AnyConnect blocks IPv6 DNS requests

Heitkamp
Level 1

Hi guys!

We have the problem that all DNS requests via IPv6 are blocked by AnyConnect. If you deactivate IPv6 in the network adapters in Windows, then everything works fine. But we cannot make this setting on every device.
Is there a good solution for this, that we can handle IPv6 DNS requests?

Thanks and greetings!



1 Accepted Solution

Hi,

Can you try adding the following to your group-policy: "ipv6-split-tunnel-policy tunnelspecified"? Disconnect and reconnect with AC.


Regards,

Cristian Matei.


Cristian Matei
VIP Alumni

Hi,

Do you need any kind of IPv6 traffic to be sent over the VPN session? Or do you just need the endpoint to run IPv6 outside of the tunnel?


Regards,

Cristian Matei.

Hi Cristian,
I don't need any kind of IPv6 traffic going through the session. I just need to reply to DNS requests using IPv6.
Greetings

I know this is two years old, but I'm having the same issue.

I do have "ipv6-split-tunnel-policy tunnelspecified" in the group-policy.

IPv6 addresses only seem to look up while the VPN is not connected. Using Wireshark, DNS requests only ask for type "A" instead of "AAAA". However, if I manually run a request with nslookup I can issue "set type=AAAA" and it works fine, so "AAAA" lookups are not blocked.

The default operating system lookup prefers only "A" records when the VPN is connected (i.e. ping www.kame.net returns 210.155.141.200).

Is there a setting somewhere to prevent AnyConnect from limiting the DNS query type to "A"?
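
A way to check for the symptom described in the post above without a packet capture, as an added example that is not part of the original thread: it asks the operating system's resolver for a name twice, once with no address-family preference and once for IPv6 only, and reports whether IPv6 answers appear only when explicitly requested. The function names and result labels are hypothetical, and it assumes the explicit IPv6 request goes through the same OS resolver as ordinary applications (unlike nslookup, which queries the DNS server directly).

```python
import socket
import sys


def families(host, family, resolve=socket.getaddrinfo):
    """Address families the OS resolver returns for host, or an empty set."""
    try:
        infos = resolve(host, None, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[0] for info in infos}


def classify(host, resolve=socket.getaddrinfo):
    """Compare the default lookup (AF_UNSPEC) with an explicit IPv6-only lookup."""
    default = families(host, socket.AF_UNSPEC, resolve)
    forced_v6 = families(host, socket.AF_INET6, resolve)
    if socket.AF_INET6 in default:
        return "dual-stack" if socket.AF_INET in default else "v6-only"
    if socket.AF_INET in default:
        # IPv4 came back by default; does an explicit request still find AAAA?
        return "a-only-by-default" if forced_v6 else "no-aaaa"
    return "v6-only-when-forced" if forced_v6 else "unresolved"


if __name__ == "__main__":
    # Run once with the VPN down and once with it up, then compare the output.
    for name in sys.argv[1:] or ["www.kame.net"]:
        print(f"{name}: {classify(name)}")
```

A result of "a-only-by-default" with the VPN connected and "dual-stack" with it disconnected matches the behaviour reported above; "no-aaaa" in both states means the name simply has no IPv6 answer reachable from that client.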