11-01-2019 06:45 AM - edited 02-21-2020 09:47 PM
Since updating to macOS Catalina, I enjoy using Sidecar to extend my laptop screen on my iPad. However, every VPN connection that I established with the AnyConnect Client kills this Sidecar connection. Any suggestions?
12-05-2019 11:49 PM
This has been filed as the defect "AnyConnect VPN tunnel on macOS interferes with Sidecar feature".
Bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr70933
We are in communication with the other party to learn the exact mechanism.
But the feature uses IPv6 traffic over proprietary virtual wireless interfaces. In order to keep AnyConnect from blocking that traffic, you should assign the client an IPv6 address and have a split include IPv6 route that is arbitrary but does not overlap the addressing used. Any valid routable IPv6 should work.
Your feedback is highly appreciated.
12-06-2019 04:42 AM
04-27-2020 12:13 AM
This bug has been unsolved for about a year now; is there any hope of fixing it at all?
06-17-2020 12:37 AM
We don't need to route IPv6 traffic through the ASA at all. Please enable the "Client Bypass Protocol" feature. We need to enable it under the specific tunnel-group: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/administration/guide/b_AnyConnect_Administrator_Guide_4-8/configure_vpn.html#ID-1428-0000038a
That way only IPv4 traffic will flow through the tunnel and IPv6 will not be blackholed by AnyConnect; it will go in clear form through the client's network. So traffic to the Sidecar-enabled device will not hit the tunnel.
Your feedback is highly appreciated.
07-16-2020 02:41 AM
Hi, this worked fine for me. I have an ASA 5506-X, enabled Client Bypass Protocol as directed on the AnyConnect Group Policy, and Sidecar is up and running now. A note to all end users reading this: this change cannot be made by you; it needs to be made by whoever manages your AnyConnect service.
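The Client Bypass Protocol change discussed in the posts above, shown as an ASA configuration fragment. This is an added example, not taken from any poster or from Cisco's guide; `EXAMPLE_GP`, `EXAMPLE_V4_POOL` and the 192.0.2.0/24 range are placeholder names and values.

```cisco
! Constructed example. EXAMPLE_GP and EXAMPLE_V4_POOL are placeholder names;
! 192.0.2.0/24 is a documentation range, not a real deployment value.
ip local pool EXAMPLE_V4_POOL 192.0.2.10-192.0.2.50 mask 255.255.255.0
!
group-policy EXAMPLE_GP attributes
! Only an IPv4 pool is assigned, so the client receives no IPv6 address.
 address-pools value EXAMPLE_V4_POOL
! With the feature disabled, the client drops IPv6 while the tunnel is up,
! which is what breaks Sidecar. With it enabled, all client IPv6 traffic
! (not only Sidecar) leaves the endpoint outside the tunnel, unencrypted.
 client-bypass-protocol enable
!
! Confirm what the group policy now carries:
! show running-config group-policy EXAMPLE_GP
```

The setting takes effect for the address family the ASA did not assign, so it only changes IPv6 handling for as long as the group policy hands out IPv4 addresses alone.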
05-08-2020 06:03 AM
I have this issue too. Actually bought a brand new MacBook Pro to work mobile with my iPad Pro as a second screen and this news is not amusing. No further steps from Cisco in collaboration with Apple on this?
05-08-2020 08:27 AM
Dear giorgio.f,
Sorry no news from Cisco. I solved the problem by using OpenConnect from the command line. This is a little bit of installation work but since then I have no interference with Sidecar or Airdrop... I'm sure that there are also OpenConnect Apps around for macOS.
07-16-2020 02:49 AM
Hi giorgio.f, you need to get whoever manages your AnyConnect VPN service to make the changes given above by ishqaira to enable the Client Bypass Protocol option. You cannot do this as an end user; just send the post from ishqaira to whoever looks after the AnyConnect service you use. It took me 30 seconds to make the changes on mine and Sidecar is up and running.
06-16-2020 02:09 PM - edited 06-16-2020 02:13 PM
09-07-2020 05:47 AM - edited 09-07-2020 05:48 AM
Upon checking with our system administrator, his view is that the proposed change reduces the security of the system, and thus should not be applied. Any suggestions for a fix or another workaround (not involving heavy user-side customization)?
09-07-2020 06:59 AM
Hi thias,
I'd be interested to know why he thought it was risky; if you could get a fuller explanation from him, that would be great.
The way I understand the feature, it changes the behaviour so that, if assigned an IPv4 address on the AnyConnect tunnel, it would stop any IPv6 traffic being routed over it, so staying on the client LAN (thus allowing services like Sidecar to work).
I wouldn't say this is risky behaviour, but it may be more unwanted.
It comes down to how your company network is set up: are they using a proxy for internet breakout, are they routing all traffic over VPN or select subnets, etc.
If Cisco (ishqaira) are offering advice that poses a security risk, then it is in all our interests to know.
09-08-2020 02:51 AM
The Client Protocol Bypass feature allows you to configure how the ASA manages IPv4 traffic when it is expecting only IPv6 traffic or how it manages IPv6 traffic when it is expecting only IPv4 traffic.
When the AnyConnect client makes a VPN connection to the ASA, the ASA could assign it an IPv4, IPv6, or both an IPv4 and IPv6 address. If the ASA assigns the AnyConnect connection only an IPv4 address or only an IPv6 address, you can now configure the Client Bypass Protocol to drop network traffic for which the ASA did not assign an IP address, or allow that traffic to bypass the ASA and be sent from the client unencrypted or “in the clear”.
For example, assume that the ASA assigns only an IPv4 address to an AnyConnect connection and the endpoint is dual stacked and using SideCar. When the endpoint attempts to reach an IPv6 address (SideCar), if Client Bypass Protocol is disabled, the IPv6 traffic is dropped; however, if Client Bypass Protocol is enabled, the IPv6 traffic is sent from the client to SideCar in the clear.
The security risk lies behind your LAN robustness and how Mac sends this IPv6 traffic between your machine and the Car.
11-18-2020 05:34 AM
This is now fixed but requires:
- AnyConnect 4.9.03047 or newer
- macOS Big Sur 11.0.1 or newer
Working great for me now, with sometimes just a brief screen interruption when connecting to the VPN.
01-14-2021 06:41 AM - edited 01-14-2021 06:43 AM
Is this still fixed?
I'm running AnyConnect 4.9.04053 and Big Sur 11.1 and Sidecar is still disconnecting anytime I connect to VPN.
EDIT: Works over Wi-Fi, but if the iPad is plugged into the computer it won't.