AnyConnect WSL 2 - Windows Subsystem for Linux

After starting AnyConnect I find network connectivity stops working under WSL2 (Windows Subsystem for Linux).

the fix seems to be:


Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 4000
Get-NetIPInterface -InterfaceAlias "vEthernet (WSL)" | Set-NetIPInterface -InterfaceMetric 1

We are using version 4.5.000. I have searched the release notes and can find no mention of WSL, so I presume it's still broken in the latest.


Is it possible this change could be incorporated into the product?

Cisco Employee

I too have the same problem. Changing the metric did not work. As soon as I connect to Cisco VPN, WSL2 loses connectivity to the internet as well as connectivity to the host via the WSL network adapter. Ping using loopback IPs works but not via the virtual ethernet adapters.


Host IP:



WSL info:


Cisco Employee

My team member had this problem too. Of three people on my team with nominally the same setup (Ubuntu 18.04 in WSL2), only one has run into this. Setting the Interface Metric initially fixed it, but then after a few hours (without restarting the VPN or WSL) it stopped again, and resetting them has not restored the connection.

Cisco Employee

Interesting! Only 1 of 3 is facing the issue? If you search the internet it is a widespread issue for people using Cisco AnyConnect. I think it is something to do with bypassing VPN for local routes and/or NATing.

Cisco Employee

Yeah, still not sure why only one of the team ran into this, but the solution for us was the combination of the Set-NetIPInterface commands above and replacing the /etc/resolv.conf file as described here or here. (The resolv.conf fix by itself was not enough.)


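#!/bin/bash
# Rebuild /etc/resolv.conf in WSL2 from the DNS servers Windows is currently using.

# Temporary file that holds the new resolv.conf until it is copied into place.
TMP=$(mktemp)
trap ctrlC INT

removeTempFiles() {
	rm -f "$TMP"
}

ctrlC() {
	echo "Trapped Ctrl-C, removing temporary files"
	removeTempFiles
	stty sane
	exit 1
}

echo "Current resolv.conf"
echo "-------------------"
cat /etc/resolv.conf

echo "Creating new resolv.conf"
echo "------------------------"

{
	# Keep the "generated" header line if present, then one nameserver line
	# per Windows DNS server, then the remaining non-nameserver lines.
	head -1 /etc/resolv.conf | grep '^#.*generated'
	for i in $(/mnt/c/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -Command "Get-DnsClientServerAddress -AddressFamily ipv4 | Select-Object -ExpandProperty ServerAddresses"); do
		echo nameserver "$i"
	done
	tail -n+2 /etc/resolv.conf | grep -v '^nameserver'
} | tr -d '\r' | tee "$TMP"

# cp -i asks before overwriting the existing file.
(set -x; sudo cp -i "$TMP" /etc/resolv.conf)

removeTempFiles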
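An added check, not part of the original post or of any Cisco or Microsoft tooling: after rewriting /etc/resolv.conf as above, it flags nameserver entries that are not clean IPv4 addresses (for example with a stray carriage return from powershell.exe output) and reports whether /etc/wsl.conf sets generateResolvConf = false under [network], without which WSL regenerates the file on restart. The function names and the sample files are constructed for illustration, and the IPv4-only rule is an assumption that follows the -AddressFamily ipv4 filter used in the script.

```sh
# Added example: audit a WSL2 resolv.conf after rewriting it by hand.

# Print the address field of every nameserver line, unmodified.
list_nameservers() {
	awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
	case $1 in
		''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
	esac
	old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
	[ $# -eq 4 ] || return 1
	for octet in "$@"; do
		[ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
	done
}

# Succeed if wsl.conf sets generateResolvConf = false under [network].
resolv_generation_disabled() {
	[ -f "$1" ] || return 1
	tr -d '\r' < "$1" | awk '
		{ line = tolower($0); gsub(/[ \t]/, "", line) }
		line ~ /^\[/ { section = line }
		section == "[network]" && line == "generateresolvconf=false" { found = 1 }
		END { exit !found }'
}

# Return 0 if every nameserver is IPv4 and WSL will not overwrite the file.
# $1 = resolv.conf path, $2 = wsl.conf path.
audit_resolv_conf() {
	status=0; count=0
	while read -r ns; do
		[ -n "$ns" ] || continue
		count=$((count + 1))
		is_ipv4 "$ns" || { echo "WARN: bad nameserver '$ns'"; status=1; }
	done <<EOF
$(list_nameservers "$1")
EOF
	[ "$count" -gt 0 ] || { echo "WARN: no nameserver entries in $1"; status=1; }
	resolv_generation_disabled "$2" || { echo "WARN: WSL will regenerate $1 on restart"; status=1; }
	return "$status"
}

# Constructed sample files (not from a real machine).
sample=$(mktemp -d)
printf 'nameserver 10.0.0.53\nnameserver 10.0.0.54\n' > "$sample/resolv.conf"
printf '[network]\ngenerateResolvConf = false\n' > "$sample/wsl.conf"
audit_resolv_conf "$sample/resolv.conf" "$sample/wsl.conf" && echo "resolv.conf OK"
```

On a real system, call `audit_resolv_conf /etc/resolv.conf /etc/wsl.conf` from inside the WSL2 distribution.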


I had the same issue and your PowerShell Solution worked for me but it was very annoying to do it manually every time AnyConnect established a VPN Connection.

I now found out that installing Hyper-V on my machine somehow fixed the Problem. I initially wanted to check if there was anything in the Hyper-V Network settings I could change but I didn't need to configure anything. Simply installing Hyper-V was enough.

OK, maybe I was a bit too fast. It somehow worked for a while but now I'm back to PowerShell.


This worked for me, thanks for posting your solution. Now just need to automate this step.

I created 2 powershell scripts to accomplish the automation. One launches powershell as admin and the second executes the network interface commands. I added the following to my .bashrc: powershell.exe -F "C:\Users\jedunn\pwsh\doit.ps1". The only annoying issue is that it still has a UAC prompt.



1st script, contents of doit.ps1

start-process powershell -verb runas -ArgumentList '-F "netinterface.ps1"'


2nd script, contents of netinterface.ps1

Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 4000
Get-NetIPInterface -InterfaceAlias "vEthernet (WSL)" | Set-NetIPInterface -InterfaceMetric 1

I tried this step here and that worked. I can now ping or anything. Now I just can't resolve names by DNS.

You may need to modify your /etc/resolv.conf with your DNS servers

Like @ramuddan, the 2 powershell commands (Get-NetAdapter and Get-NetIPInterface) + using the dns servers returned by Get-DnsClientServerAddress -AddressFamily ipv4 | Select-Object -ExpandProperty ServerAddresses in the wsl2 /etc/resolv.conf didn't solve this issue for me. It seems to me that the wsl2 machine cannot reach the dns servers. For example, dig returns connection timed out; no servers could be reached and this command git clone git@my-company-git:xxx returns ssh: could not resolve host name ...

My AnyConnect version is 4.9.04053.


When I don't have Cisco AnyConnect running, the wsl2 machine cannot connect to the Internet either. Maybe because I'm using Symantec Endpoint Protection + Windows Defender Firewall. This is what I have to do to make the wsl2 machine connect to the Internet:

- windows ipconfig /all returns

Ethernet adapter vEthernet (WSL):

IPv4 Address. . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :

- in the wsl2 machine, I need to run:

ip addr add dev eth0

ip route delete default

ip route add default via

- add the dns servers my windows machine uses to /etc/resolv.conf

- and have to enable the "Allow other network users ..." in the Wi-Fi adapter


Have you tried turning off IPv6 support on your main network adaptor?

Not a long term solution I know but it might eliminate one more thing...

Cisco Employee

I had followed the steps here without success.