Martin83501
Beginner

anyconnect WSL 2 - Windows Subsystem for Linux

After starting anyconnect I find network connectivity stops working under WSL2 (Windows Subsystem for Linux)

the fix seems to be:

 

Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 4000
Get-NetIPInterface -InterfaceAlias "vEthernet (WSL)" | Set-NetIPInterface -InterfaceMetric 1

We are using version 4.5.000. I have searched the release notes and can find no mention of WSL, so I presume it's still broken in the latest.

 

Is it possible this change could be incorporated into the product?

13 REPLIES 13
ramuddan
Cisco Employee

I too have the same problem. Changing the metric did not work. As soon as I connect to Cisco VPN, WSL2 loses connectivity to the internet as well as connectivity to the host via the WSL network adapter. Ping using loopback IPs 127.0.1.1 works but not via the virtual ethernet adapters.

 

Host IP:

Capture.JPG

 

WSL info:

wsl.JPG

lucienc
Cisco Employee

My team member had this problem too. Of three people on my team with nominally the same setup (Ubuntu 18.04 in WSL2), only one has run into this. Setting the Interface Metric initially fixed it, but then after a few hours (without restarting the VPN or WSL) it stopped again, and resetting them has not restored the connection.

ramuddan
Cisco Employee

Interesting! Only 1 of 3 is facing the issue? If you search the internet, it is a widespread issue for people using Cisco AnyConnect. I think it is something to do with bypassing VPN for local routes and/or NATing.

lucienc
Cisco Employee

Yeah, still not sure why only one of the team ran into this, but the solution for us was the combination of the Set-NetIPInterface commands above and replacing the /etc/resolv.conf file as described here or here. (The resolv.conf fix by itself was not enough.)

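#!/bin/bash
# Rebuild /etc/resolv.conf in WSL2 from the DNS servers Windows is currently using.

TMP=$(mktemp)

removeTempFiles() {
	rm -f "$TMP"
}

ctrlC() {
	echo
	echo "Trapped Ctrl-C, removing temporary files"
	removeTempFiles
	stty sane
	# Stop here so the script does not go on to copy a deleted temp file
	exit 130
}
trap ctrlC INT

echo "Current resolv.conf"
echo "-------------------"
cat /etc/resolv.conf

echo
echo "Creating new resolv.conf"
echo "------------------------"

{
	# Keep the "generated" header comment if the first line has one
	head -n 1 /etc/resolv.conf | grep '^#.*generated'
	# One nameserver line per IPv4 DNS server configured on the Windows side
	for i in $(/mnt/c/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -Command "Get-DnsClientServerAddress -AddressFamily ipv4 | Select-Object -ExpandProperty ServerAddresses"); do
		echo "nameserver $i"
	done
	# Keep the remaining lines that are not nameserver entries
	tail -n +2 /etc/resolv.conf | grep -v '^nameserver'
} | tr -d '\r' | tee "$TMP"

# cp -i asks before overwriting; set -x echoes the command being run
(set -x; sudo cp -i "$TMP" /etc/resolv.conf)

removeTempFiles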
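
The script above copies whatever powershell.exe prints into a root-owned /etc/resolv.conf. As an added example (not part of the original post), here is the same rebuild with every value checked as a dotted-quad IPv4 address and de-duplicated before it becomes a nameserver line; the function names, sample file contents and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild resolv.conf content from DNS
# server strings, accepting only well-formed, unique IPv4 addresses.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
is_ipv4() {
	case $1 in
		''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
	esac
	ip_old_ifs=$IFS; IFS=.
	set -- $1                      # split on dots; input is digits and dots only
	IFS=$ip_old_ifs
	[ "$#" -eq 4 ] || return 1
	for ip_octet in "$@"; do
		[ "${#ip_octet}" -le 3 ] && [ "$ip_octet" -le 255 ] || return 1
	done
	return 0
}

# build_resolv_conf OLD_FILE SERVER...
# Prints OLD_FILE without its nameserver lines, then one nameserver line per
# accepted SERVER. Rejected values are reported on stderr, never echoed back.
build_resolv_conf() {
	rc_old=$1; shift
	rc_seen=' '
	grep -v '^nameserver' "$rc_old" || true
	for rc_s in "$@"; do
		rc_s=$(printf '%s' "$rc_s" | tr -d '\r')   # powershell.exe emits CRLF
		[ -n "$rc_s" ] || continue
		if ! is_ipv4 "$rc_s"; then
			echo "skipped one value that is not an IPv4 address" >&2
			continue
		fi
		case $rc_seen in *" $rc_s "*) continue ;; esac
		rc_seen="$rc_seen$rc_s "
		echo "nameserver $rc_s"
	done
	return 0
}

# Constructed sample input (file contents and addresses are made up).
sample_old=$(mktemp)
trap 'rm -f "$sample_old"' EXIT
printf '%s\n' '# generated file (constructed sample)' \
	'nameserver 172.20.0.1' 'search corp.example' > "$sample_old"
build_resolv_conf "$sample_old" "$(printf '10.0.0.53\r')" 10.0.0.53 \
	999.1.1.1 fe80::1 "$(printf '192.168.137.1\r')"
```

Inside WSL2 the first argument would be /etc/resolv.conf and the remaining arguments the output of the Get-DnsClientServerAddress command from the post above, with the result written to a temporary file and reviewed before it is copied into place.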
tsia
Beginner

I had the same issue and your PowerShell solution worked for me, but it was very annoying to do it manually every time AnyConnect established a VPN connection.

I now found out that installing Hyper-V on my machine somehow fixed the problem. I initially wanted to check if there was anything in the Hyper-V network settings I could change, but I didn't need to configure anything. Simply installing Hyper-V was enough.

OK, maybe I was a bit too fast. It somehow worked for a while, but now I'm back to PowerShell.

mrlinux11
Beginner

This worked for me, thanks for posting your solution.   Now just need to automate this step.

I created 2 powershell scripts to accomplish the automation.   One launches powershell as admin and the second executes the network interface commands. I added the following to my .bashrc:  powershell.exe -F "C:\Users\jedunn\pwsh\doit.ps1". The only annoying issue is that it still has a UAC prompt.  

 

 

1st script contents  of doit.ps1

start-process powershell -verb runas -ArgumentList '-F "netinterface.ps1"'

 

2nd script contents of netinterface.ps1

Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 4000
Get-NetIPInterface -InterfaceAlias "vEthernet (WSL)" | Set-NetIPInterface -InterfaceMetric 1

I tried this step here and that worked. I can now ping 8.8.8.8 or anything. Now I just can't resolve DNS names.

You may need to modify your /etc/resolv.conf with your DNS servers

Like @ramuddan, the 2 powershell commands (Get-NetAdapter and Get-NetIPInterface) + using the dns servers returned by Get-DnsClientServerAddress -AddressFamily ipv4 | Select-Object -ExpandProperty ServerAddresses in the wsl2 /etc/resolv.conf didn't solve this issue for me. It seems to me that the wsl2 machine cannot reach the dns servers. For example, dig www.youtube.com returns connection timed out; no servers could be reached and this command git clone git@my-company-git:xxx returns ssh: could not resolve host name ...

My AnyConnect version is 4.9.04053.

 

When I don't have Cisco AnyConnect running, the wsl2 machine cannot connect to the Internet either. Maybe because I'm using Symantec Endpoint Protection + windows Defender Firewall. This is what I have to do to make the wsl2 machine connect to the Internet:

- windows ipconfig /all returns

Ethernet adapter vEthernet (WSL):

IPv4 Address. . . . . . . . . . . : 192.168.137.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0

- in the wsl2 machine, I need to run:

ip addr add 192.168.137.2/24 dev eth0

ip route delete default

ip route add default via 192.168.137.1

- add the dns servers my windows machine uses to /etc/resolv.conf

- and have to enable the "Allow other network users ..." in the Wi-Fi adapter

Untitled.png

Have you tried turning off ipv6 support on your main network adaptor?

Not a long term solution I know but it might eliminate one more thing...

iroperto
Cisco Employee

I had followed the steps here without success.