07-17-2024 07:54 PM
My work's IT does not have any IPv6 set up on their networks. They have the Cisco VPN configured with "Tunnel Mode (IPv6): Drop All Traffic".
On Windows, this works fine. While I have AnyConnect connected, it blocks all IPv6.
I also use AnyConnect or Cisco Secure Client in an Ubuntu 22.04 VM. It blocks all IPv6 too. However, DNS look-ups are still getting AAAA records as well as A records. So various things try to connect to IPv6 addresses, and then either timeout after ~15 to 60 s, or wait forever.
Looking at /etc/resolv.conf, I see that it lists both my work's DNS server, and the local systemd-resolv on 127.0.0.53. Perhaps the systemd-resolv one is still returning AAAA records.
I am able to "fix" this with the following work-around. Before connecting the Cisco client, I run:
sudo sysctl net.ipv6.conf.default.disable_ipv6=1
Then, when the Cisco client connects, the machine only uses IPv4. But sometimes I forget to do this, and various things don't work well.
It would be great if the Cisco client could be improved so this works automatically.
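The following wrapper is an added example for the Ubuntu case above; it is not code from the original post or from Cisco. It turns the manual sysctl step into something that cannot be forgotten: the VPN client is started with IPv6 switched off on all current and future interfaces (the post only sets the "default" scope, which covers interfaces created after the change; the "all" scope covers interfaces that already exist), and the previous values are restored on exit. It also includes two small checks a practitioner would want before blaming the client: whether resolv.conf still lists the systemd-resolved stub at 127.0.0.53, and how many AAAA answers a dig query actually returned. The client binary path and the SYSFS_ROOT override are assumptions introduced here for illustration and testing, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the Cisco Community thread): run the Linux VPN
# client with IPv6 disabled for the whole session and restore it afterwards.
# Assumptions: the client path in the usage comment, and sudo rights for sysctl.

# Prefix for the kernel knobs; left empty on a real system. Overridable so the
# helpers can be exercised against a constructed directory tree instead of /proc.
SYSFS_ROOT="${SYSFS_ROOT:-}"

# Print the current disable_ipv6 value for a scope ("all" or "default").
ipv6_disabled_state() {
    cat "$SYSFS_ROOT/proc/sys/net/ipv6/conf/$1/disable_ipv6"
}

# Return 0 if the resolv.conf given as $1 points at the systemd-resolved stub
# (127.0.0.53), i.e. the local resolver is still in the lookup path.
uses_resolved_stub() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.53([[:space:]]|$)' "$1"
}

# Count AAAA records in the ANSWER section of `dig` output read from stdin.
# Answer lines look like: "example.com.  300  IN  AAAA  2001:db8::1"
count_aaaa_answers() {
    awk 'BEGIN { n = 0; in_ans = 0 }
         /^;; ANSWER SECTION:/ { in_ans = 1; next }
         /^;;/                 { in_ans = 0 }
         in_ans && $4 == "AAAA" { n++ }
         END { print n }'
}

# Run a command with IPv6 disabled on all current ("all") and future
# ("default") interfaces, then put the previous values back even if the
# command fails or the wrapper is interrupted.
with_ipv6_disabled() {
    old_all=$(ipv6_disabled_state all)
    old_default=$(ipv6_disabled_state default)
    restore() {
        sudo sysctl -q -w "net.ipv6.conf.all.disable_ipv6=$old_all" \
                         "net.ipv6.conf.default.disable_ipv6=$old_default"
    }
    trap restore EXIT INT TERM
    sudo sysctl -q -w net.ipv6.conf.all.disable_ipv6=1 \
                     net.ipv6.conf.default.disable_ipv6=1
    "$@"
}

# Usage (assumed install path for Cisco Secure Client on Linux):
#   sh vpn-wrap.sh run /opt/cisco/secureclient/bin/vpnui
# Diagnostics:
#   uses_resolved_stub /etc/resolv.conf && echo "systemd-resolved stub still listed"
#   dig AAAA example.com | count_aaaa_answers
case "${1-}" in
    run) shift; with_ipv6_disabled "$@" ;;
esac
```

Disabling IPv6 on the host is a blunt instrument: it also removes IPv6 connectivity for anything that runs outside the VPN session, so it belongs in a wrapper scoped to the session rather than in a permanent sysctl.conf entry. The dig check is the quickest way to confirm whether the stub resolver or the corporate DNS server is the one handing back AAAA records.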
07-17-2024 11:20 PM
Are you using split tunneling? If yes, enable the tunnel-all-DNS option on the headend.
07-17-2024 11:55 PM
I don't have information about the headend, but might be able to work with the IT folks.
On the client, I can see:
Tunnel Mode (IPv4): Split Exclude
Tunnel Mode (IPv6): Drop All Traffic
07-18-2024 03:20 AM
A similar issue was reported for Windows too: https://community.cisco.com/t5/vpn/cisco-asa-anyconnect-vpn-clients-local-ipv6-causes-dns-issues/td-p/4738764. The conclusion there was that the best solution is to disable IPv6 on the client. tunnel-all-dns might help too, as @ccieexpert mentioned.