1457 Views, 0 Helpful, 3 Replies

Blocking IPv6 with Linux client

craig5381
Community Member

My work's IT does not have any IPv6 set up on their networks. They have the Cisco VPN configured with "Tunnel Mode (IPv6): Drop All Traffic".

On Windows, this works fine. While I have AnyConnect connected, it blocks all IPv6.

I also use AnyConnect or Cisco Secure Client in an Ubuntu 22.04 VM. It blocks all IPv6 too. However, DNS look-ups are still getting AAAA records as well as A records. So various things try to connect to IPv6 addresses, and then either time out after ~15 to 60 s, or wait forever.

Looking at /etc/resolv.conf, I see that it lists both my work's DNS server, and the local systemd-resolved on 127.0.0.53. Perhaps the systemd-resolved one is still returning AAAA records.

I am able to "fix" this with the following work-around: Before connecting the Cisco client, I do the following:

sudo sysctl net.ipv6.conf.default.disable_ipv6=1

Then, when the Cisco client connects, the machine only uses IPv4. But sometimes I forget to do this, and various things don't work well.

It would be great if the Cisco client could be improved so this works automatically.
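As an added example (not code from the thread or from Cisco), a small POSIX shell pre-connect check that encodes the diagnosis above: it reads the disable_ipv6 sysctl the post sets, looks for the systemd-resolved stub in resolv.conf, and applies the same setting before the client is started. The sysctl tree and resolv.conf paths are parameters so the functions can be exercised against constructed files; on a live system the defaults point at /proc and /etc/resolv.conf.

```shell
# Pre-connect check for the situation in the post: the tunnel drops IPv6 but
# the local resolver can still hand out AAAA records, so connections stall.
# Paths are parameters so the functions can run against constructed files;
# on a live system the defaults point at /proc and /etc/resolv.conf.

# Value of net.ipv6.conf.default.disable_ipv6 (the sysctl the post sets).
# 'default' governs interfaces created afterwards, which includes the
# tunnel interface the VPN client brings up, hence "before connecting".
ipv6_default_disabled() {
    tree="${1:-/proc/sys/net/ipv6/conf}"
    cat "$tree/default/disable_ipv6" 2>/dev/null || echo 0
}

# Nameservers listed in a resolv.conf file, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}"
}

# 1 if the systemd-resolved stub (127.0.0.53) is among them: the resolver
# path the post suspects of still returning AAAA records.
has_resolved_stub() {
    resolv_nameservers "$1" | grep -qx '127.0.0.53' && echo 1 || echo 0
}

# Verdict before launching the client:
#   ok            IPv6 already disabled, nothing to do
#   aaaa-risk     IPv6 enabled and the resolved stub is in use
#   ipv6-enabled  IPv6 enabled, stub not listed (still worth disabling)
preconnect_verdict() {
    if [ "$(ipv6_default_disabled "$1")" = 1 ]; then
        echo ok
    elif [ "$(has_resolved_stub "$2")" = 1 ]; then
        echo aaaa-risk
    else
        echo ipv6-enabled
    fi
}

# Apply the post's work-around by writing the same sysctl through /proc
# (equivalent to "sysctl net.ipv6.conf.default.disable_ipv6=1"; needs root
# on a live system). Prints the resulting value so callers can check it.
ensure_ipv6_disabled() {
    tree="${1:-/proc/sys/net/ipv6/conf}"
    [ "$(ipv6_default_disabled "$tree")" = 1 ] ||
        echo 1 > "$tree/default/disable_ipv6"
    ipv6_default_disabled "$tree"
}
```

On a live system, run `ensure_ipv6_disabled` as root before starting the client; it changes only the kernel setting the post already uses.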

3 Replies

craig5381
Community Member

I don't have information about the headend, but might be able to work with the IT folks.

On the client, I can see:

Tunnel Mode (IPv4): Split Exclude
Tunnel Mode (IPv6): Drop All Traffic

A similar issue was reported for Windows too: https://community.cisco.com/t5/vpn/cisco-asa-anyconnect-vpn-clients-local-ipv6-causes-dns-issues/td-p/4738764. And the conclusion was that the best solution is to disable IPv6 on the client. tunnel-all-dns might help too as @ccieexpert mentioned.