07-17-2018 04:33 AM - edited 03-12-2019 05:28 AM
Hi, guys.
We have two Cisco ASA 5515X in Active/Standby mode.
Both ASAs work using this version of the system image - asa982-38-smp-k8.bin.
We use these ASAs as a Remote Access VPN server with Cisco AnyConnect.
The Cisco AnyConnect version is 4.5.05030.
###########################################################
Here are the AnyConnect settings:
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool AnyConnect-pool
 ipv6-address-pool AnyConnect-poolIPv6
 ipv6-address-pool AnyConnect-poolIPV6_NEW
 authentication-server-group AuthServerGroup
 authorization-server-group AuthServerGroup
 default-group-policy GroupPolicy_AnyConnect
 strip-realm
 authorization-required
tunnel-group AnyConnect webvpn-attributes
 group-alias Users-VPN enable
<...>
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 wins-server none
 dns-server value x.x.x.x y.y.y.y
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 password-storage disable
 split-tunnel-policy tunnelspecified
 ipv6-split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AnyConnectSplitTunnelNetworks
 default-domain value ourdomain.local
 split-dns value ourdomain1.local ourdomain2.local ourdomain3.local
 split-tunnel-all-dns enable
 address-pools value AnyConnect-pool
 ipv6-address-pools value AnyConnect-poolIPV6
 webvpn
  anyconnect ssl keepalive none
  anyconnect profiles value AnyConnect_client_profile type user
  always-on-vpn profile-setting
<...>
ip local pool AnyConnect-pool 10.12.201.10-10.12.201.200 mask 255.255.255.0
ipv6 local pool AnyConnect-poolIPv6 2000:babe:babe:babe::1/64 512
<...>
access-list AnyConnectSplitTunnelNetworks extended permit ip 10.10.0.0 255.255.0.0 any4
access-list AnyConnectSplitTunnelNetworks extended permit ip object ipv6_anyconnect_pool any6
<...>
object network ipv6_anyconnect_pool
 subnet 2000:babe:babe:babe::/64
#####################################################
For the last two days we have been getting strange behavior in the Cisco AnyConnect client.
When a VPN connection is initiated, in the AnyConnect settings we see the following:
So, in this case the AnyConnect client cannot connect to any IPv6 resources in our internal network.
I must also note that last week we updated the Cisco ASA image from asa982-28-smp-k8.bin to asa982-38-smp-k8.bin.
Has anybody faced such issues?
Please help.
07-17-2018 04:49 AM
Looks like your ipv6 ip address is not getting assigned to the user. Can you check the ASA syslogs while the connection takes place? Also make sure "ipv6-vpn-addr-assign local" is enabled.
The only bug related to ipv6 was a fix in the version you are running, so might not be related:
07-17-2018 05:16 AM - edited 07-17-2018 05:29 AM
@Rahul Govindan wrote:
Looks like your ipv6 ip address is not getting assigned to the user. Can you check the ASA syslogs while the connection takes place? Also make sure "ipv6-vpn-addr-assign local" is enabled.
Yes, this note is correct, but we already fixed this problem. I must also note that this setting (ipv6-vpn-addr-assign local) was changed after the update.
But now we see that the problem is still present, though not for all users. Some users, when they connect using Cisco AnyConnect, are still not assigned an IPv6 address and still face the "Drop All traffic" problem for IPv6.
the following way:
But some users have no problem at all.
For example, here is an AnyConnect screenshot without problems:
05-18-2023 09:22 PM
Did you ever solve this?
I notice this is happening with AnyConnect 4.10, but 4.8 will get IPv6 no problem.
I cannot upgrade past 9.1.6 on our ASA.
This is actually our problem - 4.10 does not see the tunnel all anymore.
05-18-2023 09:20 PM
Did you ever solve this? I notice this is happening with AnyConnect 4.10, but 4.8 will get IPv6 no problem.
I cannot upgrade past 9.1.6 on our ASA.
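The configuration checks raised in the first reply can be run offline against a saved `show running-config`. The sketch below is an added example, not code from any poster or from Cisco. It flags an explicit `no ipv6-vpn-addr-assign local` and any `ipv6-address-pool` reference without a matching `ipv6 local pool` definition. The function name, the sample text, exact case-sensitive name matching and the rendering of the disabled setting are assumptions.

```python
import re

# Constructed sample modelled on the configuration posted in this thread.
# The "<...>" elisions are dropped (the real device may define more pools) and
# the last line is constructed to show the disabled-assignment case.
SAMPLE = """\
tunnel-group AnyConnect general-attributes
 ipv6-address-pool AnyConnect-poolIPv6
 ipv6-address-pool AnyConnect-poolIPV6_NEW
group-policy GroupPolicy_AnyConnect attributes
 ipv6-address-pools value AnyConnect-poolIPV6
ipv6 local pool AnyConnect-poolIPv6 2000:babe:babe:babe::1/64 512
no ipv6-vpn-addr-assign local
"""

DEF_RE = re.compile(r"^ipv6 local pool (\S+)\s")                 # pool definition
REF_RE = re.compile(r"^\s+ipv6-address-pools? (?:value )?(.+)$")  # pool reference
CTX_RE = re.compile(r"^(tunnel-group \S+|group-policy \S+) ")     # owning section

def audit_ipv6_assignment(config: str) -> list[str]:
    """Return findings about IPv6 address assignment (hypothetical helper)."""
    defined, refs, findings = set(), [], []
    context = "global"
    for line in config.splitlines():
        if m := DEF_RE.match(line):
            defined.add(m.group(1))
        elif m := CTX_RE.match(line):
            context = m.group(1)
        elif m := REF_RE.match(line):
            refs += [(context, n) for n in m.group(1).split() if n != "none"]
        elif line.strip() == "no ipv6-vpn-addr-assign local":
            findings.append("local IPv6 address assignment is disabled")
    for context, name in refs:
        if name not in defined:  # exact, case-sensitive comparison (assumption)
            near = [d for d in defined if d.lower() == name.lower()]
            note = f" (differs only in case from {near[0]})" if near else ""
            findings.append(f"{context}: IPv6 pool {name} is not defined{note}")
    return findings

if __name__ == "__main__":
    for finding in audit_ipv6_assignment(SAMPLE):
        print(finding)
```

Because the posted configuration is elided, a finding on it means only that the definition is not visible in the excerpt; confirm against the full running configuration and the ASA syslogs for the failing session.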