10-23-2014 03:17 AM
I have encountered a strange situation with Yosemite and Cisco AnyConnect Secure Mobility Client (all recent versions, including the latest 3.1.05187).
If the Mac is using the iPhone's internet connection (via Bluetooth or WiFi), when I connect with the client everything stops working, from the Internet to the traffic over the tunnel. We are using Split Tunnel with Split DNS for our internal addresses. Somehow the DNS is not working anymore.
I can ping by IP but not by name, and I also cannot ping any Internet address unless I manually add the default route again.
Has anybody encountered this problem?
01-12-2015 12:32 PM
All - I have a solution for this problem.
In your AnyConnect Group Policy, go to Advanced > Split Tunneling.
For "DNS Names", uncheck "Inherit" and manually define your LAN's internal DNS domain name.
For "Send All DNS Lookups Through Tunnel", uncheck "Inherit" and manually select "No".
For reasons I've not yet figured out, Yosemite does not like tunneling all DNS lookups through the tunnel.
If this is a sticking point for your environment, you may need to define a separate Group Policy for your OS X users until Cisco/Apple figure out their bug.
Good luck!
-Tim
01-13-2015 12:07 AM
Sorry, but this does not solve the issue for us. This is the exact configuration we already have, and we have had it since this problem first appeared. This is clearly an incompatibility between AnyConnect and Yosemite. The ONLY success I have had is with a pocket router in between my iPhone hotspot and my laptop running Yosemite. It is an ugly hack, but at least I am portable(ish) again.
01-13-2015 12:11 AM
Hi David -
I used this solution for 6 different customers of mine today and it universally solved it. Check your split-tunnel settings across the board, as well as the DNS and domain name related bits in your group profile. Feel free to post your webvpn config too.
01-13-2015 08:28 AM
Tim - I have the same configuration as razvan1979 and it does not work.
01-13-2015 09:13 AM
Which AnyConnect and OS X versions? I'm on 3.1.06073 and 10.10.1 respectively.
01-13-2015 11:44 PM
Hello Tim,
I have the same version, mate, exactly the same. Maybe something is missing in my config!
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
Request timeout for icmp_seq 0
ping: sendto: No route to host
Request timeout for icmp_seq 1
ping: sendto: No route to host
Request timeout for icmp_seq 2
ping: sendto: No route to host
Request timeout for icmp_seq 3
ping: sendto: No route to host
Request timeout for icmp_seq 4
^C
--- 8.8.8.8 ping statistics ---
6 packets transmitted, 0 packets received, 100.0% packet loss
cat /etc/resolv.conf
cat: /etc/resolv.conf: No such file or directory
group-policy GP-XXX internal
group-policy GP-XXX attributes
dns-server value 172.xx.xx.xx 10.xx.xx.xx
vpn-simultaneous-logins 2
vpn-idle-timeout 60
vpn-filter value ACL-XXX
vpn-tunnel-protocol ikev2 ssl-client
group-lock value TN-XXX
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLITUNNEL
split-dns value hs2 dc2 office qxlint
address-pools value VPNPOOL-XXX
03-13-2015 05:25 PM
I've managed to get the "split-tunnel-all-dns disable" workaround working on one of my ASAs, but not on the other. Apparently, ASA version 9.0 or better is required.
More detail in recent post here: https://discussions.apple.com/thread/6728046
01-13-2015 12:53 AM
Hi Tim, can you please guide me to find the AnyConnect Group Policy so I can try the solution?
03-17-2015 05:08 AM
As above: OS X 10.10.2, AnyConnect 3.1.07021, iOS 8.2, tethered (hotspot) connection. Adding the local domain name/DNS lookup setting (which is unchanged in this instance) as per tim.economides' suggestion appears to resolve the issue (after initial testing)!
03-11-2015 09:33 AM
Same issue here. As an end user, I apparently don't have access to the Group Policy to edit it.
03-12-2015 06:42 AM
I think tethering + AnyConnect is working for me again with the recent iOS 8.2 update!
03-16-2015 08:07 AM
OS X 10.10.2, AnyConnect 3.1.07021, iOS 8.2, tethered (hotspot) connection: when the VPN is active, Internet/DNS/local network are unavailable. The problem is still as per razvan1979's original observation.
03-31-2015 03:54 AM
Gentlemen,
Seems that we have a solution. Try to follow this picture to enable client bypass protocol. It works for us.
OR
Enter "client-bypass-protocol enable" in the group-policy attributes section using the CLI.
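Added example (not from this thread or from Cisco): a small audit script that parses an ASA `group-policy ... attributes` block and reports whether it carries the settings the replies above recommend for tethered OS X clients, i.e. explicit `split-dns` domains, `split-tunnel-all-dns disable`, and `client-bypass-protocol enable`. The sample config is constructed from the snippet posted earlier in the thread, placeholders included.

```python
"""Audit ASA group-policy blocks for the AnyConnect/Yosemite tethering workarounds.
Added example, not Cisco's code. SAMPLE_CONFIG is constructed from the config
posted in this thread; the xx placeholders are kept as posted."""
import re

SAMPLE_CONFIG = """\
group-policy GP-XXX internal
group-policy GP-XXX attributes
 dns-server value 172.xx.xx.xx 10.xx.xx.xx
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITUNNEL
 split-dns value hs2 dc2 office qxlint
 split-tunnel-all-dns disable
 address-pools value VPNPOOL-XXX
"""

def parse_group_policies(config_text):
    """Return {policy_name: [attribute lines]} from ASA running-config text."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            current = m.group(1)
            policies.setdefault(current, [])
            continue
        if line.startswith("group-policy "):   # e.g. "group-policy X internal"
            current = None
            continue
        if current and line and not line.startswith("!"):
            policies[current].append(line)
    return policies

def check_workarounds(attrs):
    """True/False per setting recommended in the thread."""
    attr_set = set(attrs)
    return {
        # Tim's fix: name the internal domains that should resolve via the tunnel
        "split_dns_defined": any(a.startswith("split-dns value ") for a in attrs),
        # Tim's fix: do not force every DNS lookup through the tunnel (needs ASA 9.0+)
        "all_dns_not_tunneled": "split-tunnel-all-dns disable" in attr_set,
        # Later post: let traffic outside the tunnel bypass the client
        "client_bypass_enabled": "client-bypass-protocol enable" in attr_set,
        "split_tunnel_specified": "split-tunnel-policy tunnelspecified" in attr_set,
    }

def audit(config_text):
    """Map each group-policy name to its workaround check results."""
    return {n: check_workarounds(a) for n, a in parse_group_policies(config_text).items()}

if __name__ == "__main__":
    for name, result in audit(SAMPLE_CONFIG).items():
        print(name, "missing:", [k for k, ok in result.items() if not ok] or "nothing")
```

Paste your own `show running-config group-policy` output in place of SAMPLE_CONFIG to see which of the three settings a policy still lacks.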
03-31-2015 03:54 AM
This would require an expensive update for us. What version ASDM are you running?