22821 Views | 17 Helpful | 10 Replies

How to Disable IPv6 on AnyConnect

Is there an option to disable IPv6 when connecting AnyConnect?

 

[Screenshot attached: IPv6.png]

Accepted Solution

Jerome BERTHIER
Level 1

These IPv6 addresses are Link local addresses.

 

I guess that it is relative to the local policy of your terminal which enables IPv6 link-local addressing on any interface (and that's normal).

To my mind, there's no way to manage that with AnyConnect (even if you do not put any IPv6 pool on the VPN setup).

Why do you care about these addresses? It is just local on your client (and I guess not even known by the ASA).

 

Regards,


10 Replies

Pawan Raut
Level 4

Make sure the local address pool for IPv6 is not configured.

IPv6 not configured


A couple of times now I'm seeing the client's local connection using IPv6 for DNS. Once the client connects to our ASA their internet browsing ability stops, as we have split tunneling but AnyConnect is dropping all IPv6 traffic. Unchecking IPv6 on AnyConnect and their NIC solves this, but it'd be nice to fix it for everyone.

Hi,

 

I understand that you provide an IPv4 only service through AnyConnect and you need to leave IPv6 traffic free to go outside the VPN if available on the terminal.

To do that, you have to enable protocol bypass on the group policy:

group-policy your_VPN_policy attributes
 client-bypass-protocol enable

 

Regards,
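What happens to a client's IPv6 traffic depends on two things in the group policy: whether an IPv6 pool is assigned and whether client-bypass-protocol is enabled. As an added example (not code from this thread or from Cisco), the following Python reads a constructed snippet of ASA running-config and reports, per group policy, which of the three outcomes applies: IPv6 tunnelled (pool assigned), IPv6 sent outside the tunnel (no pool, bypass enabled) or IPv6 dropped by the client (no pool, bypass disabled, which is the ASA default). It assumes the pools are assigned in the group-policy attributes with `address-pools value` and `ipv6-address-pools value`; assignment via tunnel-group or DHCP is deliberately ignored, and the policy names and pool names are made up.

```python
import re
from typing import Dict

# Constructed sample of ASA running-config lines (assumed, not taken from
# the thread; policy and pool names are illustrative only).
SAMPLE_CONFIG = """\
group-policy GP_IPV4_ONLY internal
group-policy GP_IPV4_ONLY attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 address-pools value VPN_POOL4
group-policy GP_BYPASS internal
group-policy GP_BYPASS attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN_POOL4
 client-bypass-protocol enable
group-policy GP_DUAL internal
group-policy GP_DUAL attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN_POOL4
 ipv6-address-pools value VPN_POOL6
"""


def parse_group_policies(config: str) -> Dict[str, dict]:
    """Collect pool assignments and the bypass setting per group policy.

    Only the indented lines inside a 'group-policy NAME attributes' block
    are inspected; anything at column 0 ends the current block.
    """
    policies: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^group-policy (\S+) attributes$", line)
        if m:
            current = m.group(1)
            policies.setdefault(
                current, {"ipv4_pool": None, "ipv6_pool": None, "bypass": False}
            )
            continue
        if not line.startswith(" "):
            current = None  # left the attributes block
            continue
        if current is None:
            continue
        stmt = line.strip()
        if stmt.startswith("address-pools value "):
            policies[current]["ipv4_pool"] = stmt.split()[-1]
        elif stmt.startswith("ipv6-address-pools value "):
            policies[current]["ipv6_pool"] = stmt.split()[-1]
        elif stmt == "client-bypass-protocol enable":
            policies[current]["bypass"] = True
        elif stmt == "client-bypass-protocol disable":
            policies[current]["bypass"] = False  # ASA default
    return policies


def ipv6_behaviour(policy: dict) -> str:
    """Map a parsed policy to what the client does with IPv6 traffic."""
    if policy["ipv6_pool"]:
        return "tunnelled"  # client gets an IPv6 address; IPv6 rides the VPN
    if policy["bypass"]:
        return "bypassed"   # no IPv6 address; IPv6 leaves via the local NIC
    return "dropped"        # no IPv6 address, bypass off; IPv6 is discarded


def report(config: str) -> Dict[str, str]:
    """Return {policy name: behaviour} for every group policy found."""
    return {name: ipv6_behaviour(p) for name, p in parse_group_policies(config).items()}


if __name__ == "__main__":
    for name, outcome in report(SAMPLE_CONFIG).items():
        print(f"{name:16} IPv6 traffic: {outcome}")
```

The "bypassed" outcome is what the reply above asks for (split tunnelling keeps working because IPv6 DNS and browsing go out the local interface), but it also means that IPv6 traffic is not protected by the tunnel, so run this against your own config to see which policies expose that path before enabling it.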

This was exactly what I needed to solve a problem with clients connecting using a 5G router that uses an IPv6 address from the private range (fc00::/7) for DNS.

Thank you so much for the "client-bypass-protocol" hint.

 

girafskind
Level 1

They're right, it doesn't matter since it's link-local addresses, but to remove them, just disable TCP/IPv6 on the AnyConnect interface.

IainAldridge
Level 1

Hi,

 

We had this same issue and after a little bit of searching on the ASA you can remove these IPv6 addresses by changing the AnyConnect Client Profile.

So on the ASA go to:

 

Remote Access VPN > Network (Client) Access > AnyConnect Client Profile

Then either select the relevant profile for the Group Policy linked to your tunnel or create a new profile and link it to the relevant Group Profile.

 

Then Edit the Client Profile and on 'Preferences (Part 1)' scroll to the bottom and where there is the option 'IP Protocol Supported' change it to just IPv4.

 

Now the AnyConnect client will only have an IPv4 address and not the link-local IPv6 addresses.

Hi

This is a well known option but it is not documented to do what you expect.

This option is a way to choose which IP protocol the AnyConnect client should use, and in which order, to connect to the ASA if the SSL VPN interface of the ASA itself is addressed as dual-stacked IPv4/IPv6.


It does not affect the IP protocol on the tunnel interface (at least, this is not documented).

Do you confirm the behavior you describe? Is it tested?

 

 

Here is the documentation:

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/administration/guide/b_AnyConnect_Administrator_Guide_4-9/anyconnect-profile-editor.html

 


IP Protocol Supported—For clients with both an IPv4 and IPv6 address attempting to connect to the ASA using AnyConnect, AnyConnect needs to decide which IP protocol to use to initiate the connection. By default AnyConnect initially attempts to connect using IPv4. If that is not successful, AnyConnect attempts to initiate the connection using IPv6.

This field configures the initial IP protocol and order of fallback.

IPv4—Only IPv4 connections can be made to the ASA.

IPv6—Only IPv6 connections can be made to the ASA.

IPv4, IPv6—First, attempt to make an IPv4 connection to the ASA. If the client cannot connect using IPv4, then try to make an IPv6 connection.

IPv6, IPv4—First attempt to make an IPv6 connection to the ASA. If the client cannot connect using IPv6 then try to make an IPv4 connection.

I'm suffering from the same problems as mentioned here, so I just tested this. As expected, regardless of the configured setting in the profile, the AnyConnect adapter always has a link-local IPv6 address as shown in the initial post's screenshot.
