Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3796
Views
5
Helpful
14
Replies

IPv6 addresses on LAN adapter causing AnyConnect VPN to reconnect

Go to solution
dmills488
Level 1
Level 1

‎12-24-2020 08:35 AM

I am seeing end users having their VPN connection disconnected and reconnected when IPv6 addresses change on the LAN network adapter. I've disabled IPv6 on the AnyConnect adapter, Microsoft won't provide support if IPv6 is disabled on the physical adapter, and I have no control over the end user's home network. 

 

Below are log examples showing additional IPv6 addresses added to Wi-Fi adapter, Ethernet 2 is the AnyConnect adatper.

 

2020-

12-17 09:16:17

2073IP addresses from active interfaces: Ethernet 2: 10.x.x.1 Wi-Fi: 192.168.1.96, 2600:1700:x:x:x:x:x:44, FE80:x:x:x:x:x:x:FAA8
2020-12-17 09:21:512012Reconfigure reason code 15: New network interface.
2020-12-17 09:21:512073IP addresses from active interfaces: Ethernet 2: 10.x.x.1 Wi-Fi: 192.168.1.96, 2600:1700:x:x:x:x:x:44, 2600:1700:x:x:x:x:x:FAA8, 2600:1700:x:x:x:x:x:C51A, FE80:x:x:x:x:x:x:FAA8
2020-12-17 09:21:512070A new network interface address has been detected.
2020-12-17 09:21:522040The entire VPN connection has been reconfigured.

 

Between IPv6 privacy extensions and temporary addresses it seems that IPv6 is designed to function this way. Has anyone experienced these AnyConnect disconnects when IPv6 is used on the end user's network?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions
14 Replies 14

Go to solution
marce1000
VIP
VIP

‎12-25-2020 12:50 AM

 

   - Make sure , users are using the correct network adapter before connecting with AnyConnect (on the second line).

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

Go to solution
dmills488
Level 1
Level 1

‎01-05-2021 11:18 AM

The user is connected to the correct network adapter before connecting with AnyConnect.

Once connected with AnyConnect the user is not switching network adapters. 

 

The "new network interface" seems to be the new IPv6 addresses that are showing up on the same network adapter.

 

 

0 Helpful

Go to solution
dmills488
Level 1
Level 1

‎01-20-2021 07:57 AM

We believe we're running into this bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv93458

It does seem like this impacts users who do have IPv6 privacy extensions feature disabled.

0 Helpful

Go to solution
prestonhuang
Level 1
Level 1

‎05-05-2021 07:09 AM

Cisco team, are there any plans to implement a fix for this in a future AnyConnect client release, so that IPv6 privacy extensions can remain enabled?

0 Helpful

Go to solution
anthony pharo
Level 1
Level 1
In response to gajownik

‎06-01-2023 06:17 AM

Gajownik, 

How would I view this bug in Wireshark?

0 Helpful

Go to solution
gajownik
Cisco Employee
Cisco Employee
In response to anthony pharo

‎06-01-2023 07:15 AM

What do you mean exactly by "view this bug in Wireshark"?

1) 4.10.01075 was released 2 years ago and if you run anything newer you definitely did not hit this bug.
2) Wireshark is not the best tool to verify if you hit this specific bug.

Tunnel flap is triggered by assigning/removal of the temporary IPv6 address to the interface. You might not even see a packet sent using new IPv6 address in the collected capture.

3) Better approach would be collecting DART bundle and verifying Cisco AnyConnect Secure Mobility Client/AnyConnect.txt file.

0 Helpful

Go to solution
anthony pharo
Level 1
Level 1
In response to gajownik

‎06-01-2023 07:22 AM

Thank you for your response gajownik,

What should I be looking for in the DART Bundle that would point to the IPV6 issue?

Thank you. 

Anthony

 

0 Helpful

Go to solution
anthony pharo
Level 1
Level 1
In response to anthony pharo

‎06-01-2023 07:35 AM

We do not have a hardcoded IPv6 address on the ASA’s. That is part of the reason this testing is being done. We need to verify the code handles that response correct.  teams.microsoft.com responds with an IPv6 address, and it is the first response. If the end user is routing IPv6 and the response is IPv6 first, what happens? We know this issue exists; we ran into it within code 01075.  Thank U Gajownik

0 Helpful

Go to solution
gajownik
Cisco Employee
Cisco Employee
In response to anthony pharo

‎06-01-2023 07:43 AM

You should check for the log messages posted in the initial message from this thread. If you run version 4.10.01075 then you definitely are not affected by bug CSCvv93458 and your problem is not related to issue discussed in this thread.

0 Helpful

Go to solution
TCAM
Level 1
Level 1
In response to gajownik

‎01-09-2024 05:43 PM

Hi - gajownik

Can you confirm CSCvv93458 was also fixed in Cisco Secure client?  I am running v 5.1.1.42, i am still seeing the issue. VPN tunnel restarted when temporary IPv6 addresses was created or modified.

0 Helpful

Go to solution
adamparker
Level 1
Level 1

‎01-04-2023 04:50 PM

I am experiencing this issue on AnyConnect version 4.10.05085. Is bug CSCvv93458 still affecting this version?

0 Helpful

Go to solution
Harold Ritter
Cisco Employee
Cisco Employee

‎01-04-2023 05:29 PM

Hi @adamparker ,

This specific bug is fixed in the release you are currently running.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Go to solution
adamparker
Level 1
Level 1
In response to Harold Ritter

‎01-05-2023 03:24 PM

Thanks for verifying! I will open a ticket with support.

0 Helpful
Customers Also Viewed These Support Documents