01-06-2025 01:12 AM
Is there a way to configure SecureClient to ignore IPv6 addresses?
I can see in logs that WiFi adaptors are self issuing FE80 IPv6 addresses, we use DNS servers for TND so this then fails and the client attempts to connect when on site.
I can see the following entry in the profile XML:
<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
Would changing it to just IPv4 be the best fix?
01-06-2025 07:02 PM
I am not exactly sure what the problem is. With DNS servers, only one of the trusted DNS servers needs to match for it to be detected that it is in a trusted network. Can you attach part of the DART AnyConnect log snip so we can see the problem? If there are other DNS servers such as IPv6, it should just ignore them, as one of the DNS servers matching should disable VPN... at least that has been my experience, although it has been a while.
The setting you talked about is for connecting to the VPN headend, whether IPv4 or IPv6 will be preferred. Nothing to do with the local machine or TND.
01-07-2025 03:52 AM
Well, that's the thing: with the IPv6 link-local address there is no DNS server, so it's not trusted. The VPN logs say as much.
As a test I disabled IPv6 on the client and never got the issue again, so it's definitely that. But I don't want to have to disable IPv6 across the board for the entire estate.
@ccieexpert wrote: The setting you talked about is for connecting to the VPN headend, whether IPv4 or IPv6 will be preferred. Nothing to do with the local machine or TND.
I'm confused by that statement, it's a policy on the local machine so why would it have nothing to do with it? Genuine question I obviously don't understand it!
01-08-2025 01:47 AM
@ccieexpert wrote:<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport> is a configuration option for Cisco AnyConnect that specifies the order in which the client will attempt to connect to a Secure Firewall ASA:
IPv4, IPv6: The client will first try to connect using IPv4, and then IPv6 if that fails.
IPv6, IPv4: The client will first try to connect using IPv6, and then IPv4 if that fails.
The client will continue to fail over to the alternate IP protocol until the current IP address is no longer reachable.
So that is the protocol used to connect to a headend that has both IPv4 and IPv6 enabled. It is for the tunnel establishment, nothing to do with local settings.
Yes, but... the local client has both an IPv4 address issued by DHCP with valid (trusted) DNS settings and an IPv6 address. If the local profile states that both IPv4 and IPv6 can be used to establish a tunnel, then (in my head anyway!) it's making an attempt to connect via IPv6, even though it's only a self-assigned link-local address.
As soon as I disabled IPv6 on the WiFi NIC then the issue disappeared.
I should also add that the client was also connected via Ethernet, the Ethernet also had a corporate IP and trusted DNS entries.
PM sent with the Anyconnect eventviewer logs, thank you!
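A small model of the two TND outcomes discussed in this thread, added here as an example; it is not Cisco's code and does not claim to be the client's real evaluation order, which the thread does not document. It shows why a link-local-only adapter with no DNS servers is harmless under "any trusted DNS server matches" semantics but breaks a stricter per-adapter check, which is the distinction to look for when reading the DART log. Adapter data and the trusted DNS list are constructed placeholders.

```python
from ipaddress import ip_interface

# Constructed sample: per-adapter addresses and DNS servers as a client might
# report them. The "Wi-Fi IPv6" entry has only a self-assigned fe80:: address
# and no DNS server learned over IPv6, the situation described in the thread.
ADAPTERS = [
    {"name": "Ethernet",   "addresses": ["10.20.30.41/24"],
     "dns": ["10.20.1.10", "10.20.1.11"]},
    {"name": "Wi-Fi IPv4", "addresses": ["10.20.40.15/24"], "dns": ["10.20.1.10"]},
    {"name": "Wi-Fi IPv6", "addresses": ["fe80::1c2a:9f3b:77d1:4e02/64"], "dns": []},
]
TRUSTED_DNS = {"10.20.1.10", "10.20.1.11"}   # placeholder trusted-server list


def link_local_only(adapter):
    """True when every address on the adapter is link-local (fe80::/10 or 169.254/16)."""
    addrs = [ip_interface(a).ip for a in adapter["addresses"]]
    return bool(addrs) and all(a.is_link_local for a in addrs)


def any_match(adapters, trusted):
    """Model A: trusted if any DNS server on any adapter is in the trusted list
    (the semantics described in the reply above)."""
    for ad in adapters:
        hit = set(ad["dns"]) & trusted
        if hit:
            return True, f"{ad['name']} uses trusted DNS {sorted(hit)}"
    return False, "no adapter reported a trusted DNS server"


def every_adapter_matches(adapters, trusted):
    """Model B (hypothetical, stricter): every adapter carrying an address must
    itself report a trusted DNS server. A link-local-only adapter with no DNS
    servers then fails the check and the network is treated as untrusted."""
    for ad in adapters:
        if not set(ad["dns"]) & trusted:
            why = " (link-local only, no DNS learned)" if link_local_only(ad) else ""
            return False, f"{ad['name']} has no trusted DNS server{why}"
    return True, "all adapters report a trusted DNS server"


def evaluate(adapters=ADAPTERS, trusted=TRUSTED_DNS):
    """Run both models over the adapter list and report which adapters are link-local only."""
    return {"any_match": any_match(adapters, trusted),
            "every_adapter": every_adapter_matches(adapters, trusted),
            "link_local_only": [ad["name"] for ad in adapters if link_local_only(ad)]}


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```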