
No connection to some websites after disconnecting AnyConnect

wulle

I am currently working extensively with Webex and AnyConnect (provided by my University) on my Laptop running Fedora 35.

As I have severe connection problems with Webex (as I have already asked here) if I am not in the university's network, I have to connect via VPN. This resolves the connection issues. However, if I disconnect the VPN, I have no connection to all university related domains anymore (all other websites work as before). It can only be resolved by rebooting.

If you can tell me which logs or configurations could be helpful for you in order to find the reason for this weird behavior, I would be happy to add them!

 

Thanks in advance!

 


From a first review, DNS is the issue.

When the AnyConnect VPN is connected, the PC uses the DNS server provided by AnyConnect; when it is not connected, the PC still uses the invalid DNS.

See if the DNS is the same for both cases, "AnyConnect is connected and disconnected".

Thank you @MHM Cisco World for your reply.

I had a look at the output of `resolvectl status`. Before AnyConnect is connected I get the following configuration:

Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
[...]

After connecting:

Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: foreign
Current DNS Server: 129.69.252.252
       DNS Servers: 129.69.252.252 129.69.252.202 2001:7c0:7c0:252::252
        DNS Domain: speedport.ip uni-stuttgart.de

[...]

Link 8 (cscotun0)
Current Scopes: LLMNR/IPv4 LLMNR/IPv6
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

And after disconnecting again:

Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 129.69.252.252
       DNS Servers: 129.69.252.252 129.69.252.202 2001:7c0:7c0:252::252
        DNS Domain: speedport.ip uni-stuttgart.de

Additionally, here is the output of nslookup before connecting, when connected and after disconnecting:

nslookup uni-stuttgart.de
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	uni-stuttgart.de
Address: 129.69.5.3
Name:	uni-stuttgart.de
Address: 2001:7c0:7c0:5::cafe

nslookup uni-stuttgart.de
Server:		129.69.252.252
Address:	129.69.252.252#53

Non-authoritative answer:
Name:	uni-stuttgart.de
Address: 129.69.5.3
Name:	uni-stuttgart.de
Address: 2001:7c0:7c0:5::cafe

nslookup uni-stuttgart.de
;; connection timed out; no servers could be reached


As I understand, after disconnecting, the configuration of the DNS Servers is not fully reset, am I correct? Unfortunately, how to fix such problems and where to start in the first place is beyond my knowledge.

I would be glad to hear your feedback!
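
Added example, not part of the original posts: a small Python check that compares the Global section of two `resolvectl status` snapshots and lists DNS servers still configured after disconnecting that were not there before connecting. The sample inputs are constructed from the output quoted above; treating the elided `[...]` part of the first snapshot as holding no global DNS servers is an assumption, and the function names are hypothetical.

```python
import re

# "Key: value" lines; wrapped address lines (e.g. "2001:7c0::1") do not match.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z. ]*?):\s+(.*)$")

def parse_global(status_text):
    """Return the fields of the 'Global' section of `resolvectl status` output."""
    fields, last_key, in_global = {}, None, False
    for line in status_text.splitlines():
        stripped = line.strip()
        if stripped == "Global":
            in_global = True
        elif in_global and (not stripped or stripped.startswith("Link ")):
            break  # end of the Global section
        elif in_global:
            m = FIELD.match(line)
            if m:
                last_key = m.group(1).strip()
                fields[last_key] = m.group(2).strip()
            elif last_key:
                # continuation line of a wrapped server or domain list
                fields[last_key] += " " + stripped
    return fields

def stale_dns(before_connect, after_disconnect):
    """List global DNS servers present after disconnect but absent before connect."""
    before = parse_global(before_connect)
    after = parse_global(after_disconnect)
    known = set(before.get("DNS Servers", "").split())
    leftover = [s for s in after.get("DNS Servers", "").split() if s not in known]
    return {"mode": after.get("resolv.conf mode"), "leftover_servers": leftover}

# Constructed from the snapshots in the post (elided parts left out).
BEFORE = """Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
"""
AFTER_DISCONNECT = """Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 129.69.252.252
       DNS Servers: 129.69.252.252 129.69.252.202 2001:7c0:7c0:252::252
        DNS Domain: speedport.ip uni-stuttgart.de
"""

if __name__ == "__main__":
    print(stale_dns(BEFORE, AFTER_DISCONNECT))
```
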

 

Hi @wulle,

 

in my opinion your understanding is correct, it seems that after disconnecting the local DNS configuration on your PC is not reverted back to the previous values.

The fact that a reboot also helps to resolve this is another hint that it might be a problem with the AnyConnect configuration.

 

Since you state that other web sites are reachable, while Webex is not, it sounds like for certain domains, such as *.webex.com, AnyConnect forces the DNS resolution to be done via the university's DNS servers (which might be reachable without VPN).

Unfortunately I am not an AnyConnect expert, but you might want to reach out to the university's IT department and check with them. Maybe it is a known issue to them.

 

Best regards,

Igor

Hi @Igor Lukic and thanks for your reply!

The problem after disconnecting actually appears with the domain unistuttgart.webex.com and all *.uni-stuttgart.de domains. I would not even have to use the VPN if I could access the unistuttgart.webex.com domain in a reliable manner. The DNS-Lookup to this page always times out (or takes a very long time):

 

nslookup unistuttgart.webex.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
unistuttgart.webex.com	canonical name = nebulaag.webex.com.
nebulaag.webex.com	canonical name = global-nebulaag.webex.com.
Name:	global-nebulaag.webex.com
Address: 170.72.18.7
;; connection timed out; no servers could be reached

This should actually be no problem with my university's servers, or am I wrong?

 

 

I have been in contact with the IT support as well. They state the following (translated):



The behavior of the error sounds very much like the routes to the university are selectively stuck. However, since we do not send dedicated university prefixes over the VPN to the clients, this would be a special configuration that you have built yourself (perhaps to keep only the university permanently connected through the VPN without sending the Internet through the VPN tunnel as well?) We intentionally do not offer this type of configuration.

So I am very confused at which end the problem originates. I am at least very confident that I have not made any manual configurations!

Hi @wulle,

 

thanks for your reply and additional feedback!

So looking at this, it seems that it is not a DNS-related issue, as the Webex Site URL unistuttgart.webex.com is correctly resolved to 170.72.18.7, which is a Cisco Webex Public IP.

Based on the feedback of the IT department, it could be related to a routing issue. It would be good to know what the routing configuration looks like before you connect via VPN, after you connect via VPN and after you disconnect.

 

If you are willing, you could issue the command "route" via CLI on your machine and send the output.

 

Another helpful piece of information would be what is shown when you are connected via AnyConnect and you right-click on the AnyConnect logo, then on "Statistics", then on "Details".

In the Statistics tab take a look at the section "Connection Information" and look at the value for "Connection Mode (IPv4)" and "Connection Mode (IPv6)" -> this will tell you how traffic is routed (e.g. a value of Split Include would mean that certain networks are routed via the VPN connection, while others go directly over your internet access).

In the tab "Route Details" you can see which routes are "non-secured", which means that these networks can be reached directly, while the routes listed under "Secured Routes" are the networks that you can reach via the VPN.

 

Maybe after disconnecting the VPN connection, the routing configuration is not reverted back.

 

I have checked this on my Linux Mint machine (including AnyConnect) and everything works as expected, i.e. before connecting to the VPN, the default gateway for all networks is my home router. However, when connected via VPN, there are specific routes (networks), which are only reachable via the VPN. After disconnecting, everything is reverted back.

If you are willing to share the above information, I could take a look into it. Feel free to send me a personal message, if you don't want to share it here.

 

Best regards,

Igor

Hi @Igor Lukic,

thank you for your offer and your help. I have sent you a PM including all relevant information.

Hi @wulle,

 

thanks a lot! I will have a look, but please consider @MHM Cisco World's post, maybe this will resolve your issue.

If not, please let us know.

 

Thanks and best regards,

Igor  

https://www.reddit.com/r/Fedora/comments/p2rdi2/cisco_anyconnect_on_f34/
Check this link and try his way to solve the issue.
Good luck, friend.

Thank you @MHM Cisco World,

after having a look at both of your provided links, I tried to connect with OpenConnect and indeed it works flawlessly even after disconnecting. This of course solves the issue for me as a user but does not fix the underlying problem with AnyConnect. Provided with some workarounds by @Igor Lukic (via PM) I was not able to fix the issue using AnyConnect either.

I will be happy to give you any further information but for now I think I will stay with OpenConnect.

In any case, thank you both very much for your time and help!

Best Regards

wulle

Igor Lukic

Hi @wulle,

 

glad to hear that you could resolve your issue!

Looking forward to hearing from you again.

 

Thanks a lot to @MHM Cisco World for sharing the two links.

 

Best regards,

Igor 

Thanks for your nice words, friend.