Strange AnyConnect IPv6 interfering with IPv4 scenario

JG1978
Level 1

I ran across this scenario last week and I am not sure if I am missing something simple or if this is a real issue.

Problem: It appears IP6 may interfere with IP4 VPN connections.

My network is a large state-wide network which touches many other state agencies (usually by having firewalls in between us and having them VPN into the outside of our firewall). Last week I configured a new VPN connection for one of these agencies and had them connect. The VPN configuration is a split-tunnel scenario where they use the VPN tunnel for a specific application and all other traffic stays local.

During testing I noticed the user could reach some of their local resources but not all of them. After some basic troubleshooting we determined that anytime the user tried to reach a local resource that had IP6 capability (please note, IP6 was not actually configured, just baked into the OS) they were not able to access said resource. They could, however, reach IP4 resources with no problems. IP6 was "unchecked" in the NIC on both client and server resources. Another IT resource has told me that IP6 is unable to be shut off in 2008 and newer because Microsoft has tied many OS services and features into it.

Simple ping tests proved that when the user was trying to reach resources with IP6 "built in" all traffic was trying to use IP6 by default (unless we used the -4 switch to force IP4). The command prompt window would show a "general failure" when trying to ping any of these IP6 resources.

I was able to replicate this problem in another environment where a VPN user connects, tries to ping several Domain controllers and the ones that are 2008 and newer try to respond over IP6 while older boxes respond over IP4. Needless to say I am getting nervous because this could break a ton of services if/when the older Domain controllers are upgraded.

Does anyone have any experience with this? I am concerned that IP6 is the "default" protocol even when it is not configured and this is causing users connected with AnyConnect to be unable to access those resources even though they are running IP4 as well.

Accepted Solutions

gmischler
Level 1

It looks like when you prefer IPv4 to IPv6 in Windows 2008 or Windows 8 and reboot, you fix the problem.

Thanks

 

What does this mean?
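
What "prefer IPv4 to IPv6" changes, as an added example that is not part of the original thread: Windows orders candidate destination addresses with a prefix policy table, and preferring IPv4 raises the precedence of the IPv4-mapped prefix `::ffff:0:0/96` above `::/0`. The sketch models only that precedence rule, using the RFC 6724 default table; the addresses, the function names and the raised value of 100 are constructed for illustration.

```python
import ipaddress

# RFC 6724 default policy table as (prefix, precedence); higher precedence wins.
DEFAULT_POLICY = [
    ("::1/128", 50), ("::/0", 40), ("::ffff:0:0/96", 35), ("2002::/16", 30),
    ("2001::/32", 5), ("fc00::/7", 3), ("::/96", 1), ("fec0::/10", 1),
    ("3ffe::/16", 1),
]

def prefer_ipv4(policy, precedence=100):
    """Copy of the table with the IPv4-mapped prefix raised above ::/0.
    The value 100 is an illustrative assumption; any value above 40 works."""
    return [(p, precedence if p == "::ffff:0:0/96" else prec)
            for p, prec in policy]

def _as_v6(addr):
    """IPv4 addresses are looked up in the table as IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address(0xFFFF00000000 | int(ip))
    return ip

def precedence(addr, policy):
    """Precedence of the longest policy prefix that contains addr."""
    ip = _as_v6(addr)
    matches = [(ipaddress.ip_network(p).prefixlen, prec)
               for p, prec in policy if ip in ipaddress.ip_network(p)]
    return max(matches)[1]  # ::/0 always matches, so the list is never empty

def order_destinations(addrs, policy):
    """Sort candidate addresses for one host name, most preferred first.
    Only the precedence rule is modelled; the other RFC 6724 rules
    (reachability, scope matching and so on) are left out."""
    return sorted(addrs, key=lambda a: -precedence(a, policy))

# Constructed sample: a dual-stack server that answers name lookups with an
# IPv4 address and an auto-assigned link-local IPv6 address.
SERVER_ADDRS = ["10.20.0.5", "fe80::1c2d:3e4f:5a6b"]

if __name__ == "__main__":
    print("default table:", order_destinations(SERVER_ADDRS, DEFAULT_POLICY))
    print("prefer IPv4:  ",
          order_destinations(SERVER_ADDRS, prefer_ipv4(DEFAULT_POLICY)))
```

With the default table the IPv6 address is tried first, which matches the ping behaviour described in the question; with the adjusted table the IPv4 address comes first without needing the `-4` switch.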