11636 Views · 110 Helpful · 81 Replies

VPN drops Internet connectivity

chris.bias
Level 1

I connect to the Cisco AnyConnect VPN and it drops the Internet connection. Below are the ipconfig and route print outputs from the command prompt:

Microsoft Windows [Version 10.0.22000.556]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>route print
===========================================================================
Interface List
12...00 05 9a 3c 7a 00 ......Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
17...c0 25 a5 65 bc 16 ......Intel(R) Ethernet Connection (13) I219-V
20...d6 1b 81 c8 e4 ef ......Microsoft Wi-Fi Direct Virtual Adapter #3
15...e6 1b 81 c8 e4 ef ......Microsoft Wi-Fi Direct Virtual Adapter #4
21...c0 25 a5 65 bc 17 ......Realtek USB GbE Family Controller #2
27...d4 1b 81 c8 e4 ef ......Qualcomm QCA61x4A 802.11ac Wireless Adapter
4...d4 1b 81 c8 e4 f0 ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
28...00 15 5d 77 f6 08 ......Hyper-V Virtual Ethernet Adapter
33...00 15 5d 34 b8 e2 ......Hyper-V Virtual Ethernet Adapter #2
65...00 15 5d 7e 4a 60 ......Hyper-V Virtual Ethernet Adapter #3
79...00 15 5d de c3 38 ......Hyper-V Virtual Ethernet Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.22.45.1 172.22.45.143 291
0.0.0.0 0.0.0.0 192.168.15.1 192.168.15.10 2
12.190.110.211 255.255.255.255 172.22.45.1 172.22.45.143 36
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
172.17.48.0 255.255.240.0 On-link 172.17.48.1 5256
172.17.48.0 255.255.240.0 192.168.15.1 192.168.15.10 2
172.17.48.1 255.255.255.255 On-link 172.17.48.1 5256
172.17.63.255 255.255.255.255 On-link 172.17.48.1 5256
172.22.45.0 255.255.255.0 On-link 172.22.45.143 291
172.22.45.0 255.255.255.0 192.168.15.1 192.168.15.10 2
172.22.45.143 255.255.255.255 On-link 172.22.45.143 291
172.22.45.255 255.255.255.255 On-link 172.22.45.143 291
172.25.16.1 255.255.255.255 On-link 172.25.16.1 5256
172.30.64.0 255.255.240.0 On-link 172.30.64.1 5256
172.30.64.0 255.255.240.0 192.168.15.1 192.168.15.10 2
172.30.64.1 255.255.255.255 On-link 172.30.64.1 5256
172.30.79.255 255.255.255.255 On-link 172.30.64.1 5256
192.168.15.0 255.255.255.0 On-link 192.168.15.10 257
192.168.15.10 255.255.255.255 On-link 192.168.15.10 257
192.168.15.255 255.255.255.255 On-link 192.168.15.10 257
192.168.16.0 255.255.240.0 On-link 192.168.16.1 5256
192.168.16.0 255.255.240.0 192.168.15.1 192.168.15.10 2
192.168.16.1 255.255.255.255 On-link 192.168.16.1 5256
192.168.31.255 255.255.255.255 On-link 192.168.16.1 5256
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 172.22.45.143 291
224.0.0.0 240.0.0.0 On-link 172.17.48.1 5256
224.0.0.0 240.0.0.0 On-link 192.168.16.1 5256
224.0.0.0 240.0.0.0 On-link 172.30.64.1 5256
224.0.0.0 240.0.0.0 On-link 192.168.15.10 257
224.0.0.0 240.0.0.0 On-link 172.25.16.1 5256
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 172.22.45.143 291
255.255.255.255 255.255.255.255 On-link 172.17.48.1 5256
255.255.255.255 255.255.255.255 On-link 192.168.16.1 5256
255.255.255.255 255.255.255.255 On-link 172.30.64.1 5256
255.255.255.255 255.255.255.255 On-link 192.168.15.10 257
255.255.255.255 255.255.255.255 On-link 172.25.16.1 5256
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 172.22.45.1 Default
0.0.0.0 0.0.0.0 172.22.45.13 Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 36 ::/0 On-link
1 331 ::1/128 On-link
12 291 fe80::/64 On-link
21 291 fe80::1541:c9f1:8b73:32b6/128
On-link
28 5256 fe80::3c54:a176:7515:eda5/128
On-link
33 5256 fe80::5408:ef8f:c661:b872/128
On-link
65 5256 fe80::6493:7358:8661:4198/128
On-link
12 291 fe80::6b06:6381:5d0b:2c5c/126
On-link
12 291 fe80::6b06:6381:5d0b:2c5d/128
On-link
12 291 fe80::75e2:8cab:f2d5:bef6/128
On-link
79 5256 fe80::c156:5741:8f9c:575/128
On-link
1 331 ff00::/8 On-link
21 291 ff00::/8 On-link
28 5256 ff00::/8 On-link
33 5256 ff00::/8 On-link
65 5256 ff00::/8 On-link
79 5256 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

C:\WINDOWS\system32>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . :
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . :

Ethernet adapter Ethernet 4:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::6b06:6381:5d0b:2c5d%12(Preferred)
Link-local IPv6 Address . . . . . : fe80::75e2:8cab:f2d5:bef6%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.15.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : ::
192.168.15.1
DHCPv6 IAID . . . . . . . . . . . : 1241515418
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-86-5A-67-C0-25-A5-65-BC-16
DNS Servers . . . . . . . . . . . : 172.22.45.115
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Ethernet Connection (13) I219-V
Physical Address. . . . . . . . . : C0-25-A5-65-BC-16
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 11:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #3
Physical Address. . . . . . . . . : D6-1B-81-C8-E4-EF
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 12:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #4
Physical Address. . . . . . . . . : E6-1B-81-C8-E4-EF
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet 3:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek USB GbE Family Controller #2
Physical Address. . . . . . . . . : C0-25-A5-65-BC-17
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::1541:c9f1:8b73:32b6%21(Preferred)
IPv4 Address. . . . . . . . . . . : 172.22.45.143(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.22.45.1
DHCPv6 IAID . . . . . . . . . . . : 717235621
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-86-5A-67-C0-25-A5-65-BC-16
DNS Servers . . . . . . . . . . . : 172.22.45.115
172.22.45.116
NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : hsd1.la.comcast.net
Description . . . . . . . . . . . : Qualcomm QCA61x4A 802.11ac Wireless Adapter
Physical Address. . . . . . . . . : D4-1B-81-C8-E4-EF
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : D4-1B-81-C8-E4-F0
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter vEthernet (Ethernet):

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
Physical Address. . . . . . . . . : 00-15-5D-77-F6-08
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::3c54:a176:7515:eda5%28(Preferred)
IPv4 Address. . . . . . . . . . . : 172.17.48.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 469767517
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-86-5A-67-C0-25-A5-65-BC-16
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter vEthernet (Ethernet 3):

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
Physical Address. . . . . . . . . : 00-15-5D-34-B8-E2
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5408:ef8f:c661:b872%33(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.16.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 553653597
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-86-5A-67-C0-25-A5-65-BC-16
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter vEthernet (Wi-Fi):

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #3
Physical Address. . . . . . . . . : 00-15-5D-7E-4A-60
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::6493:7358:8661:4198%65(Preferred)
IPv4 Address. . . . . . . . . . . : 172.30.64.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 1090524509
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-86-5A-67-C0-25-A5-65-BC-16
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter vEthernet (Ethernet 4):

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #4
Physical Address. . . . . . . . . : 00-15-5D-DE-C3-38
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::c156:5741:8f9c:575%79(Preferred)
IPv4 Address. . . . . . . . . . . : 172.25.16.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 1325405533
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-86-5A-67-C0-25-A5-65-BC-16
NetBIOS over Tcpip. . . . . . . . : Enabled

C:\WINDOWS\system32>
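A way to read the route table above mechanically, as an added example that is not part of the original post or of any Cisco tooling: it parses a subset of the IPv4 rows quoted above, applies the Windows selection rule (longest prefix match first, then lowest metric), and shows that with AnyConnect connected every Internet destination such as 8.8.8.8, and even the LAN DNS server 172.22.45.115, is sent into the tunnel via 192.168.15.1, while only the VPN headend 12.190.110.211 still leaves through the physical gateway. The route rows are copied from the post; the target addresses are the ones the thread discusses.

```python
import ipaddress

# Constructed sample: a subset of the IPv4 "Active Routes" rows quoted in the post,
# as "destination netmask gateway interface metric" (enough to show the selection).
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 172.22.45.1 172.22.45.143 291
0.0.0.0 0.0.0.0 192.168.15.1 192.168.15.10 2
12.190.110.211 255.255.255.255 172.22.45.1 172.22.45.143 36
172.22.45.0 255.255.255.0 On-link 172.22.45.143 291
172.22.45.0 255.255.255.0 192.168.15.1 192.168.15.10 2
192.168.15.0 255.255.255.0 On-link 192.168.15.10 257
"""

def parse_routes(text):
    """Parse route-print rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skips headers and separators when fed the full output
        dest, mask, gw, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue
        routes.append((net, gw, iface, int(metric)))
    return routes

def select_route(routes, dst):
    """Windows selection: longest prefix match first, then the lowest metric."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r[0].prefixlen, r[3]))

def egress_summary(routes, targets):
    """Map each target to the (gateway, interface) the host would actually use."""
    summary = {}
    for target in targets:
        route = select_route(routes, target)
        summary[target] = (route[1], route[2]) if route else None
    return summary

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for dst, via in egress_summary(table, ["8.8.8.8", "12.190.110.211", "172.22.45.115"]).items():
        print(f"{dst:>16} -> gateway {via[0]} via interface {via[1]}")
```

Feeding the complete `route print` output to `parse_routes` works the same way, since non-route lines are skipped; a metric-2 default route on the AnyConnect adapter is the signature of a full-tunnel policy.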

81 Replies

...

@MHM Cisco World and @Rob Ingram something like this?

permit udp host 172.22.45.13 eq domain any

access-list acl_inside_out extended permit udp <Anyconnect Pool Subnet> object-group dns_internal 
!
access-list acl_inside extended permit udp object-group dns_internal  <Anyconnect Pool Subnet>

I removed the eq domain in case the DNS uses a different port or the return traffic is denied by the ACL.

Hope this is the end of this issue.
Add this ACL and try to ping google.com.

Note: if it does not work, you need to remove this ACL later.

@MHM Cisco World and @Rob Ingram Unfortunately that didn't work either.

Did you ping google.com, and was it successful?

@MHM Cisco World and @Rob Ingram Correct, I could not ping it. It still disconnects the Internet.

Can I see the output from the ping?

For your inside domain, use your inside DNS server.
For the Internet, use the 8.8.8.8 DNS server.
So my suggestion: can you add 8.8.8.8 as another DNS server alongside your inside DNS server?

@MHM Cisco World and @Rob Ingram see the attached.

Ping google.com.
Does google.com resolve to 8.8.8.8?

@MHM Cisco World and @Rob Ingram As you can see in the screenshot, yes, I tried pinging both google.com and 8.8.8.8, and both failed.

@Rob Ingram So I connected to one of the devices and got a different result:

login as: cbias
Pre-authentication banner message from server:
| ^"Warning: This is a Private Network. Any UNAUTHORIZED ACCESS TO THE SYSTEM I
> S STRICTLY PROHIBITED. If you are not authorized, logoff now. All activites a
> re logged and violators will be prosecuted." ^
End of banner message from server
cbias@172.22.45.13's password:
User cbias logged in to vpn
Logins over the last 49 days: 20. Last login: 13:29:03 CDT Mar 16 2022 from 172.22.45.143
Failed logins since the last login: 1. Last failed login: 15:31:23 CDT Mar 16 2022 from 172.22.45.143
Type help or '?' for a list of available commands.
vpn> en
Password: **************
vpn#
vpn#
vpn#

^
ERROR: % Invalid input detected at '^' marker.
vpn# packet-tracer input outside tcp 192.168.15.10 3000 8.8.8.8 80

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 12.190.110.209 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_outside in interface outside
access-list acl_outside extended permit object-group DM_INLINE_SERVICE_1 object vpn-pool any4
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
service-object tcp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq www
service-object icmp6 echo
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq www
service-object udp destination eq domain
service-object udp destination eq echo
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
Additional Information:
Static translate 192.168.15.10/3000 to 76.107.0.220/3000

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000563eabca3a57 flow (svc-spoof-detect)/snp_sp_action_cb:1802

vpn#
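An added example, not from the thread or from Cisco: a small parser for ASA packet-tracer output like the trace above, which reports the phase that dropped the flow and the tag in Drop-reason (here phase 7, WEBVPN-SVC, svc-spoof-detect) so the failing phase is visible at a glance when comparing several traces. The sample is a trimmed, constructed copy of the trace quoted above.

```python
import re

# Constructed sample: a trimmed copy of the packet-tracer output quoted above
# (phases 3-6 omitted; they all returned ALLOW).
PACKET_TRACER = """\
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW

Phase: 7
Type: WEBVPN-SVC
Subtype: in
Result: DROP

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000563eabca3a57 flow (svc-spoof-detect)/snp_sp_action_cb:1802
"""

def parse_phases(text):
    """Split packet-tracer output into one dict per phase; the trailing summary is skipped."""
    phases, current = [], None
    for line in text.splitlines():
        m = re.match(r"Phase:\s*(\d+)\s*$", line)
        if m:
            current = {"phase": int(m.group(1))}
            phases.append(current)
        elif line.strip() == "Result:":
            current = None  # a bare "Result:" opens the final summary block
        elif current is not None and ":" in line:
            key, _, val = line.partition(":")
            current.setdefault(key.strip().lower(), val.strip())
    return phases

def first_drop(text):
    """Return (phase, type, drop tag) for the phase that dropped the flow, else None.
    The tag is the parenthesised name after 'flow' in Drop-reason; svc-spoof-detect
    means a VPN-pool source reached 'outside' with no tunnel context, so the trace
    does not reflect traffic that is really tunnelled."""
    for p in parse_phases(text):
        if p.get("result") == "DROP":
            m = re.search(r"flow \(([^)]+)\)", text)
            return p["phase"], p["type"], m.group(1) if m else None
    return None
```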

..

...

...

..