Versions Compared

Version Old Version 2 New Version Current
Changes made by

achiquet

tianche5

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel6
outlinefalse
typelist
separatorbrackets
printablefalse

Overview

Troubleshoot browser extension and VPN client settings.

Troubleshooting the Web Portal

If you are having trouble with the interactive sessions disappearing after trying to launch a new session, please ensure that any AD blocker or privacy filters have been disabled for the web portal URLs.

Web browser plugin examples:

  • Privacy Badger

  • Avast

  • Ublock Origins

  • AdBlock

  • AdGuard

Cisco VPN is required to access Research Computing services, including the supercomputers.

Research Computing does not manage or maintain the CiscoVPN. It is maintained by the Enterprise Technology (ET) group. Below are some troubleshooting steps you can take. If none of these steps work, please reach out to ET for support.

DNS

DNS and Routing

First you will want to verify , ensure that you are connected to the VPN. When you connect to the VPN, you will see a little Once you are connected, a small globe with a lock and when you hover icon will appear. Hovering over it , it will show connecteddisplay the "connected" status.

...

Next you will want to make sure , it's important to ensure that the VPN routes have been properly added to the systems system's routing tables. From windows Windows, you can run execute the following command:

Code Block
 route print | findstr 10.126.16.0

...

This should return a line, if it is blank, then the routes have not been loaded on your system. (note, this shows two lines but one line is ok)

Next, you will may want to attempt to try and ping “ping” something on campus, we can use login.rc.. You can try and ping the address: sol.asu.edu. This address should is expected to return 10.126139.17.237 or 10.126.17.238120.2

Code Block
ping login.rcsol.asu.edu

...

You may or may not receive a reply from the ping, but the address should be one of the 10.126139.x.x addresses.

If you do not get this address (if you get a 206.207.50.x address) your DNS servers are not setup set up correctly.

If you are still having trouble you can check the dns DNS settings on your interface.

Network DNS settings

From the start menu, search for “Network status” which will bring you to this page.

...

If they are not, you can manually set this address now. (when you are not connect connected to the VPN, you may want to make sure this is set to Obtain “Obtain DNS server automaticallyautomatically”)

System Software

If all of these steps fail, you will need to look at the different software packages installed on your machine. You may have a piece of software that is causing troublestrouble. Other VPN’sVPNs, Antivirus software, Anti Malware software, or DNS redirectors will all cause issues with the VPN. Please disable as many peoples pieces of add-on software as you can to start narrowing down what could be causing the connection issue. If you are still having trouble, please you will need to reach out to us at research computing or join us in office hours so we can do some additional troubleshootingEnterprise Technology for assistance.

Systems

...

With Docker

...

Installed

If you are using the cisco Cisco VPN, dockers and have docker installed, docker's default IP addresses will overlap and cause this issue, you issues. You must change the default networks for docker on the system otherwise the cisco Cisco VPN routes will not work correctly.

You need to create a file "/etc/docker/daemon.json”With json" with the following ( pick a private ip range  IP range, typically 192.168.x.x or 198.x.x.x  ) the size is the size of the networks out of the base that will be assigned to each bridge interface. In this example, there is a /15 netmask used as the base and smaller /24’s that 24 networks will be created out of this.  

Code Block
{

...


  "default-address-pools":

...


  [

...


    {"base":"198.19.0.0/15","size":24}

...


  ]

...


}

 

Then restart the docker service.

You may also need to run

“docker network prune”

...

: docker network prune

MacOS Systems

The VPN Service is Unavailable

A common error on Mac OS systems is “Connect capability is unavailable because the VPN service is unavailable”

...

This is a known issue with the Cisco VPN on MacOS. Enterprise Technology (ET) has provided a patch for this, and it is available from ASU MyApps page under the heading “Is the SSL VPN failing to connect on your Mac?”

Note

When using the patch from ET, you must right-click and select “Open” from the menu, otherwise an error will appear.

Alternatively, you can run the following commands on your Mac:

Code Block
sudo cp /opt/cisco/secureclient/bin/Cisco\ Secure\ Client\ -\ AnyConnect\ VPN\ Service.app/Contents/Resources/com.cisco.secureclient.vpnagentd.plist /Library/LaunchDaemons/

sudo launchctl bootstrap system /Library/LaunchDaemons/com.cisco.secureclient.vpnagentd.plist

If prompted about blocked actions, click “Open System Settings”, and then “Allow” to allow the CiscoVPN to install the necessary network settings.

Then restart the Cisco VPN, and connect.

Uninstalling the VPN on MacOS

If you have to uninstall Cisco VPN, you will need to use the command line to remove it with the uninstall tool.

Cisco Anyconnect Manual uninstall Mac OS - Community Contributions - Hermes

Additional troubleshooting for visiting student accounts

...

Code Block
sudo /opt/cisco/secureclient/bin/vpn_uninstall.sh

Disable IPv6 on MacOS

In the System Settings, search for “IPv6” and change the “Configure IPv6” option to “Manually”.

...

Additional Troubleshooting for Visiting Student Accounts

Make sure the visiting student is subscribed to the VPN service by visiting selfsub.asu.edu and ensuring confirming that Secured network access (Cisco/Perfigo) is active. They may need to subscribe to the service enabled. Subscribing at the bottom of the page may be necessary.

Once subscribed, they should be able to go to users should visit sslvpn.asu.edu, login, to log in and download/install the Cisco VPN client. Any If there's an existing download of the Cisco VPN, it may need to be deleted / and then re-installed (One student was able to get it to work by having both installed(!)).  Once you have . After installing the client installed, you 'll put in can access sslvpn.asu.edu/2FA for the address , and will be prompted to log in.

The login will ask for a username which will be your ASURITE, a password which will be process will prompt you to enter your ASURITE as the username, followed by your ASURITE password, and then a second password (which is not a password) which will be for the . Additionally, you will be required to input a “second password” This is a 2FA code for Duo Two-Factor authentication. Type For this, simply type "push" to receive a push notification, select "phone" to receive for a call, or enter a passcode from the app or text.Another student found success deleting and then re-installing the DUO app

How

...

To Fix WSL2 and Cisco AnyConnect VPN

...

Internet Issue

The

...

Problem

Code Block
Err:1 http://archive.ubuntu.com/ubuntu focal InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:2 http://security.ubuntu.com/ubuntu focal-security InRelease
  Temporary failure resolving 'security.ubuntu.com'
Err:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Reading package lists... Done
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal/InRelease  Temporary failure   resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease  Temporary   failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-backports/InRelease    Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/focal-security/InRelease    Temporary failure resolving 'security.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.

On wsl2 WSL2, running 'sudo apt update' will fail when connected to Cisco Anyconnect VPN, but without vpn the VPN, it works fineperfectly. The problem is when you are connected to anyconnect, wsl fails to resolve the DNSissue arises from WSL's inability to resolve DNS while connected to Anyconnect.

The

...

Solution

  1. Connect to the Cisco Anyconnect VPN first, then open up powershell Powershell as Admin an Administrator and run execute the following commands to get the retrieve all the available DNS/nameservers. Take Make sure to take note of the DNS/namservers will need laternameservers for future reference.

Code Block
Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object -ExpandProperty ServerAddresses

  1. Then, on the same powershell PowerShell, run the following command. This will get retrieve the search domain that you will need later on , along with the aforementioned nameservers above.

Code Block
Get-DnsClientGlobalSetting | Select-Object -ExpandProperty SuffixSearchList

  1. Open up wsl, and run Windows Subsystem for Linux (WSL) and execute the following commands.

Code Block
sudo unlink /etc/resolv.conf # this will unlink the default wsl2 resolv.conf

# This config will prevent wsl2 from overwritting the resolve.conf file everytime
# you start wsl2
cat <<EOF | sudo tee -a /etc/wsl.conf
[network]
generateResolvConf = false
EOF

cat <<EOF | sudo tee -a /etc/resolv.conf
nameserver 10.50... # The company DNS/nameserver from the command in step 1
nameserver 10.50... # The company DNS/nameserver from the command in step 1
nameserver 8.8.8.8
nameserver 8.8.4.4
search this.searchdomain.com # The search domain that we got from step 2
EOF

  1. Change Outside of WSL, change the Cisco Anyconnect metric from the default value of 1 to 6000 inside powershellusing PowerShell.

Code Block
Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000

  1. Restart wsl2 on WSL2 within the same elevated powershellPowerShell session, and then you can open up wsl2 and it should connect to the internetshould be able to open WSL2 and establish an internet connection.

Code Block
Restart-Service LxssManager

References

WSL2 , problem with network connection when VPN used (PulseSecure) · Issue #5068 · microsoft/WSL wsl 2 ubuntu 18.04 unable to connect to IP resources with Cisco Annyconnect active · Issue #4277 · microsoft/WSL

Using an

...

Alternate Client

Openconnect on Ubuntu23

 

Step #1: Open the terminal and enter the following command to install the OpenConnect network manager:

...

Step #8: Enter your ASURITE in the Username box, put your ASURITE password in the first password box, and then the second password box would be your DUO method, for example. “push” for a push notification to your device. Once these have been entered, click on “Login”.

...

Openconnect on MacOS

...

  1. Install Homebrew

Homebrew

...

  1. Open a terminal window and install Openconnect and Openconnect-GUI via homebrew

Code Block
brew install openconnect openconnect-gui

...

  1. Run Openconnect-GUI (you will need to right-click on the icon and choose open the first time you launch it)

...

  1. - Click on the Gear icon and choose New Profile (advanced)

...

 Enter  Enter the following:

Name: ASU Cisco VPN

Gateway: sslvpn.asu.edu

Username: yourasurite

Click Save

Click Connect

 

...

The first time you try to connect it will pop up this window.

...

 

  1. Click Accurate Information

  2. Click Connect again, the first Password Dialog is your ASURITE Password

...

  1. Click OK, the second Password is your preferred 2 factor authentication method, i.e. Push, Phone

On successful login the Lock icon will turn Green.

...

 

 Additional Help

...

Additional Help 
Insert excerpt
Contact RC Support excerpt
Contact RC Support excerpt
nameContact RC Support
nopaneltrue