
Overview

Troubleshoot VPN client settings.

DNS

DNS and Routing

First, verify that you are connected to the VPN. When you are connected, you will see a small globe with a lock; when you hover over it, it will show connected.

Next, make sure that the VPN routes have been added to the system's routing table.

On Windows, you can run the following command:

 route print | findstr 10.126.16.0

This should return a line. If it is blank, the routes have not been loaded on your system. (Note: this shows two lines, but one line is OK.)

Next, try to ping something on campus; we can use login.rc.asu.edu. This address should return 10.126.17.237 or 10.126.17.238.

ping login.rc.asu.edu

If you do not get a reply, that is OK, but the address should be one of the 10.126.x.x addresses.

If you do not get this address (for example, if you get a 206.207.50.x address), your DNS servers are not set up correctly.

If you are still having trouble, you can check the DNS settings on your interface.
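The two checks above can be scripted. The following is an added example, not part of the original page: it parses the text of route print and ping, matching the route destination exactly (findstr matches substrings, so it would also hit a destination such as 110.126.16.0). The sample outputs are constructed, and the netmask, gateway, interface and metric values in them are made up.

```python
import ipaddress
import re

VPN_ROUTE = "10.126.16.0"                                # route the page searches for
VPN_RANGE = ipaddress.ip_network("10.126.0.0/16")        # the "10.126.x.x" answers
PUBLIC_RANGE = ipaddress.ip_network("206.207.50.0/24")   # the "206.207.50.x" answers

# Constructed sample output (not captured from a real system).
SAMPLE_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     35
      10.126.16.0    255.255.240.0       10.200.0.1     10.200.0.25      2
"""
SAMPLE_PING = """\
Pinging login.rc.asu.edu [206.207.50.10] with 32 bytes of data:
Request timed out.
"""

def has_vpn_route(route_print, destination=VPN_ROUTE):
    """True if an IPv4 route row has exactly `destination` in its first column."""
    for line in route_print.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == destination:
            return True
    return False

def resolved_address(ping_output):
    """Return the address Windows ping prints in square brackets, or None."""
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", ping_output)
    return match.group(1) if match else None

def diagnose(route_print, ping_output):
    """Apply the page's checks in order and name the first one that fails."""
    if not has_vpn_route(route_print):
        return "routes-missing"        # VPN routes were not loaded
    addr = resolved_address(ping_output)
    if addr is None:
        return "no-resolution"         # the name did not resolve at all
    ip = ipaddress.ip_address(addr)
    if ip in VPN_RANGE:
        return "ok"                    # a missing Reply is fine, the address is right
    if ip in PUBLIC_RANGE:
        return "dns-not-vpn"           # DNS servers are not set up correctly
    return "unexpected-address"

if __name__ == "__main__":
    print(diagnose(SAMPLE_ROUTES, SAMPLE_PING))
```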

Network DNS settings

From the Start menu, search for “Network status”, which will bring you to this page.

 

Select “Change adapter options” and you will see this page.

From here, select the correct interface and go to Properties. On a laptop this might be a wireless connection; on a desktop it would probably be called Ethernet 1 or Ethernet 2.

After going to Properties, select Internet Protocol Version 4 and click Properties.

While connected to the VPN, your DNS servers should be set like this.

If they are not, you can manually set this address now. (When you are not connected to the VPN, you may want to make sure this is set to Obtain DNS server address automatically.)

System Software

If all of these steps fail, you will need to look at the different software packages installed on your machine. You may have a piece of software that is causing trouble. Other VPNs, antivirus software, anti-malware software, or DNS redirectors will all cause issues with the VPN. Please disable as many pieces of add-on software as you can to start narrowing down what could be causing the connection issue. If you are still having trouble, please reach out to us at Research Computing or join us in office hours so we can do some additional troubleshooting.

Systems with Docker installed

If you are using the Cisco VPN, Docker's default IP addresses will overlap with the VPN routes and cause this issue. You must change Docker's default networks on the system; otherwise the Cisco VPN routes will not work correctly. Create the file /etc/docker/daemon.json

with the following contents (pick a private IP range). The size is the prefix length of the networks that are carved out of the base and assigned to each bridge interface. In this example a /15 is used as the base, and smaller /24s will be created out of it.

 

{
  "default-address-pools":
  [
    {"base":"198.19.0.0/15","size":24}
  ]
}

 

Then restart the docker service.

You may also need to run

docker network prune
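To confirm that a candidate daemon.json no longer collides with the VPN, the pools can be compared against the routing table. This is an added example, not part of the original page: the VPN routes are constructed samples (read the real ones from your routing table while connected), and the list of Docker's stock pools is an assumption to verify against your Docker version.

```python
import ipaddress
import json

# daemon.json contents exactly as shown on this page.
PAGE_DAEMON_JSON = '{"default-address-pools": [{"base": "198.19.0.0/15", "size": 24}]}'

# Assumption: Docker's stock pools when daemon.json sets none (verify for your version).
DOCKER_DEFAULT_JSON = json.dumps({"default-address-pools": [
    {"base": "172.17.0.0/16", "size": 16}, {"base": "172.18.0.0/16", "size": 16},
    {"base": "172.19.0.0/16", "size": 16}, {"base": "172.20.0.0/14", "size": 16},
    {"base": "172.24.0.0/14", "size": 16}, {"base": "172.28.0.0/14", "size": 16},
    {"base": "192.168.0.0/16", "size": 20}]})

# Constructed VPN routes for illustration; the prefix lengths are made up.
SAMPLE_VPN_ROUTES = ["10.126.16.0/20", "172.16.0.0/12"]

def load_pools(daemon_json):
    """Return [(base_network, size)] parsed from a daemon.json string."""
    pools = []
    for entry in json.loads(daemon_json).get("default-address-pools", []):
        # strict=False: the page's base (198.19.0.0/15) has host bits set, so
        # Python normalises it to 198.18.0.0/15 instead of raising ValueError.
        base = ipaddress.ip_network(entry["base"], strict=False)
        size = int(entry["size"])
        if not base.prefixlen <= size <= base.max_prefixlen:
            raise ValueError(f"size /{size} does not fit inside {base}")
        pools.append((base, size))
    return pools

def subnets_available(base, size):
    """Number of /size bridge networks that can be carved out of base."""
    return 2 ** (size - base.prefixlen)

def conflicts(daemon_json, vpn_routes):
    """List (pool, route) pairs whose address ranges overlap."""
    routes = [ipaddress.ip_network(r, strict=False) for r in vpn_routes]
    return [(str(base), str(route))
            for base, _ in load_pools(daemon_json)
            for route in routes if base.overlaps(route)]

if __name__ == "__main__":
    print("stock pools:", conflicts(DOCKER_DEFAULT_JSON, SAMPLE_VPN_ROUTES))
    print("page config:", conflicts(PAGE_DAEMON_JSON, SAMPLE_VPN_ROUTES))
```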

MacOS systems

If you have to uninstall the Cisco VPN, you need to use the command line to remove it with the uninstall tool.

Cisco Anyconnect Manual uninstall Mac OS - Community Contributions - Hermes

Additional troubleshooting for visiting student accounts

Make sure they are subscribed to the service by going to selfsub.asu.edu and ensuring that Secured network access (Cisco/Perfigo) is active. They may need to subscribe to the service at the bottom of the page.

Once subscribed, they should be able to go to sslvpn.asu.edu, log in, and download/install the Cisco VPN client. Any existing download of Cisco VPN may need to be deleted/re-installed (one student was able to get it to work by having both installed(!)). Once you have the client installed, you'll put in sslvpn.asu.edu/2FA for the address and be prompted to log in.

The login will ask for a username, which will be your ASURITE, a password, which will be your ASURITE password, and then a second password (which is not a password), which will be for the Duo two-factor authentication. Type "push" to receive a push, "phone" to receive a call, or enter a passcode from the app or text.

Another student found success deleting and then re-installing the DUO app.

How to fix WSL2 and Cisco AnyConnect VPN internet issue

The problem

Err:1 http://archive.ubuntu.com/ubuntu focal InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:2 http://security.ubuntu.com/ubuntu focal-security InRelease
  Temporary failure resolving 'security.ubuntu.com'
Err:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Reading package lists... Done
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal/InRelease  Temporary failure   resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease  Temporary   failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-backports/InRelease    Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/focal-security/InRelease    Temporary failure resolving 'security.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.

On WSL2, sudo apt update will fail when connected to the Cisco AnyConnect VPN, but without the VPN it works fine. The problem is that when you are connected to AnyConnect, WSL fails to resolve DNS.

The solution

  1. Connect the Cisco AnyConnect VPN, then open PowerShell as Admin and run the following command to get all the available DNS servers/nameservers. Take note of the nameservers; you will need them later.

Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object -ExpandProperty ServerAddresses

  2. In the same PowerShell window, run the following. This will get the search domain that you will need later on, together with the nameservers above.

Get-DnsClientGlobalSetting | Select-Object -ExpandProperty SuffixSearchList

  3. Open WSL and run the following commands.

sudo unlink /etc/resolv.conf # this will unlink the default wsl2 resolv.conf

# This config will prevent wsl2 from overwriting the resolv.conf file every time
# you start wsl2
cat <<EOF | sudo tee -a /etc/wsl.conf
[network]
generateResolvConf = false
EOF

cat <<EOF | sudo tee -a /etc/resolv.conf
nameserver 10.50... # The company DNS/nameserver from the command in step 1
nameserver 10.50... # The company DNS/nameserver from the command in step 1
nameserver 8.8.8.8
nameserver 8.8.4.4
search this.searchdomain.com # The search domain that we got from step 2
EOF

  4. Change the Cisco AnyConnect interface metric from the default of 1 to 6000 in PowerShell.

Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000

  5. Restart WSL2 from the same elevated PowerShell window; then you can open WSL2 and it should connect to the internet.

Restart-Service LxssManager

References

WSL2 , problem with network connection when VPN used (PulseSecure) · Issue #5068 · microsoft/WSL

wsl 2 ubuntu 18.04 unable to connect to IP resources with Cisco Annyconnect active · Issue #4277 · microsoft/WSL

Using an alternate client

Openconnect on Ubuntu23

 

Step #1: Open the terminal and enter the following command to install the OpenConnect network manager:

sudo apt-get install openconnect network-manager-openconnect network-manager-openconnect-gnome

 

Step #2: Click on the Network icon in the top corner, and then click the settings gear to open the network settings. Then click the “+” sign next to VPN.

 

Step #3: Select Multi-protocol VPN client (openconnect).

 

Step #4: Enter the following info:

 

Step #5: Click on IPv6 and select Disable. Then click “Add” on the top right side.

 

Step #6: Your VPN profile has been created. Turn on its switch to connect to the VPN.

 

Step #8: Enter your ASURITE in the Username box, put your ASURITE password in the first password box, and in the second password box enter your DUO method, for example “push” for a push notification to your device. Once these have been entered, click on “Login”.

Openconnect on MacOS

Step #1 - Install Homebrew

Homebrew

Step #2 - Open a terminal window and install Openconnect and Openconnect-GUI via Homebrew

brew install openconnect openconnect-gui

Step #3 - Run Openconnect-GUI (you will need to right-click on the icon and choose Open the first time you launch it)

Step #4 - Click on the Gear icon and choose New Profile (advanced)

 

Enter the following

Name: ASU Cisco VPN

Gateway: sslvpn.asu.edu

Username: yourasurite

Click Save

Click Connect

 

The first time you try to connect, it will pop up this window.

 

Click Accurate Information

Click Connect again. The first password dialog is your ASURITE password.

Click OK. The second password is your preferred two-factor authentication method, i.e. Push, Phone.

On successful login the Lock icon will turn Green.

 

Additional Help

If you require further assistance on this topic, please don't hesitate to contact the Research Computing Team. To create a support ticket, kindly send an email to rtshelp@asu.edu. For quick inquiries, you're welcome to reach out via our #rc-support Slack channel or attend our office hours for live assistance.
