Troubleshooting Cisco VPN

Here are some steps you can take to troubleshoot your VPN connection.

DNS and Routing

First, verify that you are connected to the VPN. When you connect to the VPN, you will see a little globe with a lock; when you hover over it, it will show connected.

Next, make sure that the VPN routes have been added to the system's routing table.

On Windows, you can run the following command:

 route print | findstr 10.126.16.0

This should return a line. If it is blank, the routes have not been loaded on your system. (Note: this shows two lines, but one line is OK.)

Next, try to ping something on campus; we can use login.rc.asu.edu. This name should resolve to 10.126.17.237 or 10.126.17.238.

 ping login.rc.asu.edu

If you do not get a reply, that is OK, but the address should be one of the 10.126.x.x addresses.

If you do not get this address (if you get a 206.207.50.x address), your DNS servers are not set up correctly.
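The two checks above can be combined into one triage step. The following Python sketch is an added example, not part of the original page: it parses `route print` output, confirms the 10.126.16.0 route is present, and classifies the address that login.rc.asu.edu resolved to. The sample routing table (netmask, gateway, interface and metric values) is constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.126.0.0/16")   # "10.126.x.x" on this page
PUBLIC = ipaddress.ip_network("206.207.50.0/24")   # "206.207.50.x" on this page

# Constructed sample of `route print` IPv4 output; netmask, gateway,
# interface and metric values are assumptions, not a real capture.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
      10.126.16.0    255.255.248.0       10.107.0.1      10.107.0.23      2
      192.168.1.0    255.255.255.0          On-link     192.168.1.50    281
===========================================================================
"""

def parse_routes(text):
    """Return the IPv4 networks listed in `route print` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # header, separator or other non-route line
        try:
            routes.append(ipaddress.ip_network(f"{fields[0]}/{fields[1]}"))
        except ValueError:
            continue  # five fields, but not destination + netmask
    return routes

def best_route(routes, addr):
    """Longest-prefix match: the most specific route that contains addr."""
    matches = [r for r in routes if addr in r]
    return max(matches, key=lambda r: r.prefixlen, default=None)

def triage(route_text, resolved, vpn_dest="10.126.16.0"):
    """Classify the route check and the DNS check described above."""
    routes = parse_routes(route_text)
    if not any(str(r.network_address) == vpn_dest for r in routes):
        return "vpn routes not loaded"
    addr = ipaddress.ip_address(resolved)
    if addr in PUBLIC:
        return "DNS not using VPN servers"
    if addr not in INTERNAL:
        return "unexpected DNS answer"
    route = best_route(routes, addr)
    if route is None or route.prefixlen == 0:
        return "internal address but no specific route"
    return f"ok via {route}"
```

Pass it the text captured from `route print` and the address shown by `ping login.rc.asu.edu`; a result other than "ok via ..." tells you which of the two checks failed.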

If you are still having trouble, you can check the DNS settings on your interface.

 

Network DNS settings

From the start menu, search for “Network status” which will bring you to this page.

 

Select “Change adapter options” and you will see this page.

From here, select the correct interface and go to Properties. On a laptop, this might be a wireless connection; on a desktop, it would probably be called Ethernet 1 or Ethernet 2.

After going to Properties, select Internet Protocol Version 4 and hit Properties.

While connected to the VPN, your DNS servers should be set like this

If they are not, you can manually set this address now. (When you are not connected to the VPN, you may want to make sure this is set to Obtain DNS server automatically.)

 

System Software

If all of these steps fail, you will need to look at the different software packages installed on your machine. You may have a piece of software that is causing trouble. Other VPNs, antivirus software, anti-malware software, or DNS redirectors will all cause issues with the VPN. Please disable as many pieces of add-on software as you can to start narrowing down what could be causing the connection issue. If you are still having trouble, please reach out to us at Research Computing or join us in office hours so we can do some additional troubleshooting.

 

Systems with Docker installed

If you are using the Cisco VPN, Docker's default IP addresses will overlap and cause this issue. You must change the default networks for Docker on the system; otherwise the Cisco VPN routes will not work correctly. You need to create the file “/etc/docker/daemon.json” with the following contents (pick a private IP range). The size is the prefix length of the networks that will be carved out of the base and assigned to each bridge interface. In this example, a /15 is used as the base, and smaller /24s will be created out of it.

 

{
  "default-address-pools":
  [
    {"base":"198.19.0.0/15","size":24}
  ]
}

 

Then restart the Docker service.

You may also need to run:

 docker network prune
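Before restarting Docker, it helps to confirm that the chosen pool really avoids the VPN routes and to see how many bridge networks it yields. The following Python check is an added example, not part of the original page. The VPN route list is constructed for illustration (read the real routes from your routing table while connected), and the function name is hypothetical. It also shows that the base 198.19.0.0/15 has host bits set, so the address block it names is 198.18.0.0/15.

```python
import ipaddress
import json

# daemon.json content as shown on this page.
DAEMON_JSON = '{"default-address-pools": [{"base": "198.19.0.0/15", "size": 24}]}'

# Docker's default docker0 bridge network, written as a pool for comparison.
DEFAULT_BRIDGE_JSON = '{"default-address-pools": [{"base": "172.17.0.0/16", "size": 16}]}'

# Routes the VPN is assumed to push. Constructed for illustration only.
VPN_ROUTES = ["10.126.16.0/21", "172.16.0.0/12"]

def check_pools(daemon_json, vpn_routes):
    """Per pool: normalized base, number of subnets, and any VPN overlap."""
    routes = [ipaddress.ip_network(r) for r in vpn_routes]
    report = []
    for pool in json.loads(daemon_json)["default-address-pools"]:
        # strict=False masks off host bits instead of raising ValueError:
        # 198.19.0.0/15 is not on a /15 boundary, its network is 198.18.0.0/15.
        base = ipaddress.ip_network(pool["base"], strict=False)
        size = pool["size"]
        if size < base.prefixlen:
            raise ValueError(f"size /{size} does not fit inside base {base}")
        report.append({
            "given": pool["base"],
            "network": str(base),
            "aligned": pool["base"] == str(base),
            # Each bridge gets one /size network carved out of the base.
            "subnets": 2 ** (size - base.prefixlen),
            "first": str(next(base.subnets(new_prefix=size))),
            "overlaps": [str(r) for r in routes if base.overlaps(r)],
        })
    return report

if __name__ == "__main__":
    for doc in (DAEMON_JSON, DEFAULT_BRIDGE_JSON):
        for entry in check_pools(doc, VPN_ROUTES):
            print(entry)
```

An empty "overlaps" list means the pool is clear of the listed routes; any entry there names the VPN route that the Docker bridge networks would shadow.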

 

MacOS systems

 

If you have to uninstall the Cisco VPN, you need to use the command line to remove it with the uninstall tool.

http://kb.mit.edu/confluence/display/mitcontrib/Cisco+Anyconnect+Manual+uninstall+Mac+OS

 

Additional troubleshooting for visiting student accounts

Make sure they are subscribed to the service by going to selfsub.asu.edu and ensuring that Secured network access (Cisco/Perfigo) is active. They may need to subscribe to the service at the bottom of the page.

Once subscribed, they should be able to go to sslvpn.asu.edu, log in, and download/install the Cisco VPN client. Any existing download of Cisco VPN may need to be deleted/re-installed. (One student was able to get it to work by having both installed(!).) Once you have the client installed, you'll put in sslvpn.asu.edu/2FA for the address, and be prompted to log in.

The login will ask for a username, which will be your ASURITE; a password, which will be your ASURITE password; and then a second password (which is not a password), which will be for the Duo Two-Factor authentication. Type "push" to receive a push, "phone" to receive a call, or enter a passcode from the app or text.

Another student found success deleting and then re-installing the DUO app.

 

How to fix WSL2 and Cisco Anyconnect VPN internet issue

The problem

Err:1 http://archive.ubuntu.com/ubuntu focal InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:2 http://security.ubuntu.com/ubuntu focal-security InRelease
  Temporary failure resolving 'security.ubuntu.com'
Err:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Reading package lists... Done
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal/InRelease Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-backports/InRelease Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/focal-security/InRelease Temporary failure resolving 'security.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.

On WSL2, sudo apt update will fail when connected to the Cisco AnyConnect VPN, but without the VPN it works fine. The problem is that when you are connected to AnyConnect, WSL fails to resolve DNS names.

The solution

  1. Connect the Cisco AnyConnect VPN, then open up PowerShell as Admin and run the following commands to get all the available DNS servers/nameservers. Take note of the DNS servers/nameservers; you will need them later.

  2. Then, in the same PowerShell window, run the following. This will get the search domain, which you will need later on along with the nameservers above.

  3. Open up WSL and run the following commands.

  4. Change the Cisco AnyConnect metric from the default 1 to 6000 inside PowerShell.

  5. Restart WSL2 from the same elevated PowerShell window; then you can open up WSL2 and it should connect to the internet.

References

https://github.com/microsoft/WSL/issues/5068

https://github.com/microsoft/WSL/issues/4277

 

Using an alternate client

 

OpenConnect on Ubuntu 23

 

Step #1: Open the terminal and enter the following command to install the OpenConnect network manager:

 

Step #2: Click on the Network icon in the top corner, and then click the settings gear to open the network settings. Then click the “+” sign next to VPN.

 

Step #3: Select Multi-protocol VPN client (openconnect).

 

Step #4: Enter the following info:

 

Step #5: Click on IPv6 and select Disable. Then click “Add” on the top right side.

 

Step #6: Your VPN profile has been created. Turn on its switch to connect to the VPN.

 

Step #8: Enter your ASURITE in the Username box, put your ASURITE password in the first password box, and in the second password box enter your DUO method, for example “push” for a push notification to your device. Once these have been entered, click on “Login”.

 

OpenConnect on MacOS

Step #1 - Install Homebrew

Step #2 - Open a terminal window and install OpenConnect and OpenConnect-GUI via Homebrew

Step #3 - Run OpenConnect-GUI (you will need to right-click on the icon and choose Open the first time you launch it)

Step #4 - Click on the Gear icon and choose New Profile (advanced)

 

Enter the following

Name: ASU Cisco VPN

Gateway: sslvpn.asu.edu

Username: yourasurite

Click Save

Click Connect

 

The first time you try to connect it will pop up this window.

 

Click Accurate Information

Click Connect again. The first Password dialog is for your ASURITE password.

Click OK. The second Password is your preferred two-factor authentication method, i.e. Push, Phone.

On successful login, the Lock icon will turn green.