Troubleshooting The CiscoVPN
- 1 Overview
- 2 DNS
- 2.1 DNS and Routing
- 2.2 Network DNS settings
- 3 System Software
- 4 Systems With Docker Installed
- 5 MacOS Systems
- 6 Additional Troubleshooting for Visiting Student Accounts
- 7 How To Fix WSL2 and Cisco AnyConnect VPN Internet Issue
- 7.1 The Problem
- 7.2 The Solution
- 7.2.1 References
- 8 Using an Alternate Client
- 9 Additional Help
Overview
Cisco VPN is required to access Research Computing services, including the supercomputers.
Research Computing does not manage or maintain the CiscoVPN. It is maintained by the Enterprise Technology (ET) group. Below are some troubleshooting steps you can take. If none of these steps work, please reach out to ET for support.
DNS
DNS and Routing
First, ensure that you are connected to the VPN. Once you are connected, a small globe with a lock icon will appear. Hovering over it will display the "connected" status.
Next, it's important to ensure that the VPN routes have been properly added to the system's routing tables. From Windows, you can execute the following command:
route print | findstr 10.126.16.0
This should return a line. If the output is blank, the routes have not been loaded on your system. (Note: this shows two lines, but one line is OK.)
Next, you may want to attempt to “ping” something on campus. You can try to ping the address sol.asu.edu. This address is expected to return 10.139.120.2.
ping sol.asu.edu
You may or may not receive a reply from the ping, but the address should be one of the 10.139.x.x addresses.
If you do not get this address (if you instead get a 206.207.50.x address), your DNS servers are not set up correctly.
If you are still having trouble you can check the DNS settings on your interface.
Network DNS settings
From the start menu, search for “Network status” which will bring you to this page.
Select the “change adapter options” and you will see this page
From here, select the correct interface and go to Properties. On a laptop, this might be a wireless connection; on a desktop, it would probably be called ethernet 1 or ethernet 2.
After going to Properties, select Internet Protocol Version 4 and click Properties.
While connected to the VPN, your DNS servers should be set like this
If they are not, you can manually set this address now. (When you are not connected to the VPN, you may want to make sure this is set to “Obtain DNS server automatically”.)
System Software
If all of these steps fail, you will need to look at the different software packages installed on your machine. You may have a piece of software that is causing trouble. Other VPNs, Antivirus software, or DNS redirectors will all cause issues with the VPN. Please disable as many pieces of add-on software as you can to start narrowing down what could be causing the connection issue. If you are still having trouble, you will need to reach out to Enterprise Technology for assistance.
Systems With Docker Installed
If you are using the Cisco VPN and have Docker installed, Docker's default IP addresses will overlap and cause issues. You must change the default networks for Docker on the system; otherwise the Cisco VPN routes will not work correctly.
Create the file "/etc/docker/daemon.json" with the contents shown below.
Pick a private IP range (typically 192.168.x.x or 198.x.x.x). The "size" value is the size of the networks, carved out of the base, that will be assigned to each bridge interface. In this example, a /15 netmask is used as the base, and smaller /24 networks will be created out of it.
{
"default-address-pools":
[
{"base":"198.19.0.0/15","size":24}
]
}
Then restart the docker service.
You may also need to run: docker network prune
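As an added example (not part of the original page, and not Docker's or Enterprise Technology's own tooling), this Python check reads a daemon.json and reports, for each pool, whether it overlaps a VPN route, how many bridge networks it yields, and whether the base is written on a network boundary. The route prefix lengths and the 172.16.0.0/12 route are assumptions for illustration.

```python
import ipaddress
import json

# Constructed inputs. POOLS_PAGE is the daemon.json shown above; POOLS_DEFAULT
# models Docker's stock bridge network (172.17.0.0/16). The VPN routes and
# their prefix lengths are assumptions: read the real ones from `route print`
# or `ip route` while connected.
POOLS_PAGE = '{"default-address-pools": [{"base": "198.19.0.0/15", "size": 24}]}'
POOLS_DEFAULT = '{"default-address-pools": [{"base": "172.17.0.0/16", "size": 16}]}'
VPN_ROUTES = ["10.126.16.0/24", "10.139.0.0/16", "172.16.0.0/12"]


def check_pools(daemon_json, vpn_routes):
    """Report alignment, capacity and VPN-route conflicts for each pool."""
    routes = [ipaddress.ip_network(r) for r in vpn_routes]
    reports = []
    for pool in json.loads(daemon_json).get("default-address-pools", []):
        iface = ipaddress.ip_interface(pool["base"])
        net = iface.network  # the base with host bits cleared
        size = int(pool["size"])
        if not net.prefixlen <= size <= net.max_prefixlen:
            raise ValueError(f"size {size} does not fit inside {net}")
        reports.append({
            "base": pool["base"],
            "effective": str(net),
            # False means the base has host bits set: it names a network
            # that starts at `effective`, not at the address as written.
            "aligned": iface.ip == net.network_address,
            "subnets": 2 ** (size - net.prefixlen),
            "conflicts": [str(r) for r in routes if net.overlaps(r)],
        })
    return reports


if __name__ == "__main__":
    for doc in (POOLS_PAGE, POOLS_DEFAULT):
        for report in check_pools(doc, VPN_ROUTES):
            print(report)
```

With the page's pool the report shows no conflicts and 512 /24 networks, and it flags that 198.19.0.0/15 is not on a /15 boundary (the enclosing network is 198.18.0.0/15).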
MacOS Systems
The VPN Service is Unavailable
A common error on Mac OS systems is “Connect capability is unavailable because the VPN service is unavailable”.
This is a known issue with the Cisco VPN on MacOS. Enterprise Technology (ET) has provided a patch for this, and it is available from ASU MyApps page under the heading “Is the SSL VPN failing to connect on your Mac?”
When using the patch from ET, you must right-click and select “Open” from the menu, otherwise an error will appear.
Alternatively, you can run the following commands on your Mac:
If prompted about blocked actions, click “Open System Settings”, and then “Allow” to allow the CiscoVPN to install the necessary network settings.
Then restart the Cisco VPN, and connect.
Uninstalling the VPN on MacOS
If you have to uninstall Cisco VPN, you will need to use the command line to remove it with the uninstall tool.
Disable IPv6 on MacOS
In the System Settings, search for “IPv6” and change the “Configure IPv6” option to “Manually”.
Additional Troubleshooting for Visiting Student Accounts
Make sure the visiting student is subscribed to the VPN service by visiting selfsub.asu.edu and confirming that Secured network access (Cisco/Perfigo) is enabled. Subscribing at the bottom of the page may be necessary.
Once subscribed, users should visit sslvpn.asu.edu to log in and download/install the Cisco VPN client. If there's an existing download of the Cisco VPN, it may need to be deleted and then re-installed. After installing the client, you can use sslvpn.asu.edu/2FA for the address, and you will be prompted to log in.
The login process will prompt you to enter your ASURITE as the username, followed by your ASURITE password. Additionally, you will be required to input a “second password”. This is a 2FA code for Duo Two-Factor authentication. For this, simply type "push" to receive a push notification, select "phone" for a call, or enter a passcode from the app or text.
How To Fix WSL2 and Cisco AnyConnect VPN Internet Issue
The Problem
On WSL2, running 'sudo apt update' fails when connected to the Cisco AnyConnect VPN, but works perfectly without the VPN. The issue arises from WSL's inability to resolve DNS while connected to AnyConnect.
The Solution
Connect to the Cisco AnyConnect VPN first, then open PowerShell as an Administrator and execute the following commands to retrieve all available DNS/nameservers. Make sure to take note of the DNS/nameservers for future reference.
Then, on the same PowerShell, run the following command. This will retrieve the search domain that you will need later, along with the aforementioned nameservers.
Open Windows Subsystem for Linux (WSL) and execute the following commands.
Outside of WSL, change the Cisco AnyConnect metric from the default value of 1 to 6000 using PowerShell.
Restart WSL2 within the same elevated PowerShell session, and then you should be able to open WSL2 and establish an internet connection.
References
- WSL2, problem with network connection when VPN used (PulseSecure) · Issue #5068 · microsoft/WSL
- wsl 2 ubuntu 18.04 unable to connect to IP resources with Cisco Annyconnect active · Issue #4277 · microsoft/WSL
Using an Alternate Client
Openconnect on Ubuntu23
Step #1: Open the terminal and enter the following command to install the OpenConnect network manager:
Step #2: Click on the Network icon in the top corner, and then click the settings gear to open the network settings. Then click the “+” sign next to VPN.
Step #3: Select Multi-protocol VPN client (openconnect).
Step #4: Enter the following info:
Step #5: Click on IPv6 and select Disable. Then click “Add” on the top right side.
Step #6: Your VPN profile has been created. Turn on its switch to connect to the VPN.
Step #8: Enter your ASURITE in the Username box, put your ASURITE password in the first password box, and put your DUO method in the second password box, for example “push” for a push notification to your device. Once these have been entered, click on “Login”.
Openconnect on MacOS
Install Homebrew
Open a terminal window and install Openconnect and Openconnect-GUI via Homebrew.
Run Openconnect-GUI (you will need to right-click on the icon and choose Open the first time you launch it).
- Click on the Gear icon and choose New Profile (advanced)
Enter the following:
Name: ASU Cisco VPN
Gateway: sslvpn.asu.edu
Username: yourasurite
Click Save
Click Connect
The first time you try to connect it will pop up this window.
Click Accurate Information
Click Connect again. The first password dialog is for your ASURITE password.
Click OK. The second password is your preferred two-factor authentication method, i.e. Push, Phone.
On successful login the Lock icon will turn Green.
Additional Help