Troubleshooting The CiscoVPN
- 1 Overview
- 2 DNS
- 2.1 DNS and Routing
- 2.2 Network DNS settings
- 3 System Software
- 4 Systems With Docker Installed
- 5 MacOS Systems
- 6 Ubuntu Systems
- 7 Additional Troubleshooting for Visiting Student Accounts
- 8 How To Fix WSL2 and Cisco AnyConnect VPN Internet Issue
- 8.1 The Problem
- 8.2 The Solution
- 8.2.1 References
- 9 Additional Help
Overview
Cisco VPN is required to access Research Computing services, including the supercomputers.
Research Computing does not manage or maintain the CiscoVPN. It is maintained by the Enterprise Technology (ET) group. Below are some troubleshooting steps you can take. If none of these steps work, please reach out to ET for support.
Important Update – February 7, 2025
On Friday, February 7, 2025, Enterprise Technology implemented a change to the Cisco VPN service to enhance the sign-in experience.
This update has caused compatibility issues with alternate VPN clients such as OpenConnect. Users attempting to connect via OpenConnect may encounter authentication or connection errors.
To ensure a smooth and reliable VPN connection, we strongly recommend using the official Cisco VPN client, which can be obtained from: https://sslvpn.asu.edu
MacOS Users - See This Section
Ubuntu Users - See This Section
DNS
DNS and Routing
First, ensure that you are connected to the VPN. Once you are connected, a small globe with a lock icon will appear. Hovering over it will display the "connected" status.
Next, it's important to ensure that the VPN routes have been properly added to the system's routing tables. From Windows, you can execute the following command:
route print | findstr 10.126.16.0
This should return at least one line. If the output is blank, the routes have not been loaded on your system. (Note: this shows two lines, but one line is OK.)
Next, you may want to attempt to “ping” something on campus. You can try and ping the address: sol.asu.edu. This address is expected to return 10.139.120.2
ping sol.asu.edu
You may or may not receive a reply from the ping, but the address should be one of the 10.139.x.x addresses.
If you do not get this address (if you get a 206.207.50.x address), your DNS servers are not set up correctly.
If you are still having trouble you can check the DNS settings on your interface.
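The two checks above, applied to captured command output, as an added example that is not part of the original page: it parses the IPv4 rows of `route print`, confirms the 10.126.16.0 route is present, classifies the address sol.asu.edu resolved to, and reports which interface would carry that traffic (longest-prefix match). The sample routing table, its netmasks and the interface addresses are constructed; "10.139.x.x" and "206.207.50.x" are read as 10.139.0.0/16 and 206.207.50.0/24.

```python
import ipaddress
import re

VPN_ROUTE = ipaddress.ip_address("10.126.16.0")       # destination the page searches for
CAMPUS_NET = ipaddress.ip_network("10.139.0.0/16")    # "10.139.x.x" on the page (assumed /16)
PUBLIC_NET = ipaddress.ip_network("206.207.50.0/24")  # "206.207.50.x" on the page (assumed /24)
ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return [(network, interface, metric)] from the IPv4 rows of `route print`."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, _gateway, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, iface, int(metric)))
    return routes

def best_route(routes, addr):
    """Longest-prefix match, lowest metric on ties; None if nothing matches."""
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]), default=None)

def triage(route_print_text, resolved_ip):
    """Apply the page's checks to captured output; return (status, interface)."""
    routes = parse_routes(route_print_text)
    addr = ipaddress.ip_address(resolved_ip)
    hit = best_route(routes, addr)
    iface = hit[1] if hit else None
    if not any(net.network_address == VPN_ROUTE for net, _, _ in routes):
        return ("vpn-routes-missing", iface)
    if addr in CAMPUS_NET:
        return ("ok", iface)
    if addr in PUBLIC_NET:
        return ("dns-misconfigured", iface)
    return ("unexpected-address", iface)

# Constructed sample of `route print` output; every value except the
# 10.126.16.0 destination is made up for illustration.
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      35
      10.126.16.0    255.255.240.0       10.200.0.1     10.200.0.25       2
       10.139.0.0      255.255.0.0       10.200.0.1     10.200.0.25       2
      192.168.1.0    255.255.255.0          On-link    192.168.1.50     291
"""
```

Paste real `route print` output and the address returned by `ping sol.asu.edu` into `triage()` to get the same verdict for your own machine.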
Network DNS settings
From the start menu, search for “Network status” which will bring you to this page.
Select “change adapter options” and you will see this page.
From here, select the correct interface and go to properties. On a laptop, this might be a wireless connection; on a desktop, it would probably be called ethernet 1 or ethernet 2.
After going to properties, select Internet Protocol Version 4 and hit properties.
While connected to the VPN, your DNS servers should be set like this
If they are not, you can manually set this address now. (When you are not connected to the VPN, you may want to make sure this is set to “Obtain DNS server automatically”.)
System Software
If all of these steps fail, you will need to look at the different software packages installed on your machine. You may have a piece of software that is causing trouble. Other VPNs, Antivirus software, or DNS redirectors will all cause issues with the VPN. Please disable as many pieces of add-on software as you can to start narrowing down what could be causing the connection issue. If you are still having trouble, you will need to reach out to Enterprise Technology for assistance.
Systems With Docker Installed
If you are using the Cisco VPN and have Docker installed, Docker's default IP addresses will overlap and cause issues. You must change the default networks for Docker on the system; otherwise the Cisco VPN routes will not work correctly.
Create the file "/etc/docker/daemon.json" with the contents shown below.
Pick a private IP range, typically 192.168.x.x or 198.x.x.x. The size is the prefix length of the networks that will be carved out of the base and assigned to each bridge interface. In this example, a /15 netmask is used as the base and smaller /24 networks will be created out of it.
{
  "default-address-pools": [
    {"base": "198.19.0.0/15", "size": 24}
  ]
}
Then restart the Docker service.
You may also need to run: docker network prune
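An added example, not part of the original page or of Docker's own tooling: a Python check that reads "default-address-pools" from daemon.json text and reports any pool that overlaps a VPN route, falling back to Docker's built-in pools when none are configured. The built-in pool list and the VPN route prefixes are assumptions; substitute the routes your own routing table shows while the VPN is connected.

```python
import ipaddress
import json

# Docker's built-in pools, used when daemon.json sets no "default-address-pools"
# (assumption: values from Docker's documentation; verify for your version).
BUILTIN_POOLS = [
    {"base": "172.17.0.0/16", "size": 16},
    {"base": "172.18.0.0/16", "size": 16},
    {"base": "172.19.0.0/16", "size": 16},
    {"base": "172.20.0.0/14", "size": 16},
    {"base": "172.24.0.0/14", "size": 16},
    {"base": "172.28.0.0/14", "size": 16},
    {"base": "192.168.0.0/16", "size": 20},
]

def load_pools(daemon_json_text):
    """Return [(enclosing network, subnet size, base as written)] for each pool."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    pools = cfg.get("default-address-pools") or BUILTIN_POOLS
    out = []
    for p in pools:
        # strict=False accepts a base with host bits set and masks them off
        net = ipaddress.ip_network(p["base"], strict=False)
        if p["size"] < net.prefixlen:
            raise ValueError(f"size /{p['size']} is larger than base {net}")
        out.append((net, p["size"], p["base"]))
    return out

def check(daemon_json_text, vpn_routes):
    """List findings: bases with host bits set and pools overlapping a VPN route."""
    routes = [ipaddress.ip_network(r) for r in vpn_routes]
    findings = []
    for net, _size, written in load_pools(daemon_json_text):
        if written != str(net):
            findings.append(f"base {written} has host bits set; enclosing network is {net}")
        for r in routes:
            if net.overlaps(r):
                findings.append(f"pool {net} overlaps VPN route {r}")
    return findings

# Constructed inputs: the page's daemon.json and hypothetical VPN route prefixes.
PAGE_CONFIG = '{"default-address-pools":[{"base":"198.19.0.0/15","size":24}]}'
SAMPLE_VPN_ROUTES = ["10.126.16.0/20", "172.16.0.0/12"]

if __name__ == "__main__":
    for label, text in (("built-in pools", ""), ("page config", PAGE_CONFIG)):
        print(label, check(text, SAMPLE_VPN_ROUTES) or "no overlap")
```

With these sample routes the built-in 172.x pools all collide, while the page's configuration does not; the check also shows that the /15 enclosing 198.19.0.0 starts at 198.18.0.0.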
MacOS Systems
The VPN Service is Unavailable
A common error on MacOS systems is “Connect capability is unavailable because the VPN service is unavailable”.
This is a known issue with the Cisco VPN on MacOS. Enterprise Technology (ET) has provided a patch for this, and it is available from the ASU MyApps page under the heading “Is the SSL VPN failing to connect on your Mac?”
When using the patch from ET, you must right-click and select “Open” from the menu, otherwise an error will appear.
Alternatively, you can run the following commands on your Mac:
If prompted about blocked actions, click “Open System Settings”, and then “Allow” to allow the CiscoVPN to install the necessary network settings.
Then restart the Cisco VPN, and connect.
Uninstalling the VPN on MacOS
If you have to uninstall Cisco VPN, you will need to use the command line to remove it with the uninstall tool.
Disable IPv6 on MacOS
In the System Settings, search for “IPv6” and change the “Configure IPv6” option to “Manually”.
Ubuntu Systems
Missing Required Libraries
On newer Ubuntu systems, the default installations of Ubuntu and the CiscoVPN client do not include the libraries required for successful VPN connections. When attempting to connect to the VPN, you may encounter the following error:
To resolve this issue, install the missing webkit2gtk library from the Jammy repository by running the following commands:
Once installed, restart the CiscoVPN client and attempt to connect again.
Additional Troubleshooting for Visiting Student Accounts
Make sure the visiting student is subscribed to the VPN service by visiting selfsub.asu.edu and confirming that Secured network access (Cisco/Perfigo) is enabled. Subscribing at the bottom of the page may be necessary.
Once subscribed, users should visit sslvpn.asu.edu to log in and download/install the Cisco VPN client. If there's an existing download of the Cisco VPN, it may need to be deleted and then re-installed. After installing the client, you can access sslvpn.asu.edu/2FA for the address and will be prompted to log in.
The login process will prompt you to enter your ASURITE as the username, followed by your ASURITE password. Additionally, you will be required to input a “second password”. This is a 2FA code for Duo Two-Factor authentication. For this, simply type "push" to receive a push notification, select "phone" for a call, or enter a passcode from the app or text.
How To Fix WSL2 and Cisco AnyConnect VPN Internet Issue
The Problem
On WSL2, running 'sudo apt update' will fail when connected to the Cisco AnyConnect VPN, but without the VPN, it works perfectly. The issue arises from WSL's inability to resolve DNS while connected to AnyConnect.
The Solution
Connect to the Cisco AnyConnect VPN first, then open PowerShell as an Administrator and execute the following commands to retrieve all available DNS/nameservers. Make sure to take note of the DNS/nameservers for future reference.
Then, in the same PowerShell session, run the following command. This will retrieve the search domain that you will need later, along with the aforementioned nameservers.
Open Windows Subsystem for Linux (WSL) and execute the following commands.
Outside of WSL, change the Cisco AnyConnect metric from the default value of 1 to 6000 using PowerShell.
Restart WSL2 within the same elevated PowerShell session, and then you should be able to open WSL2 and establish an internet connection.
References
WSL2, problem with network connection when VPN used (PulseSecure) · Issue #5068 · microsoft/WSL
wsl 2 ubuntu 18.04 unable to connect to IP resources with Cisco Annyconnect active · Issue #4277 · microsoft/WSL
Additional Help