Troubleshooting The CiscoVPN

Overview

Cisco VPN is required to access Research Computing services, including the supercomputers.

Research Computing does not manage or maintain the CiscoVPN. It is maintained by the Enterprise Technology (ET) group. Below are some troubleshooting steps you can take. If none of these steps work, please reach out to ET for support.

DNS

DNS and Routing

First, ensure that you are connected to the VPN. Once you are connected, a small globe with a lock icon will appear. Hovering over it will display the "connected" status.

Next, it's important to ensure that the VPN routes have been properly added to the system's routing tables. From Windows, you can execute the following command:

 route print | findstr 10.126.16.0

This should return a line. If the output is blank, the routes have not been loaded on your system. (Note: this shows two lines, but one line is OK.)

Next, you may want to attempt to “ping” something on campus. You can try pinging the address sol.asu.edu. This address is expected to return 10.139.120.2.

ping sol.asu.edu

 

You may or may not receive a reply from the ping, but the address should be one of the 10.139.x.x addresses.

If you do not get this address (if you get a 206.207.50.x address) your DNS servers are not set up correctly.
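The route and DNS checks above can also be scripted. The following Python code is an added example, not part of the original page: it applies both checks to the text of `route print` and to the address that sol.asu.edu resolved to. The networks 10.139.0.0/16 and 206.207.50.0/24 stand for the 10.139.x.x and 206.207.50.x addresses mentioned above; the routing table and its netmasks are constructed sample data.

```python
import ipaddress

# Values taken from the troubleshooting steps on this page.
VPN_ROUTE = "10.126.16.0"
INTERNAL_NET = ipaddress.ip_network("10.139.0.0/16")    # 10.139.x.x
PUBLIC_NET = ipaddress.ip_network("206.207.50.0/24")    # 206.207.50.x

# Constructed sample of `route print` output (not captured from a real system).
SAMPLE_ROUTES = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     35
      10.126.16.0    255.255.240.0         On-link      10.126.20.7      2
      10.126.16.0    255.255.240.0      10.126.16.1     10.126.20.7      2
"""


def vpn_route_present(route_output, destination=VPN_ROUTE):
    """True if a routing-table row has `destination` as its first column."""
    # Compare the whole column rather than a substring of the line.
    return any(line.split()[:1] == [destination]
               for line in route_output.splitlines())


def classify_address(addr):
    """Classify the address that sol.asu.edu resolved to."""
    ip = ipaddress.ip_address(addr)
    if ip in INTERNAL_NET:
        return "internal"   # the campus address expected over the VPN
    if ip in PUBLIC_NET:
        return "public"     # the address seen when DNS is not set up correctly
    return "unexpected"


def diagnose(route_output, resolved_addr):
    """Apply the page's two checks in order and name the first one that fails."""
    if not vpn_route_present(route_output):
        return "VPN routes not loaded"
    kind = classify_address(resolved_addr)
    if kind == "internal":
        return "OK"
    if kind == "public":
        return "DNS servers not set up correctly"
    return "unexpected address " + resolved_addr


if __name__ == "__main__":
    print(diagnose(SAMPLE_ROUTES, "10.139.120.2"))
    print(diagnose(SAMPLE_ROUTES, "206.207.50.10"))
```

To use it on a live system, pass the saved output of `route print` and the address reported by `ping sol.asu.edu` to `diagnose`.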

If you are still having trouble you can check the DNS settings on your interface.

Network DNS settings

From the start menu, search for “Network status” which will bring you to this page.

 

Select the “change adapter options” and you will see this page

From here you will want to select the correct interface and go to properties. If you are on a laptop, this might be a wireless connection; on a desktop, this would probably be called ethernet 1 or ethernet 2.

After going to properties, select Internet Protocol Version 4 and hit properties

While connected to the VPN, your DNS servers should be set like this

If they are not, you can manually set this address now. (When you are not connected to the VPN, you may want to make sure this is set to “Obtain DNS server automatically”.)

System Software

If all of these steps fail, you will need to look at the different software packages installed on your machine. You may have a piece of software that is causing trouble. Other VPNs, Antivirus software, or DNS redirectors will all cause issues with the VPN. Please disable as many pieces of add-on software as you can to start narrowing down what could be causing the connection issue. If you are still having trouble, you will need to reach out to Enterprise Technology for assistance.

Systems With Docker Installed

If you are using the Cisco VPN and have Docker installed, Docker's default IP addresses will overlap and cause issues. You must change the default networks for Docker on the system; otherwise the Cisco VPN routes will not work correctly.

Create the file "/etc/docker/daemon.json" with the following contents (pick a private IP range, typically 192.168.x.x or 198.x.x.x). The size is the prefix length of the networks that will be carved out of the base and assigned to each bridge interface. In this example, a /15 netmask is used as the base, and smaller /24 networks will be created out of it.

{   "default-address-pools":   [     {"base":"198.19.0.0/15","size":24}   ] }

Then restart the docker service.

You may also need to run: docker network prune
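To see which address pools collide with the VPN before and after this change, the following added Python example (not part of the original page) compares Docker's built-in default pools and the daemon.json above against a list of VPN routes. The VPN routes in it are constructed placeholders; replace them with the networks your routing table shows while the VPN is connected.

```python
import ipaddress
import json

# Docker's built-in pools, written in daemon.json form.
DEFAULT_POOLS = json.loads("""{"default-address-pools": [
  {"base": "172.17.0.0/16", "size": 16}, {"base": "172.18.0.0/16", "size": 16},
  {"base": "172.19.0.0/16", "size": 16}, {"base": "172.20.0.0/14", "size": 16},
  {"base": "172.24.0.0/14", "size": 16}, {"base": "172.28.0.0/14", "size": 16},
  {"base": "192.168.0.0/16", "size": 20}]}""")

# The daemon.json from this page.
PAGE_POOLS = json.loads(
    '{"default-address-pools": [{"base": "198.19.0.0/15", "size": 24}]}')

# Constructed VPN routes for illustration only; substitute the networks listed
# by `ip route` or `route print` while the VPN is connected.
SAMPLE_VPN_ROUTES = ["10.0.0.0/8", "172.16.0.0/12"]


def expand_pools(config):
    """Return (containing network, number of bridge subnets) for each pool."""
    out = []
    for pool in config["default-address-pools"]:
        # strict=False masks host bits: the /15 block that contains
        # 198.19.0.0 starts at 198.18.0.0.
        base = ipaddress.ip_network(pool["base"], strict=False)
        if pool["size"] < base.prefixlen:
            raise ValueError(f"size /{pool['size']} does not fit inside {base}")
        out.append((base, 2 ** (pool["size"] - base.prefixlen)))
    return out


def conflicts(config, vpn_routes):
    """List (pool, route) pairs whose address ranges overlap."""
    routes = [ipaddress.ip_network(r) for r in vpn_routes]
    return [(str(base), str(route))
            for base, _ in expand_pools(config)
            for route in routes if base.overlaps(route)]


if __name__ == "__main__":
    print("defaults:   ", conflicts(DEFAULT_POOLS, SAMPLE_VPN_ROUTES))
    print("page config:", conflicts(PAGE_POOLS, SAMPLE_VPN_ROUTES))
    print("page pools: ", expand_pools(PAGE_POOLS))
```

Note that 198.19.0.0/15 is not on a /15 boundary: the block that contains it runs from 198.18.0.0 to 198.19.255.255, which gives 512 networks of size /24.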

MacOS Systems

The VPN Service is Unavailable

A common error on MacOS systems is “Connect capability is unavailable because the VPN service is unavailable”.

This is a known issue with the Cisco VPN on MacOS. Enterprise Technology (ET) has provided a patch for this, and it is available from the ASU MyApps page under the heading “Is the SSL VPN failing to connect on your Mac?”

When using the patch from ET, you must right-click and select “Open” from the menu, otherwise an error will appear.

Alternatively, you can run the following commands on your Mac:

If prompted about blocked actions, click “Open System Settings”, and then “Allow” to allow the CiscoVPN to install the necessary network settings.

Then restart the Cisco VPN, and connect.

 

Uninstalling the VPN on MacOS

If you have to uninstall Cisco VPN, you will need to use the command line to remove it with the uninstall tool.

Disable IPv6 on MacOS

In the System Settings, search for “IPv6” and change the “Configure IPv6” option to “Manually”.

 

Additional Troubleshooting for Visiting Student Accounts

Make sure the visiting student is subscribed to the VPN service by visiting selfsub.asu.edu and confirming that Secured network access (Cisco/Perfigo) is enabled. Subscribing at the bottom of the page may be necessary.

Once subscribed, users should visit sslvpn.asu.edu to log in and download/install the Cisco VPN client. If there's an existing download of the Cisco VPN, it may need to be deleted and then re-installed. After installing the client, you can access sslvpn.asu.edu/2FA for the address and will be prompted to log in.

The login process will prompt you to enter your ASURITE as the username, followed by your ASURITE password. Additionally, you will be required to input a “second password”. This is a 2FA code for Duo Two-Factor authentication. For this, simply type "push" to receive a push notification, select "phone" for a call, or enter a passcode from the app or text.

How To Fix WSL2 and Cisco AnyConnect VPN Internet Issue

The Problem

On WSL2, running 'sudo apt update' will fail when connected to the Cisco AnyConnect VPN, but without the VPN, it works perfectly. The issue arises from WSL's inability to resolve DNS while connected to AnyConnect.

The Solution

  1. Connect to the Cisco AnyConnect VPN first, then open PowerShell as an Administrator and execute the following commands to retrieve all available DNS/nameservers. Make sure to take note of the DNS/nameservers for future reference.

  2. Then, in the same PowerShell session, run the following command. This will retrieve the search domain that you will need later, along with the aforementioned nameservers.

  3. Open Windows Subsystem for Linux (WSL) and execute the following commands.

  4. Outside of WSL, change the Cisco AnyConnect metric from the default value of 1 to 6000 using PowerShell.

  5. Restart WSL2 within the same elevated PowerShell session, and then you should be able to open WSL2 and establish an internet connection.

References

WSL2 , problem with network connection when VPN used (PulseSecure) · Issue #5068 · microsoft/WSL

wsl 2 ubuntu 18.04 unable to connect to IP resources with Cisco Annyconnect active · Issue #4277 · microsoft/WSL

Using an Alternate Client

Openconnect on Ubuntu23

 

Step #1: Open the terminal and enter the following command to install the OpenConnect network manager:

 

Step #2: Click on the Network icon in the top corner, and then click the settings gear to open the network settings. Then click the “+” sign next to VPN.

 

Step #3: Select Multi-protocol VPN client (openconnect).

 

Step #4: Enter the following info:

 

Step #5: Click on IPv6 and select Disable. Then click “Add” on the top right side.

 

Step #6: Your VPN profile has been created. Turn on its switch to connect to the VPN.

 

Step #8: Enter your ASURITE in the Username box, put your ASURITE password in the first password box, and then enter your DUO method in the second password box, for example “push” for a push notification to your device. Once these have been entered, click on “Login”.

Openconnect on MacOS

  1. Install Homebrew

  2. Open a terminal window and install Openconnect and Openconnect-GUI via homebrew

  3. Run Openconnect-GUI (you will need to right-click on the icon and choose open the first time you launch it)

  4. Click on the Gear icon and choose New Profile (advanced)

 Enter the following:

Name: ASU Cisco VPN

Username: yourasurite

Click Save

Click Connect

 

The first time you try to connect it will pop up this window.

 

  1. Click Accurate Information

  2. Click Connect again. The first password dialog is your ASURITE password.

  3. Click OK. The second password is your preferred two-factor authentication method, i.e. Push, Phone

On successful login the Lock icon will turn Green.

Additional Help