Voltar1286

Q: Cisco AnyConnect Secure Mobility Client on OS X Yosemite - VPN not working if the Mac is connected via iPhone hotspot

I have encountered a strange situation with Yosemite and Cisco AnyConnect Secure Mobility Client (version 3.1.002026).

If the Mac is using the internet connection of the iPhone (via WiFi or USB), when I connect with the client everything stops working, from the Internet to the traffic over the tunnel. If I disconnect from the VPN, all is well. The VPN tunneling using the VPN client works just fine if I connect to my home WiFi.

I've tested the same iPhone (several iPhones, in fact) on a Surface Pro 2 and VPN tunneling works just fine through the hotspot. The issue appears to be specific to Yosemite.

One more thing: VPN tunneling through the iPhone hotspot was working just fine on the same laptop (MacBook Air) when it was running Mavericks.

Anyone seeing the same thing?

MacBook Air, OS X Yosemite (10.10)

Posted on Oct 30, 2014 3:44 PM


  • by shulmda, Nov 1, 2014 10:08 AM, in response to Voltar1286

    Yes, I am sorry to say that several people have seen the same issue. It seems like the issue is specific to Yosemite and AnyConnect. My very technical staff and I have tried many things. The default route is missing and the file /var/run/resolv.conf is also missing, which means that both the route and the DNS server are messed up. We re-added the default route manually, which allows us to ping the servers and even access them via the IP address.

    Run the command below before starting the VPN to get the default route:

    netstat -nr | grep default

    Then run the following to re-add the default route:

    sudo route add default xxx.xxx.xxx.xxx

    BUT there is no way that I can find to fix the DNS entry.

    We tried re-adding the DNS entries in /var/run/resolv.conf and then restarting the DNS service:

    sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.discoveryd.plist
    sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.discoveryd.plist

    BUT THIS DOES NOT WORK!

    If anyone can help us solve the DNS issue, at least we have a work-around for our technical people until Cisco and/or Apple can resolve it.

    Here is a link to the same issue at Cisco.

    https://supportforums.cisco.com/discussion/12334071/cisco-anyconnect-secure-mobility-client-os-x-yosemite-vpn-not-working-if-mac
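
The two steps in the post above (record the IPv4 default gateway before connecting, re-add it after AnyConnect drops it) as one script. This is an added example written for this page, not shulmda's own script; it assumes the routing-table layout of `netstat -rn -f inet` on OS X, and the two tables embedded in it are constructed (172.20.10.1 is the address an iPhone Personal Hotspot uses as gateway; 203.0.113.5 is a documentation address standing in for the VPN headend). The parser functions run anywhere; the live path, which calls netstat and route, only runs when the script is invoked with `--live` on a Mac.

```shell
#!/bin/sh
# Added example for this page (not shulmda's script). Snapshot the IPv4 default
# gateway before AnyConnect connects; put it back if the client removes it.
# Assumes OS X `netstat -rn -f inet` output; both tables below are constructed.

default_gw() {
    # Print the first IPv4 default gateway in the routing-table text $1.
    # Requiring a dotted quad skips IPv6 "default" rows (plain `netstat -nr`
    # prints those too) and interface entries such as "link#4".
    printf '%s\n' "$1" | awk '
        $1 == "default" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2; exit }'
}

have_default_route() {
    # True when the table text $1 contains an IPv4 default route.
    [ -n "$(default_gw "$1")" ]
}

restore_gateway() {
    # Re-add the default route via gateway $1. route(8) needs root on OS X;
    # -n suppresses name lookups, which would stall while resolv.conf is gone.
    sudo route -n add default "$1"
}

# Constructed: table on a Mac tethered to an iPhone hotspot, before the VPN is up.
TABLE_BEFORE='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            172.20.10.1        UGSc           14        0     en0
127                127.0.0.1          UCS             0        0     lo0
172.20.10/28       link#4             UCS             1        0     en0
172.20.10.1/32     link#4             UCS             1        0     en0'

# Constructed: the same Mac after AnyConnect connected and the default route
# vanished. Only the host route to the headend (203.0.113.5) is left behind.
TABLE_AFTER='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
127                127.0.0.1          UCS             0        0     lo0
172.20.10/28       link#4             UCS             1        0     en0
203.0.113.5/32     172.20.10.1        UGHS            0        0     en0'

main() {
    gw=$(default_gw "$(netstat -rn -f inet)")
    if [ -z "$gw" ]; then
        echo "no IPv4 default route before connecting; nothing to save" >&2
        exit 1
    fi
    echo "saved default gateway $gw; connect AnyConnect, then press Enter"
    read -r _
    if have_default_route "$(netstat -rn -f inet)"; then
        echo "default route survived the connection; nothing to do"
    else
        echo "default route is gone; re-adding it via $gw"
        restore_gateway "$gw"
    fi
}

# Run the live flow only when asked, so the functions can be sourced or tested.
if [ "${1:-}" = "--live" ]; then
    main
fi
```

Restoring the route only brings back IP reachability, which matches what the post reports: name resolution stays broken until the group policy is changed on the ASA side.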

  • by gavinfromdurham, Nov 12, 2014 1:14 AM, in response to Voltar1286

    Any update on this?

  • by shulmda, Nov 19, 2014 12:02 PM, in response to gavinfromdurham

    Not that I am aware of.

  • by gavinfromdurham, Jan 7, 2015 5:23 AM, in response to Voltar1286

    Still nothing from Apple or Cisco on this. Has anyone found any fix or work-around?

  • by Rufessor, Jan 7, 2015 8:34 PM, in response to gavinfromdurham

    Just cross-posting here to confirm that I have, and suffer greatly from, this issue....

    Help please....

  • by quadrinary, Jan 12, 2015 12:29 PM, in response to Voltar1286

    All - I have a solution for this problem.

    In your AnyConnect Group Policy, go to Advanced > Split Tunneling.

    For "DNS Names", uncheck "inherit" and manually define your LAN's internal DNS domain name.

    For "Send All DNS Lookups Through Tunnel", uncheck "inherit" and manually select "no".

    For reasons I've not yet figured out, Yosemite does not like tunneling all DNS lookups through the tunnel.

    If this is a sticking point for your environment, you may need to define a separate Group Policy for your OS X users until Cisco/Apple figure out their bug.

  • by Rosebud-YT, Jan 27, 2015 12:41 PM, in response to Voltar1286

    Here's the fix: You need to disable IPv6 on the Mac.

    Open a terminal and type this on one line:

    networksetup -setv6off Wi-Fi

    That will disable IPv6. Now it works.

    This is a Verizon problem only. AT&T doesn't give IPv6 addresses to the tethered computer. But Verizon does.

    Eric
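
A way to tell, before touching anything, whether the situation in this post applies to the Mac in front of you: the workaround only matters when the carrier hands the tethered computer a routable IPv6 address. This is an added example for this page, not Rosebud-YT's script. It assumes the `ifconfig` output format of OS X and the `networksetup -setv6off` / `-setv6automatic` switches; the two interface dumps embedded in it are constructed and use the 2001:db8::/32 documentation prefix. The parsing functions run anywhere; `apply_v6_workaround` is only meant to be called by hand on a Mac.

```shell
#!/bin/sh
# Added example for this page (not Rosebud-YT's). Check the hotspot interface
# for a carrier-assigned IPv6 address before disabling IPv6 on the service.
# Assumes OS X `ifconfig` output; the samples below are constructed.

routable_v6_addrs() {
    # Print the inet6 addresses in ifconfig text $1 that are neither
    # link-local (fe80::/10) nor loopback, with any %zone suffix removed.
    # Every interface has a link-local address and it never leaves the
    # segment, so only the remaining ones are what an IPv4-only tunnel
    # leaves outside the VPN.
    printf '%s\n' "$1" | awk '
        $1 == "inet6" {
            a = tolower($2); sub(/%.*/, "", a)
            if (a ~ /^fe[89ab]/ || a == "::1") next
            print a
        }'
}

has_routable_v6() {
    [ -n "$(routable_v6_addrs "$1")" ]
}

# Live use on a Mac (not run here). $1 is the interface (en0 for Wi-Fi; the
# "iPhone USB" adapter appears as a higher en number), $2 the matching
# networksetup service name ("Wi-Fi" or "iPhone USB"; see
# `networksetup -listallnetworkservices`).
apply_v6_workaround() {
    iface=$1; service=$2
    if has_routable_v6 "$(ifconfig "$iface")"; then
        echo "carrier-assigned IPv6 on $iface:"
        routable_v6_addrs "$(ifconfig "$iface")"
        # This setting persists in the service configuration; undo it later
        # with: sudo networksetup -setv6automatic "$service"
        sudo networksetup -setv6off "$service"
    else
        echo "only link-local IPv6 on $iface; the -setv6off workaround does not apply"
    fi
}

# Constructed: tethered to a carrier that assigns IPv6 (the Verizon case).
IFCONFIG_V6='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether a4:5e:60:c1:2b:7f
        inet6 fe80::a65e:60ff:fec1:2b7f%en0 prefixlen 64 scopeid 0x4
        inet 172.20.10.2 netmask 0xfffffff0 broadcast 172.20.10.15
        inet6 2001:db8:abcd:1:a65e:60ff:fec1:2b7f prefixlen 64 autoconf
        inet6 2001:db8:abcd:1:c0a3:41bb:8a1f:12de prefixlen 64 autoconf temporary
        status: active'

# Constructed: an IPv4-only carrier; the only inet6 line is link-local.
IFCONFIG_V4ONLY='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether a4:5e:60:c1:2b:7f
        inet6 fe80::a65e:60ff:fec1:2b7f%en0 prefixlen 64 scopeid 0x4
        inet 172.20.10.2 netmask 0xfffffff0 broadcast 172.20.10.15
        status: active'
```

Turning IPv6 off on the service is a client-side workaround for a policy problem on the headend: it removes the address family the tunnel does not carry rather than tunneling it, and it stays in effect for that service until reverted.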

  • by schurrfromin, Feb 19, 2015 11:23 AM, in response to quadrinary

    This has me close. I can now browse the internet.

    But it isn't resolving addresses on the VPN network that are closed to that network (no external IPs).

    Even though we put our internal DNS server addresses in the Split-Tunneling DNS Names.

    Any idea?

  • by George Crawford, Mar 12, 2015 6:43 AM, in response to Voltar1286

    I think tethering + AnyConnect is working for me again with the recent iOS 8.2 update!

  • by andyh_1983, Apr 14, 2015 3:23 AM, in response to Voltar1286

    Hi,

    I just wondered if anyone had found a solution to this issue? I have a MacBook Pro with Yosemite and an iPhone which I use as a hotspot, and I really need to be able to VPN to work for out-of-hours support work; this issue is making it impossible though atm.

    Andy.

  • by iacuser, Apr 30, 2015 2:09 PM, in response to andyh_1983

    Option #1 -- IF tunneling IPv4 traffic only --> Configure SplitInclude (tunnelspecified) policy *AND* enable "Client Bypass Protocol" on ASA Group Policy. Confirm the Group Policy is for IPv4 only with no IPv6 Tunnel List and no IPv6 Address Pool configurations.

    Option #2 -- IF tunneling BOTH IPv4 and IPv6 --> Configure SplitInclude (tunnelspecified) policy for BOTH IPv4 and IPv6 (includes both IPv4 and IPv6 Tunnel Lists and Address Pools). "Client Bypass Protocol" should remain the default, which is disabled.

    Option #3 -- (which may not be an option or the desired one) --> Configure a Tunnel-All Policy

    NOTE: No modifications to the AnyConnect Client are required.

    Good Luck
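
What quadrinary's ASDM steps (Advanced > Split Tunneling) and iacuser's Option #1 and Option #2 look like on the ASA command line, as an added example for this page rather than configuration posted by either of them or copied from Cisco documentation. Every name and address in it is a placeholder: the OSX_HOTSPOT_V4 and DUALSTACK_V46 group policies, the SPLIT_V4 and SPLIT_V46 access lists, the VPN_POOL_V4 and VPN_POOL_V6 pools, corp.example.com with resolvers 10.0.0.53 and 10.0.0.54, the 10.0.0.0/8 and 2001:db8:10::/48 internal ranges, and the REMOTE_ACCESS connection profile. The unified IPv4/IPv6 access list form assumes ASA 9.0 or later.

```cisco
! Added example (not from the thread or from Cisco). Placeholder names and
! addresses throughout; the unified ACL needs ASA 9.0 or later.

! Address pools the policies hand out
ip local pool VPN_POOL_V4 10.8.0.10-10.8.0.250 mask 255.255.255.0
ipv6 local pool VPN_POOL_V6 2001:db8:ffff::10/64 200

! IPv4-only split-include list (what enters the tunnel)
access-list SPLIT_V4 standard permit 10.0.0.0 255.0.0.0

! Unified IPv4+IPv6 split-include list for the dual-stack policy
access-list SPLIT_V46 extended permit ip any4 10.0.0.0 255.0.0.0
access-list SPLIT_V46 extended permit ip any6 2001:db8:10::/48

! --- Option #1: IPv4-only tunnel; IPv6 from the hotspot bypasses the VPN ---
! ASDM mapping:
!   Split Tunneling > "DNS Names" (inherit unchecked)        -> split-dns value
!   Split Tunneling > "Send All DNS Lookups Through Tunnel" = No
!                                                            -> split-tunnel-all-dns disable
!   Split Tunneling > Policy = Tunnel Network List Below     -> split-tunnel-policy tunnelspecified
!   AnyConnect Client > "Client Bypass Protocol" = Enable    -> client-bypass-protocol enable
! No IPv6 pool and no IPv6 entries in the network list, as iacuser specifies.
group-policy OSX_HOTSPOT_V4 internal
group-policy OSX_HOTSPOT_V4 attributes
 dns-server value 10.0.0.53 10.0.0.54
 default-domain value corp.example.com
 split-dns value corp.example.com
 split-tunnel-all-dns disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_V4
 address-pools value VPN_POOL_V4
 client-bypass-protocol enable

! --- Option #2: tunnel both families; client-bypass-protocol stays disabled ---
group-policy DUALSTACK_V46 internal
group-policy DUALSTACK_V46 attributes
 dns-server value 10.0.0.53 10.0.0.54
 default-domain value corp.example.com
 split-dns value corp.example.com
 split-tunnel-all-dns disable
 split-tunnel-policy tunnelspecified
 ipv6-split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_V46
 address-pools value VPN_POOL_V4
 ipv6-address-pools value VPN_POOL_V6
 client-bypass-protocol disable

! Attach one of the two to the AnyConnect connection profile
tunnel-group REMOTE_ACCESS general-attributes
 default-group-policy OSX_HOTSPOT_V4
```

Two points to check when applying this. `split-dns value` takes domain suffixes, not server addresses; the resolvers go in `dns-server value` and must fall inside the split-include list, otherwise the client cannot reach them through the tunnel and internal names fail to resolve. `client-bypass-protocol` decides what the client does with traffic of an address family for which the ASA assigned no address: enabled, that traffic goes in the clear over the hotspot, which is what makes Option #1 usable but also means the Mac's IPv6 traffic never enters the VPN; disabled (the default), it is dropped, which on an IPv4-only policy fits the symptom Rosebud-YT traces to carrier-assigned IPv6. Option #2 avoids the trade-off by tunneling both families.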