Cisco AnyConnect Secure Mobility Client on OS X Yosemite - VPN not working if the Mac is connected via Iphone HotSpot

Yes, I am sorry to say that several people have seen the same issue. It seems like the issue is specific to Yosemite and Anyconnect. My very technical staff and I have tried many things. The default route is missing and the file /var/run/resolv.conf is also missing which means that both the route and DNS server are messed up. We re-added the default route manually which allows us to ping the servers and even access them via the IP address

Run the command below before starting the VPN to get the default route

netstat -nr | grep default

Then run the following to re-add the default route.
route add default xxx.xxx.xxx.xxx

BUT there is no way that I can find to fix the DNS entry.

We tried re-adding the DNS entries in the /var/run/resolv.conf and then restarting the DNS service

$ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.discoveryd.plist

Password:

$ sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.discoveryd.plist

BUT THIS DOES NOT WORK!

If anyone can help us solve the DNS issue, at least we have a work-around for our technical people until Cisco and/or Apple can resolve it.

Here is a link to the same issue at Cisco.

https://supportforums.cisco.com/discussion/12334071/cisco-anyconnect-secure-mobi lity-client-os-x-yosemite-vpn-not-working-if-mac

Any update on this?

Not that I am aware of.

Still nothing from Apple or Cisco on this. Has anyone found any fix or walk round?

Just cross posting here to confirm I have and suffer greatly from this issue....

help please....

All - I have a solution for this problem.

In your AnyConnect Group Policy, go to Advanced > Split Tunneling

for "DNS Names" uncheck "inherit" and manually define your LAN's internal DNS domain name.

for "Send All DNS Lookups Through Tunnel" uncheck "inherit" and manually select "no".

For reasons i've not yet figured out, Yosemite does not like tunneling all DNS lookups through the tunnel.

If this is a sticking point for your environment, you may need to define a separate Group Policy for your OS X users until Cisco/Apple figure out their bug.

Here's the fix: You need to disable IPV6 on the mac.

open a terminal

type this on one line:

networksetup -setv6off Wi-Fi

That will disable IPV6. Now it works.

This is a Verizon problem only. AT&T doesn't give IPV6 addresses to the tethered computer. But Verizon does.

Eric

This has me close. I can now browse the internet.

But it isn't resolving addresses on the VPN network that are closed to that network (no external IPs).

Even though we put our internal DNS server addresses in the Split-Tunneling DNS Names.

Any Idea?

I think tethering + AnyConnect is working for me again with the recent iOS 8.2 update!

Hi,

I just wondered if anyone had found a solution to this issue? I have macbook pro with Yosemite and iphone which I use as a hotspot and i really need to be able to vpn to work for out of hours support work, this issue is making it impossible though atm.

Andy.

Option #1 -- IF tunneling IPv4 traffic only --> Configure SplitInclude (tunnelspecified) policy *AND* enable "Client Bypass Protocol" on ASA Group Policy. Confirm the Group Policy is for IPv4 only with no IPv6 Tunnel List and no IPv6 Address Pool configurations.

Option #2 -- IF tunneling BOTH IPv4 and IPv6 - Configure SplitInclude (tunnelspecified) policy for BOTH IPv4 and IPv6 (includes both IPv4 and IPv6 Tunnel Lists and Address Pools). "Client Bypass Protocol" should remain the default which is disabled.

Option #3 -- (which may not be an option or the desired) --> Configure a Tunnel-All Policy

NOTE: No modifications to the AnyConnect Client are required.

Good Luck

I figured this out, the issue is Anyconnect remove the resolve.conf to cause DNS resolution fail, and the reason for anyconnect to remove that file is because of the DTLS bug, so disable the DTLS and enforce the traffic go under TLS will make it work.