
Why is Cisco AnyConnect VPN not working with Yosemite MBP tethered to iPhone 6?

We've encountered an issue here at the office and have found several online threads with the same problem (such as the Cisco forums):


The combination of a Mac running Yosemite (in my case MBP) tethered to an iPhone 6 (running OS8) won't allow the Cisco AnyConnect VPN client to work properly. Once logged in to my VPN account the MBP loses all internet and file server access. So far I've only tested on iPhones with Verizon service.


Yosemite MBP and Verizon hotspot device? Works!

Mavericks MBP and iPhone 6? Works!

But no instance of Yosemite MBP and Verizon iPhone 6 has successfully worked.


There was a suggestion to disable ipv6 on the MBP, which I did, but this didn't work either.

I've tested on the three most recent versions of AnyConnect, up to 3.1.06...


Anyone else encountering this? Anyone with a fix?


Thanks!

MacBook Pro with Retina display, iOS 8.1.2

Posted on Dec 16, 2014 2:37 PM

Question marked as Top-ranking reply

Posted on Jan 27, 2015 12:40 PM

Here's the fix: You need to disable IPV6 on the mac.


open a terminal

type this on one line:

networksetup -setv6off Wi-Fi


That will disable IPV6. Now it works.


This is a Verizon problem only. AT&T doesn't give IPV6 addresses to the tethered computer. But Verizon does.


Eric

19 replies

Jan 7, 2015 10:51 AM in response to michaeldynamo

Yep, have this issue too and so do many others (like Cisco AnyConnect Secure Mobility Client on OS X Yosemite - VPN not working if the Mac is connected via Iphone HotSpot and Yosemite, iPhone Hotspot and Cisco AnyConnect as well as many over at the Cisco forums). Given that the problem is specific to Yosemite, I'm looking to Apple to address the problem, but assume we'll have to wait on them for that.


My "workaround" is to connect and then remote to a system in our Data Center by IP, but it's a less-than-ideal solution. Would love to hear a workable DNS fix if anyone finds it.

Jan 7, 2015 8:27 PM in response to OkiePilgrim

I can confirm this is indeed broken....



Sitting here right now with a brand spankin new MacBook Pro Retina with basically no mods.. it's all Apple... and a new iPhone 6 and Cisco AnyConnect.


I actually can also say that regardless of which device runs cisco any connect (I have on phone and computer) the personal hotspot connection does not work as VPN. I have one other piece of information... the last bit.


If I connect THIS WAY-

Anyconnect on Macbook connected to personal hotspot on phone but NO VPN on phone.

Internet connectivity is there right up to the moment my VPN connects.... then it's GONE.... Safari displays the NO internet connection message... it's like you flipped the off switch... however, as SOON as I terminate the Cisco AnyConnect connection -you do NOT need to shut down the app, just close the connection... so Cisco AnyConnect thinks it's CONNECTED- the application is not stuck, its green light is connected and I can disconnect "normally"- the internet connection on the MacBook Pro comes right back.


IF instead I connect THIS WAY

NOW... shut down any connect on the macbook pro... turn on any connect in the phone, connect...

I now have internet connectivity on the MacBook Pro.... using the VPN configured phone as a personal hotspot... but it's not working as a tunnel into the subnet like it's supposed to... I cannot connect via terminal to any number of servers that I normally can connect to with Cisco AnyConnect on the MacBook Pro and a more typical 4G wireless router config for internet...


Now the LAST BIT

When connected the second way, from the computer terminal I can ping Google.. but cannot ping servers inside the subnet the phone is connected to.. I note that my Cisco AnyConnect VPN is typically configured to be 1 sided, that is to say that the VPN tunnel is used only for local traffic... so even when I am VPN connected and all things are working, if I switch from an internal (VPN walled) server to Google my traffic bypasses VPN to avoid unnecessary traffic on a heavily utilized VPN connection.


I am uncertain what to conclude, but this much is true- VPN from the macbook via cisco any connect using the new OS (up to date TODAY) is DEAD and KILLS all external connections.


VPN on the phone seems to be working. I am unsure how the VPN client is interpreting traffic through the personal hotspot, but it's certainly not letting the personal hotspot traffic use the VPN tunnel... but this may be normal. It is probably not trivial to know if this is normal, or a further indication of a problem with the MacBook Pro OS.

Jan 12, 2015 12:34 PM in response to michaeldynamo

All - I have a solution for this problem.


In your AnyConnect Group Policy, go to Advanced > Split Tunneling


for "DNS Names" uncheck "inherit" and manually define your LAN's internal DNS domain name.


for "Send All DNS Lookups Through Tunnel" uncheck "inherit" and manually select "no".


For reasons I've not yet figured out, Yosemite does not like tunneling all DNS lookups through the tunnel.


If this is a sticking point for your environment, you may need to define a separate Group Policy for your OS X users until Cisco/Apple figure out their bug.


Good luck!


-Tim

Mar 13, 2015 5:16 PM in response to quadrinary

I can confirm that this workaround worked for me on an ASA5505 running 9.2(2), but not on an ASA5510 running 8.4(5). The only difference in the group-policy configurations between the two is that I have "client-bypass-protocol enable" set on the 5505 running 9.2(2), but this does not seem to be available on the 5510 running 8.4(5).


I plan to upgrade the 5510 to 9.1.6 sometime next week and see if this command is supported (or even needed) for this workaround to work.


In detail, what I'm seeing on my Yosemite client when it's NOT working is:

- /etc/resolv.conf is not found

- scutil --dns shows the iPhone IP as nameserver[0] with no other nameservers listed

- netstat -nr shows the default route with the "I" flag added. This flag is not present when AnyConnect is not connected, nor when connected to my workaround-enabled 5505 running 9.2(2).


The above behavior is the same whether I am tethered via USB or via wi-fi. I've not attempted bluetooth tethering yet, but I'm suspecting the result may be the same.


Existing connections continue to work, but opening any new connections to anything not through the VPN fails with a "network is unreachable" or similar unreachable message. I haven't tried this with split-tunneling disabled since that would not be a viable solution in my case anyway. Re-adding the default route seems to get traffic flowing, but nothing I've tried has gotten the dns resolver to work. It's possible to use the dig, host, or nslookup commands and reference a specific dns server over the tunnel though, but that doesn't help too much for trying to use applications locally.


Since starting to write this, I stumbled upon this Cisco technote: http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116016-technote-AnyConnect-00.html that references an older bug https://tools.cisco.com/bugsearch/bug/CSCtz86314 . My symptoms seem to be exactly as described in these docs and then some. Both do mention that version 9.0 or better is needed for the workaround to work though.


Hopefully, my 5510 will fare better following the upgrade next week.



My 5505's group-policy settings, for reference:


group-policy vpn1_policy attributes
 dns-server value 172.24.0.128 172.24.0.129
 vpn-simultaneous-logins 2
 vpn-idle-timeout 10
 vpn-filter value vpn1-acl
 vpn-tunnel-protocol ssl-client
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn1-acl
 default-domain value xnxnxn.com
 split-tunnel-all-dns disable
 client-bypass-protocol enable
 webvpn
  anyconnect keep-installer installed
  anyconnect ssl keepalive 290
  anyconnect dpd-interval client 10
  anyconnect dpd-interval gateway 30
  anyconnect ask none default anyconnect
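Added triage helpers, not code from this thread nor from Cisco or Apple: they parse the output of the three Mac-side checks the replies above rely on (netstat -nr for the "I" flag on the default route, scutil --dns for a resolver list holding only the iPhone, and networksetup -getinfo Wi-Fi for whether IPv6 is still on). The sample outputs, the 172.20.10.x hotspot addresses and the "IPv6: Off" line format are constructed assumptions; on a Mac, pipe the live command output into the same functions.

```shell
#!/bin/sh
# Each function reads the output of the named macOS command from stdin,
# so it can be checked against constructed samples offline.

# Prints 1 if an IPv4 default route carries the "I" flag, else 0.
default_route_has_I_flag() {   # input: netstat -nr
    awk '/^Internet6:/ { exit }
         $1 == "default" && index($3, "I") { found = 1 }
         END { print (found ? 1 : 0) }'
}

# Prints every nameserver scutil --dns lists, one per line.
scutil_nameservers() {         # input: scutil --dns
    awk '/nameserver\[[0-9]+\]/ { print $3 }'
}

# Prints 1 if the expected internal DNS server ($1) is absent from the
# resolver list (the "only the iPhone as nameserver[0]" symptom), else 0.
missing_internal_dns() {
    if scutil_nameservers | grep -qx "$1"; then echo 0; else echo 1; fi
}

# Prints 0 when the service reports "IPv6: Off" (assumed format), else 1.
ipv6_enabled() {               # input: networksetup -getinfo Wi-Fi
    awk -F': ' '$1 == "IPv6" { print ($2 == "Off" ? 0 : 1); seen = 1; exit }
                END { if (!seen) print 1 }'
}

# Constructed samples mimicking the broken state described in the thread.
NETSTAT_BROKEN='Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            172.20.10.1        UGScI           3        0     en0
172.20.10/28       link#5             UCS             1        0     en0
Internet6:
default            fe80::%utun0       UGcI          utun0'
SCUTIL_BROKEN='DNS configuration
resolver #1
  nameserver[0] : 172.20.10.1
  if_index : 5 (en0)'
GETINFO_BROKEN='DHCP Configuration
IP address: 172.20.10.2
Router: 172.20.10.1
IPv6: Automatic'

triage() {   # $1 netstat, $2 scutil, $3 getinfo, $4 expected internal DNS
    printf 'default route has I flag: %s\n' "$(printf '%s\n' "$1" | default_route_has_I_flag)"
    printf 'internal DNS missing:     %s\n' "$(printf '%s\n' "$2" | missing_internal_dns "$4")"
    printf 'IPv6 still enabled:       %s\n' "$(printf '%s\n' "$3" | ipv6_enabled)"
}
triage "$NETSTAT_BROKEN" "$SCUTIL_BROKEN" "$GETINFO_BROKEN" 172.24.0.128
```

The expected internal DNS server passed to triage is the first dns-server value from the group-policy above; substitute your own.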

Apr 30, 2015 2:39 PM in response to dinmakers

Option #1 -- IF tunneling IPv4 traffic only --> Configure SplitInclude (tunnelspecified) policy *AND* enable "Client Bypass Protocol" on ASA Group Policy. Confirm the Group Policy is for IPv4 only with no IPv6 Tunnel List and no IPv6 Address Pool configurations.


Option #2 -- IF tunneling BOTH IPv4 and IPv6 - Configure SplitInclude (tunnelspecified) policy for BOTH IPv4 and IPv6 (includes both IPv4 and IPv6 Tunnel Lists and Address Pools). "Client Bypass Protocol" should remain the default which is disabled.


Option #3 -- (which may not be an option or the desired) --> Configure a Tunnel-All Policy


NOTES:

"Client Bypass Protocol" option is only available ASA v9.x+

No modifications to the AnyConnect Clients required.

Jun 6, 2016 8:23 AM in response to michaeldynamo

A better, more permanent and less disruptive fix is to fix the VPN group policy on your Cisco ASA firewall:


group-policy <name of your VPN group policy> attributes
 client-bypass-protocol enable


THAT IS THE PROPER FIX. It tells the Cisco AnyConnect VPN client to ignore a match between the client protocols (which is both IP4 and IP6), and what your AnyConnect configuration is on the ASA (often only IP4).


Another solution that I haven't tested, but I think would avoid this issue as well, is to have both ip4 and ip6 configured on the ASA for VPN clients. But we only have ip4 enabled, which is what causes the issue.


If you are NOT the network administrator at your company, you may have a hard time convincing him to make that change. Therefore, disabling and re-enabling IP6 locally on the Mac might be your only option.


P.S. To re-enable IP6 on the mac:

networksetup -setv6automatic Wi-Fi

(in other words, it's NOT -setv6on).
