5

Whenever I connect to a VPN server using the Cisco AnyConnect Secure Mobility Client v. 3.0.4235 (probably also with other versions) I lose access to my LAN. I hope to remedy this by manually adding some routes which AnyConnect deletes.

Below is my setup, routes before and after connection. I have a machine with two physical NICs:

NIC1 Gateway to internet

Address 10.191.244.10
Mask 255.255.255.0
Gateway: 10.191.244.1

NIC2

Address 172.16.97.1
Mask 255.255.0.0
Gateway: N/A

Device attached to NIC2

Address 192.16.97.2
Mask 255.255.0.0
Gateway: N/A

EDIT: Please note that the VPN connection and the LAN connection are not on the same physical NIC/link, and the two NICs do not connect to the same network (one connects to 10.191.244.0/24 and the other to 172.16.97.0/20).

Routes and ARP table before connection to VPN

===========================================================================
Interface List
 15...52 54 00 c3 42 45 ......Red Hat VirtIO Ethernet Adapter #2
 14...52 54 00 f4 a4 80 ......Red Hat VirtIO Ethernet Adapter
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
     10.191.244.0    255.255.255.0         On-link     10.191.244.11    261
    10.191.244.11  255.255.255.255         On-link     10.191.244.11    261
   10.191.244.255  255.255.255.255         On-link     10.191.244.11    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       172.16.0.0      255.255.0.0         On-link       172.16.97.1    261
      172.16.97.1  255.255.255.255         On-link       172.16.97.1    261
   172.16.255.255  255.255.255.255         On-link       172.16.97.1    261
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     10.191.244.11    261
        224.0.0.0        240.0.0.0         On-link       172.16.97.1    261
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     10.191.244.11    261
  255.255.255.255  255.255.255.255         On-link       172.16.97.1    261
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     10.191.244.1  Default 
===========================================================================

## ARP ##
Interface: 10.191.244.11 --- 0xe
  Internet Address      Physical Address      Type
  10.191.244.1          c4-05-28-c9-fd-63     dynamic   
  10.191.244.20         00-c0-3d-00-53-0d     dynamic   
  10.191.244.255        ff-ff-ff-ff-ff-ff     static    
  224.0.0.22            01-00-5e-00-00-16     static    
  224.0.0.251           01-00-5e-00-00-fb     static    
  224.0.0.252           01-00-5e-00-00-fc     static    
  239.255.255.250       01-00-5e-7f-ff-fa     static    

Interface: 172.16.97.1 --- 0xf
  Internet Address      Physical Address      Type
  172.16.97.2           00-80-2f-17-26-06     dynamic   
  172.16.97.3           00-80-2f-17-6a-44     dynamic   
  172.16.255.255        ff-ff-ff-ff-ff-ff     static    
  224.0.0.22            01-00-5e-00-00-16     static    
  224.0.0.251           01-00-5e-00-00-fb     static    
  224.0.0.252           01-00-5e-00-00-fc     static    
  239.255.255.250       01-00-5e-7f-ff-fa     static    

Routes and ARP after connection to VPN

===========================================================================
Interface List
 16...00 05 9a 3c 7a 00 ......Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
 15...52 54 00 c3 42 45 ......Red Hat VirtIO Ethernet Adapter #2
 14...52 54 00 f4 a4 80 ......Red Hat VirtIO Ethernet Adapter
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
          0.0.0.0          0.0.0.0    192.168.220.1  192.168.221.131      2
    10.191.244.11  255.255.255.255         On-link     10.191.244.11    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      172.16.97.1  255.255.255.255         On-link       172.16.97.1    261
    192.168.220.0    255.255.254.0         On-link   192.168.221.131    257
  192.168.221.131  255.255.255.255         On-link   192.168.221.131    257
  192.168.221.255  255.255.255.255         On-link   192.168.221.131    257
     193.28.147.7  255.255.255.255     10.191.244.1    10.191.244.11      6
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     10.191.244.11    261
        224.0.0.0        240.0.0.0         On-link       172.16.97.1    261
        224.0.0.0        240.0.0.0         On-link   192.168.221.131    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     10.191.244.11    261
  255.255.255.255  255.255.255.255         On-link       172.16.97.1    261
  255.255.255.255  255.255.255.255         On-link   192.168.221.131    257
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     10.191.244.1  Default 
          0.0.0.0          0.0.0.0    192.168.220.1       1
===========================================================================


## ARP ##
Interface: 10.191.244.11 --- 0xe
  Internet Address      Physical Address      Type
  10.191.244.1          c4-05-28-c9-fd-63     dynamic   
  10.191.244.20         00-c0-3d-00-53-0d     dynamic   
  224.0.0.22            01-00-5e-00-00-16     static    
  224.0.0.251           01-00-5e-00-00-fb     static    
  224.0.0.252           01-00-5e-00-00-fc     static    
  239.255.255.250       01-00-5e-7f-ff-fa     static    

Interface: 172.16.97.1 --- 0xf
  Internet Address      Physical Address      Type
  172.16.97.2           00-80-2f-17-26-06     dynamic   
  172.16.97.3           00-80-2f-17-6a-44     dynamic   
  224.0.0.22            01-00-5e-00-00-16     static    
  224.0.0.251           01-00-5e-00-00-fb     static    
  224.0.0.252           01-00-5e-00-00-fc     static    
  239.255.255.250       01-00-5e-7f-ff-fa     static    

Interface: 192.168.221.131 --- 0x10
  Internet Address      Physical Address      Type
  192.168.220.1         00-11-22-33-44-55     dynamic   
  192.168.221.255       ff-ff-ff-ff-ff-ff     static    
  224.0.0.22            01-00-5e-00-00-16     static    
  224.0.0.251           01-00-5e-00-00-fb     static    
  224.0.0.252           01-00-5e-00-00-fc     static    
  239.255.255.250       01-00-5e-7f-ff-fa     static 

The differences in routes before and after show that AnyConnect deleted a route to the 172.16.0.0 network.

I try to add it back with

route ADD 172.16.0.0 MASK 255.255.0.0 172.16.97.1

The route utility returns/prints "OK!", but the route never shows up in the routing table afterwards. I run the route utility with elevated privileges. Can AnyConnect block my addition of new routes?

Is there any way around this issue on my (client) end? The VPN server config is not easily changed.

Wuhtzu

3 Answers

8

I found a solution to my problem. I simply used OpenConnect instead of Cisco's own client.

OpenConnect (http://www.infradead.org/openconnect/) is an open source client for Cisco's AnyConnect SSL VPN, built around GnuTLS and OpenSSL. It runs on BSD, Linux, Mac and Windows.

For me it solved the problem on both Linux (Ubuntu 14, using the package network-manager-openconnect) and Windows (Win7 64bit, using http://www.infradead.org/openconnect/gui.html / https://github.com/openconnect/openconnect-gui/wiki).

Below are routes before and after VPN connection with OpenConnect. Contrast those to the AnyConnect case, where the 172.16.0.0 routes were removed.

I now enjoy access to the VPN resources and my local LAN (in particular my network attached sampling device on 172.16.97.2).

Routes before OpenConnect connection:

===========================================================================
Interface List
 20...00 ff 08 2c e8 75 ......TAP-Windows Adapter V9
 15...52 54 00 c3 42 45 ......Red Hat VirtIO Ethernet Adapter #2
 14...52 54 00 f4 a4 80 ......Red Hat VirtIO Ethernet Adapter
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
     10.191.244.0    255.255.255.0         On-link     10.191.244.11    261
    10.191.244.11  255.255.255.255         On-link     10.191.244.11    261
   10.191.244.255  255.255.255.255         On-link     10.191.244.11    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       172.16.0.0      255.255.0.0         On-link       172.16.97.1    261
      172.16.97.1  255.255.255.255         On-link       172.16.97.1    261
   172.16.255.255  255.255.255.255         On-link       172.16.97.1    261
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     10.191.244.11    261
        224.0.0.0        240.0.0.0         On-link       172.16.97.1    261
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     10.191.244.11    261
  255.255.255.255  255.255.255.255         On-link       172.16.97.1    261
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    192.168.220.1       1
          0.0.0.0          0.0.0.0     10.191.244.1  Default 
===========================================================================

Routes after OpenConnect connection:

===========================================================================
Interface List
 20...00 ff 08 2c e8 75 ......TAP-Windows Adapter V9
 15...52 54 00 c3 42 45 ......Red Hat VirtIO Ethernet Adapter #2
 14...52 54 00 f4 a4 80 ......Red Hat VirtIO Ethernet Adapter
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
          0.0.0.0          0.0.0.0    192.168.220.1  192.168.221.140      2
     10.191.244.0    255.255.255.0         On-link     10.191.244.11    261
    10.191.244.11  255.255.255.255         On-link     10.191.244.11    261
   10.191.244.255  255.255.255.255         On-link     10.191.244.11    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       172.16.0.0      255.255.0.0         On-link       172.16.97.1    261
      172.16.97.1  255.255.255.255         On-link       172.16.97.1    261
   172.16.255.255  255.255.255.255         On-link       172.16.97.1    261
    192.168.220.0    255.255.254.0         On-link   192.168.221.140    257
  192.168.221.140  255.255.255.255         On-link   192.168.221.140    257
  192.168.221.255  255.255.255.255         On-link   192.168.221.140    257
     193.28.147.7  255.255.255.255     10.191.244.1    10.191.244.11      6
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     10.191.244.11    261
        224.0.0.0        240.0.0.0         On-link       172.16.97.1    261
        224.0.0.0        240.0.0.0         On-link   192.168.221.140    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     10.191.244.11    261
  255.255.255.255  255.255.255.255         On-link       172.16.97.1    261
  255.255.255.255  255.255.255.255         On-link   192.168.221.140    257
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     10.191.244.1  Default 
          0.0.0.0          0.0.0.0    192.168.220.1       1
===========================================================================
Wuhtzu
  • See also certificates migration at http://lorands.com/2012/10/openconnect-replacement-for-cisco-anyconnect-on-linux-ubuntu/. It must be noted that I didn't manage to get OpenConnect working properly even with plain password. It was successfully connecting to server, verifying password, adding routes but no remote IP became pingable in the end. Thanks for this alternative, though. – Vadzim Feb 18 '16 at 09:13
  • Are there Windows binaries available or did you compile it yourself? – Gert van den Berg Sep 07 '18 at 10:56
  • On my own comment. OpenConnect-GUI has Windows binaries... – Gert van den Berg Sep 07 '18 at 15:32
  • Hi Wuhtzu, this is the clearest writing about accessing to our LAN when Cisco AnyConnect VPN Client is used. Because it was written in Feb 1 '15, so I have to wonder, are you still able to use OpenConnect-GUI to replace Cisco AnyConnect as of now? thx – xpt Jul 28 '21 at 19:29
2

Your VPN administrator can enable/disable split tunneling from the VPN concentrator end. Even if you do mess with the gateways on your local machine while connected to the VPN, I believe the Cisco client does whatever the policy tells it to do from the endpoint in your office.

Ask the VPN admin about it... I'm sure he/she will be happy to give you an earful about why it's set up the way it is. :)

Chris
    Thank you for the obligatory "there is a reason why"-answer, now comes the "there are special circumstances"-response. I cannot hope for the server config to change, and the **Device attached to NIC2** is a harmless network attached data acquisition unit (voltage sampler, from NI), it could have been attached via USB, but unfortunately it is attached via ethernet. I just want that route back. I probably have to dwell into modifying any AnyConnect dynamically linked libraries to prevent the route manipulation or block it from calling __route__. – Wuhtzu Jan 31 '15 at 17:32
  • 1
    Also, do we agree that "split tunneling" is nothing magic, it is just a set of routes which result in a particular experience on the client machine? Of course the VPN client (AnyConnect in this case) could be configured to block traffic if it detects an unwanted route, but in principle the VPN-server has no saying over how I setup my routes on my machine. Enabling "split tunneling" will just tell the client not to delete certain routes, compared to what it does when it is disabled. So if I can prevent AnyConnect from modifying my routes I will achieve my goal? – Wuhtzu Jan 31 '15 at 17:47
  • 1
    It's nothing magic, but the client can break it. When you connect to a corporate VPN, you probably have signed some agreement that says, "Yes, AnyConnect has say over how you setup your routes on your machine." – Chris Jan 31 '15 at 21:17
  • Sure, one might very well have entered into such an agreement. But good, split tunneling is nothing more than a carefully crafted set of routes. – Wuhtzu Feb 01 '15 at 13:55
0

This is probably the question about VPN access that is asked the most.

Search for Split Tunnel

In a nutshell, Split Tunneling doesn't seem to be enabled in your VPN configuration.

So when connecting to your VPN, you end up with two default gateways.

0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
0.0.0.0          0.0.0.0    192.168.220.1  192.168.221.131      2

When setting up a VPN access without Split Tunneling, you basically ask the VPN client to route ALL traffic through the VPN endpoint.

That's why you "lose" access to your LAN.

Alex
  • Before the vpn connection there was a gateway and the 172.16.79.0 did not use it then. The gateway did not lead to that network. So isn't it the removal of the two 172.16.0.0 routes that's the problem? And more importantly, can I get that access back without split tunneling? – Wuhtzu Jan 31 '15 at 14:50
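As an added example (not part of the question or any of the answers), the following Python script parses the "Active Routes" section of the `route print` output posted in the question (constructed excerpts are embedded inline), lists which destinations AnyConnect removed and added, and then resolves the sampling device 172.16.97.2 the way Windows does (longest prefix first, then lowest metric). It makes concrete why the OP's LAN host stops answering: once the 172.16.0.0/16 on-link route is gone, the only match left is the tunnel's default route with metric 2.

```python
import ipaddress
import re

# Constructed excerpts of the "Active Routes" section of `route print`
# from the question, before and after AnyConnect connects.
BEFORE = """
          0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
     10.191.244.0    255.255.255.0         On-link     10.191.244.11    261
    10.191.244.11  255.255.255.255         On-link     10.191.244.11    261
       172.16.0.0      255.255.0.0         On-link       172.16.97.1    261
      172.16.97.1  255.255.255.255         On-link       172.16.97.1    261
"""
AFTER = """
          0.0.0.0          0.0.0.0     10.191.244.1    10.191.244.11    261
          0.0.0.0          0.0.0.0    192.168.220.1  192.168.221.131      2
    10.191.244.11  255.255.255.255         On-link     10.191.244.11    261
      172.16.97.1  255.255.255.255         On-link       172.16.97.1    261
    192.168.220.0    255.255.254.0         On-link   192.168.221.131    257
  192.168.221.131  255.255.255.255         On-link   192.168.221.131    257
     193.28.147.7  255.255.255.255     10.191.244.1    10.191.244.11      6
"""

# One data row: destination, netmask, gateway (or On-link), interface, metric.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return [(network, gateway, interface, metric)] for each data row."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:  # headers, separator lines and blank lines
            continue
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def route_diff(before, after):
    """Destinations removed and added between two route tables (as strings)."""
    old = {r[0] for r in parse_routes(before)}
    new = {r[0] for r in parse_routes(after)}
    return [str(n) for n in sorted(old - new)], [str(n) for n in sorted(new - old)]


def lookup(text, host):
    """Pick the route Windows would use: longest prefix, then lowest metric."""
    ip = ipaddress.ip_address(host)
    candidates = [r for r in parse_routes(text) if ip in r[0]]
    net, gw, iface, _ = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return str(net), gw, iface


if __name__ == "__main__":
    print(route_diff(BEFORE, AFTER))
    print(lookup(BEFORE, "172.16.97.2"), lookup(AFTER, "172.16.97.2"))
```

The diff also shows the 10.191.244.0/24 on-link route for NIC1 disappearing, which the posted tables confirm; the 193.28.147.7/32 host route pinned to 10.191.244.1 is what keeps the tunnel's own endpoint reachable.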