wsl 2 ubuntu 18.04 unable to connect to IP resources with Cisco AnyConnect active #4277
Comments
Not 100% sure, but it can be that AnyConnect blocks any DNS server except the one provided by the connection. I observed something similar and was unable to disable this behaviour. |
I've tried the method of creating a manual named.conf and it didn't fix anything. I can ping the 1st dns server from windows but not from ubuntu.
Ubuntu
It seems to be more of a routing problem than a name resolution one. For instance, I can ping www.microsoft.com from a cmd prompt but not from Ubuntu. Windows
Ubuntu
|
Having exactly same problem...Errrrr |
I have the same issue, that from within the WSL 2 shell, I'm unable to use AnyConnect running in Windows. However, in WSL I installed openconnect, and I run: Also, this only works if I disconnect the VPN in Windows first, which is annoying. |
Same issue here. I tried to add a search list in /etc/resolv.conf following the guide here, but it still failed. |
If you're still experiencing this issue could you please take some networking logs? It will help us diagnose what's going on. You can find instructions on how to do so here! |
I'm definitely experiencing this issue and I'm running 18970. I can capture logs if needed. The problem is easy to reproduce. |
Well, cancel that. I don't have the Feedback Hub installed and I have another issue where I can't download app from the Microsoft Store because of some weird Microsoft Account issue that I'm working with support on. |
Also, if WSL 2 starts first, Cisco AnyConnect will fail to connect. |
I filed a feedback in FH. https://aka.ms/AA60j0u |
Same issue, I filed feedback using Feedback Hub. |
I also have the same issue with AnyConnect, also gave feedback in the Hub (although the option to post a recording was grayed out for me). |
I'm also having this problem and opened an issue for it in Feedback Hub with logs: https://aka.ms/AA6fthe |
I tried this route, but our AnyConnect uses 2FA which makes using openconnect impossible |
I'm in the same boat. WSL 2 is a godsend while I'm in the office; it's so much faster and better integrated than using a VirtualBox (or similar) VM. Unfortunately I still have to use said VM when connecting remotely via VPN because, as others here have described, all network connectivity from WSL 2 stops the moment the VPN is up. I use Cisco AnyConnect too although I imagine the problem is common to most VPN clients. Like @Haselton I'm unable to use OpenConnect as the company I work for enforces 2FA. @craigloewen-msft - I'd dearly love to send you some logs but our workstation diagnostic data settings are locked down by Group Policy. If there's anything else I can do to help please let me know. WSL 2 is fabulous. 🙂 |
@raisin-loaf thank you for the offer! I'll let you know if you can help out in any other way. We are investigating issues related to the VPN. |
I was able to resolve this by installing AnyConnect PWA from the Windows Store. The VPN connection now works with WSL, whereas my standalone installation of AnyConnect 4.6 does not work... hope this helps someone |
It works! Thanks so much for posting this. |
I was having the same issue; I found that AnyConnect was set up to do full-tunnel, and therefore a route existed to throw all traffic through the VPN connection (likely including packets destined for the WSL2 VM). WSL2 routes are configured with a metric of 5256, and AnyConnect routes have a metric of 2, and therefore take priority. I amended the routes for AnyConnect (where metric == 2) to be 5257 instead, which seems to largely work. I used "NetRouteView" run as Admin to do the changes because I was too lazy to find the PowerShell equivalent commands :) This restored connectivity, but I found DNS to still be broken with the WSL default resolvconf ( |
Any movement on a fix for this? In my attempt to move away from macOS to Windows for dev, this has effectively stopped me completely as the company I work for uses AnyConnect. |
Yes we are tracking this and are looking into solutions with the networking team! I'll post any updates here as soon as they become available. |
Thanks a lot, this would be a life saver! |
For what it's worth I was having all the same issues described here. I saw AdonisLL post and tried it. I installed the AnyConnect UWP version available on the Windows store. Now, it seems to work perfectly! No jacking around with resolv.conf, or turning off generateResolvCon in wsl.conf. In fact the VPN seems much faster than the AnyConnect client 4.5 version I was using. Considering all the grief this was causing, this turned out to be a fast and easy fix for this! |
@kzeitz Company I work for requires 2FA authentication which it seems the Windows store version of AnyConnect doesn’t support. |
Ah, bummer. It's been so nice for this to just work like it's supposed to.
Sorry.
|
I'm having this issue in December 2022 on an up-to-date version of Windows 10 with WSL 2 and the latest Ubuntu from Microsoft Store. I agree with the others here that setting the metric high is not the answer - additionally, these solutions do not consider developers that do not have administrative rights on their machine due to corporate policy. Part of the issue I'm experiencing is the DNS issue where I have to manually set the DNS IP address in /etc/resolv.conf. However, even after doing this, sporadically I'll be unable to even ping an IP address directly, leading me to believe that there still are some issues to be resolved with how the network adapters are handled by Windows. Just wanted to share my experience. P.S. - I wrote up an automatic PowerShell script to handle the DNS issue - but still have the other issue I described sporadically. I guess I'll take 50% working over 0% working? |
Finally the BypassVirtualSubnetsOnlyV4 fix from Cisco solved it for us! No more messing with interface metric workarounds. |
This was actually my problem, Cisco VPN had connected status (even when disconnected). By changing the priority of the Cisco one, the WSL2 variant started working again. Also changed my WiFi (primary interface) to priority of 1. Thanks and you rock!! |
Thank you @prasadrajesh @JorisNinja, your commands worked for me. |
You shouldn't change the Interface-Metric, because routing then behaves differently. See the following blog post for an explanation: https://janovesk.com/wsl/2022/01/21/wsl2-and-vpn-routing.html The problem of not using the correct DNS server is properly explained there, and the suggested solution should be used from a networking point of view. For the IP-range problem you have only the following two options:
How the second could work is shown in this Microsoft Q&A: https://learn.microsoft.com/en-us/answers/questions/1123820/set-wsl2-subnet TLDR: Change the subnet of the WSL NAT router to a different one which does not collide with your company VPN subnet. To do so, go to regedit and edit the following entries: Again: Please don't change the InterfaceMetric! |
@Pit-Storm Unless I'm missing something, I think this is irrelevant when dealing with full-tunnel VPN; the route added is for 0.0.0.0/0 via the VPN, and this encompasses the WSL subnet. Deleting this route would obviously result in no traffic traversing the VPN. Amending the MetricID just ensures that traffic for the WSL interface is prioritised above the VPN adapter, so that traffic can return. Yes it does add the ability for WSL to route to the local network whilst on VPN when you normally shouldn't be able to (frowned upon in a full tunnel setup), but that's a small price to pay (and arguably convenient lol) |
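Added example, not part of any comment above and not code from the WSL project: a small Python model of the route selection that the metric discussion in this thread turns on. The 5256 / 2 / 5257 metrics come from the comments; the subnets, interface labels, the Wi-Fi metric of 50 and the duplicated same-prefix VPN routes are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Route:
    prefix: str      # destination prefix, e.g. "0.0.0.0/0"
    interface: str   # label of the outgoing interface
    metric: int      # effective metric (route metric + interface metric)

def select_route(routes, destination):
    """Longest matching prefix wins; equal prefixes are decided by lowest metric."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.metric))

def raise_vpn_metric(routes, vpn_interface, old_metric, new_metric):
    """Model of the change from the thread: VPN routes at old_metric get new_metric."""
    return [
        replace(r, metric=new_metric) if (r.interface, r.metric) == (vpn_interface, old_metric) else r
        for r in routes
    ]

def egress_report(routes, destinations):
    """Map each destination to the interface that would carry it."""
    return {d: select_route(routes, d).interface for d in destinations}

# Constructed routing table (assumption): the VPN client mirrors each prefix at metric 2.
WSL_IF, VPN_IF, WIFI_IF = "vEthernet (WSL)", "AnyConnect", "Wi-Fi"
ROUTES = [
    Route("0.0.0.0/0", VPN_IF, 2),
    Route("0.0.0.0/0", WIFI_IF, 50),
    Route("172.20.0.0/20", WSL_IF, 5256),
    Route("172.20.0.0/20", VPN_IF, 2),
    Route("192.168.1.0/24", WIFI_IF, 50),
    Route("192.168.1.0/24", VPN_IF, 2),
]
DESTS = ["172.20.5.10", "192.168.1.20", "8.8.8.8"]  # WSL VM, LAN host, internet
BEFORE = egress_report(ROUTES, DESTS)
AFTER = egress_report(raise_vpn_metric(ROUTES, VPN_IF, 2, 5257), DESTS)

if __name__ == "__main__":
    for d in DESTS:
        print(f"{d:>14}  before: {BEFORE[d]:<16} after: {AFTER[d]}")
```

In this constructed table, raising every VPN route to 5257 returns WSL traffic to the WSL interface but also moves LAN and default-route traffic off the tunnel, which is the trade-off the surrounding comments argue about.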
I don't have the ASDM, how can I change the setting directly? |
Hi folks, we have put out a new update that aims to address networking issues in WSL. In your More info on this release and the changes can be found here in the blog post. |
@craigloewen-msft What about users with older windows versions, such as 21H2? |
@craigloewen-msft I updated to WSL 2.0.3 on 22H2 and added below section to
|
Please change your .wslconfig to this content instead. Does that resolve it for you? (You need to remove the quotes!)
|
@craigloewen-msft I can't tell what is different between those two code blocks. |
@NiklasBr my mistake I failed on copy and pasting. I've adjusted it! |
This appeared to work 🙌 but it broke Docker Desktop. |
These new networking features are now available on the latest version of Win11 22H2! Please make sure you're on the latest build to get these features, you can do that by clicking "Check for Updates" in Windows settings. You can check you have the right build by either ensuring you have KB5031354 installed, or run |
Is there any way to enable these options on Windows 10 22H2? |
@craigloewen-msft I'm trying to get access to VPN network from WSL2. Is it possible?
I have no communication. This is what my wsl network looks like:
|
After years of struggling with various hacks and workarounds, I was eager to try this one out. Unfortunately, someone at my company's IT dept has decided to set the I'm willing to go on a mission in corporate to get that policy changed, but before this I'd like some reassurance that the effort actually stands a chance to yield some progress. @craigloewen-msft are there confirmed cases that |
@donkkis as a Cisco Anyconnect user with enforced full-tunnel connection, I can confirm that mirrored networking does work as you would hope. |
@dalgibbard So no further workarounds are needed? Can you tell me what AnyConnect version you are using? With AnyConnect we can resolve our internal IPs and connect to them, but anything that goes outside (e.g. archive.ubuntu.com) fails to connect. According to our IT department, it's because the proxy authentication fails. |
@timoooo With the new versions of AnyConnect, |
I set the values HTTP_PROXY, HTTPS_PROXY, http_proxy and https_proxy to my Proxy address but the issues persist |
Are you passing them to apt when you run sudo (sudo clears most env vars by default)? |
@balmeida-nokia no, I just run sudo apt ... straight after setting the env variables |
@balmeida-nokia thanks, that worked for the Ubuntu repos; however, I apparently need to authenticate to get to Err:1 https://ppa.launchpadcontent.net/deadsnakes/ppa/ubuntu jammy InRelease |
Did you try searching for HTTP_PROXY authentication? |
This is still busted out of the box. C'mon, Microsoft...I don't care if it's FOSS, it's a PRODUCT you offer- fix this properly. I shouldn't have to use Admin Mode Powershell scripting hacks to "fix" this. Even though it's slower, VirtualBox manages to actually WORK in NAT mode and YOU DO NOT here. Five years, guys. This isn't acceptable. |
Please fill out the below information:
Your Windows build number: (Type ver at a Windows Command Prompt) Microsoft Windows [Version 10.0.18932.1000]
What you're doing and what's happening: (Copy&paste the full set of specific command-line steps necessary to reproduce the behavior, and their output. Include screen shots if that helps demonstrate the problem.)
I've installed ubuntu 18.04 and converted it to wsl v2 using the following command in windows powershell running as administrator.
PS C:\WINDOWS\system32> wsl --set-version Ubuntu-18.04 2
When I start the Ubuntu 18.04 instance I'm able to communicate with resources using IPs and hostnames.
Once I connect to my work VPN using Cisco AnyConnect client v 4.7.00136 I'm no longer able to connect to IP resources.
I should be able to ping 8.8.8.8 or other outside IPs once the AnyConnect VPN client is running.