Cisco Anyconnect Vpn Ipv6





IPv6 addresses and headers take up more space in the data packet than IPv4 addresses and headers do. Because of this some users are not able to connect to the VPN at all, and others can connect but can't download files, read email, or do other things that use large data payloads in their data packets. Adjusting the packet MTU to a lower value will make sure that there is enough space in the packet for the larger IPv6 headers.

This only affects customers that connect over IPv6. Cisco's AnyConnect software will always use IPv4 if it is available, so this will mostly affect customers using openconnect, or customers that only have IPv6 (which is rare). The default MTU for wireless and Ethernet is 1500 bytes. When using IPv6, especially if it is being tunneled, you'll need to set it down to between 1380 and 1450 depending on your setup.

How can you tell if this is the problem?


  1. If you can't connect at all and your client just times out trying to connect (and is using IPv6 to get to the VPN*), then first check to see if you can ping6 the vpn (unix/Mac OS command is 'ping6 vpn.illinois.edu'). If that doesn't work, this is not the problem.
  2. If ping6 worked, then see if you can load the website over IPv6. https://vpn4g-1.gw.illinois.edu (or any of the VPNs). If it loads, this probably isn't the problem. If it loads, and the VPN connects, but then some things don't work, it might be the problem.
  3. If ping6 worked, but loading the website did not work, then there is a good chance this is your problem. Please try changing your MTU setting and see if that fixes the issue.
If you think this is the problem you are having, then you need to set your MTU size down to at least 1450, possibly as low as 1380 to make everything work.
Mac OS:
  1. Go to Network settings
  2. Click on the interface being used for your network connection, if it is not already selected.
  3. Click on the 'Advanced' button.
  4. Click on the 'Hardware' tab.
  5. Change the 'Configure:' drop down to Manually.
  6. Change the 'MTU:' drop down to Custom.
  7. Type in 1380, click Okay, and then click Apply.

Windows 7, 8, and 10:

Follow the instructions from this website: https://support.zen.co.uk/kb/Knowledgebase/Changing-the-MTU-size-in-Windows-Vista-7-or-8 but replace 'ipv4' in all the commands with 'ipv6'.

Open a command prompt

  1. Click the Windows button on the task bar.
  2. Click All Programs.
  3. Click Accessories.
  4. Right-click on Command Prompt and click Run as administrator.
  5. If prompted click the Allow button.

Set the MTU size:

  1. Once the Command Prompt window is open follow the steps below to change the MTU size:

    1. Type netsh interface ipv6 show subinterface
    2. Press Enter.
    3. You will see a list of network interfaces.
    4. Type netsh interface ipv6 set subinterface "Local Area Connection" mtu=1450 store=persistent
      You should replace Local Area Connection with the name that appeared in the "Interface" column from steps 1-3.
    5. Press Enter.
    6. Restart your computer and then test again.

    If you still have problems after modifying the MTU repeat the above steps - replacing the numbers 1458 with 1430, or 1380 – restart the computer and test again.


Linux:

  1. In Linux there are multiple ways to do it. Here are two possibilities:
    1. If you are using openconnect, use the '-m' option to specify the MTU like this
      1. openconnect -m 1380 -v vpn.illinois.edu
    2. Otherwise, after the vpn has connected, adjust the mtu on the tunnel interface that was created (in this example the tunnel was tun0)
      1. ifconfig tun0 mtu 1380
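
To see which of the MTU values above actually fits your IPv6 path before changing anything, the following added example (not part of the original page) sends full-size ICMPv6 echoes with fragmentation prohibited and reports the largest candidate that gets through. It assumes the Linux iputils ping options -6, -M do, -s, -c and -W; the function names and the PING_CMD override are this example's own.

```sh
#!/bin/sh
# Added example: find the largest MTU from the page's candidate values
# (1500, 1450, 1430, 1380) that reaches a host over IPv6 unfragmented.
# Assumes Linux iputils ping; PING_CMD is a hypothetical override hook so
# the logic can be exercised without a network.
PING_CMD=${PING_CMD:-ping}

# The IPv6 header (40 bytes) and ICMPv6 echo header (8 bytes) come out of
# the MTU, so the echo payload that exactly fills one packet is MTU - 48.
icmp6_payload_for_mtu() {
    echo $(( $1 - 48 ))
}

# probe_mtu HOST [MTU...]: print the first (largest) candidate that passes.
# Returns 1 if none pass, which points to a reachability problem instead.
probe_mtu() {
    host=$1
    shift
    if [ $# -eq 0 ]; then
        set -- 1500 1450 1430 1380
    fi
    for mtu in "$@"; do
        size=$(icmp6_payload_for_mtu "$mtu")
        # -M do prohibits fragmentation, so an oversized probe simply fails
        if "$PING_CMD" -6 -c 1 -W 2 -M do -s "$size" "$host" >/dev/null 2>&1; then
            echo "$mtu"
            return 0
        fi
    done
    return 1
}

# Command-line use: sh probe_mtu.sh vpn.illinois.edu
if [ $# -ge 1 ]; then
    if best=$(probe_mtu "$1"); then
        echo "Largest working MTU toward $1: $best"
    else
        echo "No candidate MTU passed; check basic IPv6 reachability first." >&2
        exit 1
    fi
fi
```

If the result is below 1500, that value is a reasonable starting point for the openconnect '-m' option or the tunnel interface MTU shown above.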

*How to tell if you are connected to the VPN over IPv6

First, check to see what IP address(es) your computer has. Go to https://www.whatismyip.com and see what it says. If you only have an IPv4 address, you can't be connecting over IPv6. If you only have an IPv6 address, then you are definitely connecting over IPv6.
If you have both an IPv4 and an IPv6 address and you aren't able to connect at all, it's hard for you to tell which address you're using to connect to the VPN. As a general rule of thumb, if you are using the Cisco AnyConnect software it will always use IPv4 if it has one. If you are using openconnect or some other free client, it is likely using IPv6 - most open source software will try IPv6 first. If you absolutely need to know, contact the Technology Services Help Desk; they can look up your connection in the logs and see what IP address you connected with.
If you are able to connect, but things aren't working, you can see what the IP address of the server you're connected to is in the VPN application. This will let you know if it is IPv4 or IPv6. Open the statistics window (on Mac click on the graph icon on the connection window, on Windows click on the gear icon on the connection window, then select the statistics tab). Then look for the line named 'Server' to find the server's IP address.
If the address is in IPv6 format (up to 8 hex numbers, separated by colons - note that there can be fewer than 8 if there is a double colon - such as 2620:0:e00:3a::2) you are connected to the server over IPv6.

If the address is in IPv4 notation (4 decimal numbers separated by periods such as 192.17.55.12) you are not connecting over IPv6.



This page explains the distinctions between the Cisco AnyConnect VPN profiles available during the login process.

Normal use: 'SplitTunnel' profile

Most people will ordinarily select the '1_SplitTunnel_(Default)' profile. This sends traffic meant for University computers to the University, and doesn't intervene in your non-University web browsing such as Facebook or Google. As of Fall 2018 both IPv4 and IPv6 traffic are supported by the VPN. Click here for more details on how exactly the IPv6 traffic is handled with Split Tunnel.

The Office of Privacy and Information Assurance (OPIA) suggests the use of the split tunnel profile from secured networks that you trust, such as home and work networks.

Special cases: 'TunnelAll,' 'SplitTunnel_NoPrivateIP', '2FA_Duo,' and 'ReduceDisconnects' profiles

Tunnel All (off-campus online resource use, traveling in countries with restricted network access)

The '3_TunnelAll' profile is used in cases where you need to present a University identity to a third party website, such as the Library's online resource collection. (See Library Resources and the VPN for more information about remote access to the Library's resources.) There are some other services provided to campus based on IP address in addition to those from the Library. Additionally, if you are traveling outside the US and want to reach US servers for services such as Google or Facebook then the Tunnel All profile will send all your data back to campus first, and then out to those services. Researchers accessing NIST data must use either '3_TunnelAll' or '4_TunnelAll_2FA_Duo' in order to be compliant with grant award restrictions. As of Fall 2018 both your IPv4 and IPv6 traffic are sent back to campus.

The Office of Privacy and Information Assurance (OPIA) recommends the use of the Tunnel All profile from untrusted networks, such as unsecured wireless networks, coffee shops, hotels, and other potentially vulnerable networks. This way all of your network traffic is encrypted on the path between your computer and the campus network, helping to protect your data from snooping.

Problem: I cannot connect to Tunnel_All VPN and local server or printer without being disconnected.

Answer: You need to check the box in settings for 'Allow local (LAN) access when using VPN' in your settings. That should let you keep access to the local samba server while using Tunnel All.

VPN, Configuration for local LAN access

SplitTunnel_NoPrivateIP

The '5_SplitTunnel_NoPrivateIP' profile is used in the rare case that you need to use the features of SplitTunnel but also need to be able to connect to computers off-campus that are on Private IP addresses normally used on campus. The standard '1_SplitTunnel_(Default)' profile will send traffic meant for any university IP address, both the public addresses and private addresses, used on campus. Most of the time this will not interfere with your ability to use non-university resources. However a few Internet providers and businesses might be using the same parts of private IP space in such a way that '1_SplitTunnel_(Default)' will not work correctly. In that case you can use '3_TunnelAll' or '5_SplitTunnel_NoPrivateIP' to connect. See more about what IP ranges are in use on campus on the Guide to University of Illinois IP Spaces.
As of Fall 2018 both IPv4 and IPv6 traffic are supported by the VPN. Click here for more details on how exactly the IPv6 traffic is handled with Split Tunnel.

2FA_Duo (IT Pros and Secure Application Access)

See About UI Verify and 2FA for details on the University implementation of Two-factor authentication (2FA). Some campus IT Pros use Duo devices for two-factor authentication, as do some University Applications. If you want to use your Duo device along with the VPN authentication system, select one of the profiles that includes '_2FA' or 'Duo' in the name before you start the VPN connection. In the line below your password type in one of the following: 'push', 'phone', or 'SMS' to tell the VPN how you want Duo to contact you.

ReduceDisconnects


The '7_SplitTunnel_ReduceDisconnects' profile is used when you are attempting to use the VPN from a congested or lossy network. The profile is designed to try and keep your VPN connection established even when you are experiencing brief network disruptions. This will not improve your overall network performance, but it will make it less likely that your VPN connection will be disconnected due to those network disruptions. Other than that, the profile is the same as the '1_SplitTunnel_(Default)' profile. Depending on some settings on your host operating system (related to TCP-Keepalives), it is possible that this profile will not work well. This limitation is the reason that it is not the default profile and it is only recommended in cases where the default profile has already been shown not to work well.

Why does the program default to SplitTunnel and not TunnelAll?

Tunnel All is required for library use, but usually slows people's network connection down for regular Internet use. Split Tunnel sends traffic for campus IP addresses to campus, but also lets all their traffic out to the Internet go straight to where it is going without the overhead of first encrypting it, then sending it to the university, having it unencrypted, and then sending it back out to the Internet. Then the response comes back to the University, gets encrypted, and is then sent back to their computer where it has to be unencrypted. That adds time, and the encryption process uses a lot of CPU power on their computer. It also sends all the traffic in and out of the University's Internet connection (multiple times) that otherwise doesn't need to be there, using a moderately expensive resource shared by all of campus.

Because of all the extra steps the data has to take with Tunnel All, most people have the best experience using the Internet and University resources at the same time with Split Tunnel.

Split Tunnel does let people connect to classroom servers, just not Library online resources. Classroom servers have University IP addresses, so the VPN sends that traffic to campus in either Split Tunnel or Tunnel All. The Library's online resources are located off-campus, and depend on checking your IP address to see if you are allowed to use them. That means the traffic must come from campus, so only Tunnel All works.

