Cannot connect to computers over Anyconnect VPN with fedora 33

Since the conflict is with libvirt, maybe something changed with libvirt? That’s my best guess. Anyway, it looks like Vladislav will help you hammer your way to a workaround. Good luck.


Here’s the information while connected to the VPN:

$ ip route show
default dev tun0 scope link 
default via 192.168.0.1 dev enp4s0 proto dhcp metric 100 
4.31.13.10 via 192.168.0.1 dev enp4s0 src 192.168.0.106 
192.168.0.0/24 dev enp4s0 proto kernel scope link src 192.168.0.106 metric 100 
192.168.70.0/23 dev tun0 scope link 
192.168.222.0/24 dev virbr0 proto kernel scope link src 192.168.222.1 linkdown

$ ip route get 104.196.x.x
104.196.x.x dev tun0 src 192.168.70.82 uid 1000 
    cache

192.168.70.82 is the IP address of tun0

$ ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1200
        inet 192.168.70.82  netmask 255.255.255.255  destination 192.168.70.82
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 18  bytes 2008 (1.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 326  bytes 29505 (28.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

For comparison here is ip route show; ip route get … when disconnected from the VPN:

$ ip route show
default via 192.168.0.1 dev enp4s0 
default via 192.168.0.1 dev enp4s0 proto dhcp metric 100 
192.168.0.0/24 dev enp4s0 proto kernel scope link src 192.168.0.106 metric 100 
192.168.222.0/24 dev virbr0 proto kernel scope link src 192.168.222.1 linkdown

$ ip route get 104.196.x.x
104.196.x.x via 192.168.0.1 dev enp4s0 src 192.168.0.106 uid 1000 
    cache

192.168.0.106 is the IP address of the wired interface.

Thanks for your help.
-Mike


Can you access/ping the target domain when the VPN is disconnected?
Since the domain has a public IP address, it should be reachable without VPN.

Also, verify that your VPN is working properly using ipleak.net or ipv6-test.com.
The sites should show a new IP when you are connected to the VPN.

Yes, public sites in my work domain are accessible without the VPN. That has not been the issue.

I cannot access these sites when I’m connected to the VPN. I have not been able to access any internet sites when connected to the VPN.

When I disconnect from the VPN this error message pops up:
Error: argument "via" is wrong: use nexthop syntax to specify multiple via

From what I have found, this could mean that there are two routes specified with equal weight. Is this related to the “metric” you were pointing out earlier? If so, I tried to find out how to change it but have not found the answer.

-Mike

Corporate VPNs often restrict routing/forwarding.
Perhaps your VPN allows access only to specific subnets, such as this one:

So, try to disable default gateway redirection in the VPN connection settings:

nmcli connection show
nmcli connection modify id VPN_CON ipv4.never-default yes ipv6.never-default yes
nmcli connection down id VPN_CON
nmcli connection up id VPN_CON

Yes, and mine does, but not to their own servers!

I tried the instructions to disable the default gateway and it didn’t make any difference.

Along with your suggestions, I have been doing my own research, and while there are indications that others are having problems, there have been no definitive solutions. I feel like I’m hitting a wall :(.

-Mike

Establish the VPN connection and check:

ip route get 1; nmcli connection show

Results:

$ ip route get 1; nmcli connection show
1.0.0.0 dev tun0 src 192.168.70.108 uid 1000 
    cache 
NAME                       UUID                                  TYPE      DEVICE 
802-3-ethernet connection  3663eb8d-2ab1-4e2f-b003-073d0d7804ae  ethernet  enp4s0 
tun0                       f5799762-a041-4d4a-aefe-d2847fa45e66  tun       tun0   
virbr0                     754d3f57-b951-48d3-8eb7-9e1b6b0a9ec1  bridge    virbr0 
tun0                       681238ee-d719-4e7a-a834-043d13d9fadb  tun       --

What VPN protocol are you currently using?
What method have you used to configure the connection?

There are 2 different connections with the same name.
Remove/rename the duplicate connection.

anyconnect

I’m running on the command line sudo openconnect --protocol=anyconnect ...
I have no idea why there are two connections with the same name. Nothing is configured in the Settings GUI for a VPN. I’m looking …

Even after deleting the duplicate connection, the results are the same.

As you have a working Fedora 32 around, please try this:

For those server names you need to access when VPN is up, find out their IP address using a working VPN connection.

Then in the new setup, try access using IP instead of domain names.

This step will help separate DNS issues from the routing issues, if there are any.

Do the same for public sites.

I have a working F29, not F32. Nonetheless, DNS (I think) is working because the correct IP is returned, but I cannot access the servers just using the IP.

For example,

$ ping <ip address>
--- <ip address> ping statistics ---
30 packets transmitted, 0 received, 100% packet loss, time 29709ms

Try this way, one of them should work:

sudo dnf install NetworkManager-openconnect
nmcli connection import type openconnect file /path/to/vpn.conf

sudo dnf install NetworkManager-vpnc
nmcli connection import type vpnc file /path/to/vpn.conf

Once the config is imported to NetworkManager, you can change it as mentioned above.

I don’t know where to find a “vpn.conf” file. The only file I could find from Cisco Anyconnect is ~/.anyconnect. When I try the nmcli command I get this error:

Error: failed to import '.anyconnect': does not look like a Multi-protocol VPN client (openconnect) VPN connection (parse failed).

Can you post the file content redacting the private parts?
We need to understand what we are dealing with.

If you cannot open it with text editor, check the type:

file ~/.anyconnect

Not a problem. Here you go:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser>mike@work.com</DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint></ClientCertificateThumbprint>
<MultipleClientCertificateThumbprints></MultipleClientCertificateThumbprints>
<ServerCertificateThumbprint></ServerCertificateThumbprint>
<DefaultHostName>vpn.work.com</DefaultHostName>
<DefaultHostAddress></DefaultHostAddress>
<DefaultGroup></DefaultGroup>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<SDITokenType>none</SDITokenType>
<ControllablePreferences>
<AutoConnectOnStart>true</AutoConnectOnStart>
<LocalLanAccess>false</LocalLanAccess>
<BlockUntrustedServers>false</BlockUntrustedServers>
<EnableAutomaticServerSelection>false</EnableAutomaticServerSelection>
<MinimizeOnConnect>true</MinimizeOnConnect></ControllablePreferences>
</AnyConnectPreferences>

Thanks. I really appreciate the continued help with this.
Mike


I think the simplest workaround would be something like this:

nmcli connection modify uuid 3663eb8d-2ab1-4e2f-b003-073d0d7804ae \
ipv4.routes "0.0.0.0/1 192.168.0.1, 128.0.0.0/1 192.168.0.1"
nmcli connection up uuid 3663eb8d-2ab1-4e2f-b003-073d0d7804ae

Still unable to access any company servers while connected to the VPN. However, I am able to access internet sites such as this one, google, etc. So that is an improvement.

Mike


It seems there are no routing configurations in there.

One way to find out is to compare the routing table and DNS used before and after the connection, to see what is being changed by Anyconnect.

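An added illustration, not part of the thread: a small Python model of the kernel's route selection, loaded with the routing tables posted above, that does the "compare before and after" step and shows why ip route get picked tun0 and what the two /1 routes from the nmcli workaround change. Addresses such as 104.196.1.1 are constructed stand-ins for the redacted 104.196.x.x.

```python
import ipaddress

# Routing tables transcribed from the thread (constructed copies): metric 0 is
# what the kernel assumes when "ip route" shows no metric on a route.
VPN_DOWN = [
    ("0.0.0.0/0", "enp4s0", 0),
    ("0.0.0.0/0", "enp4s0", 100),
    ("192.168.0.0/24", "enp4s0", 100),
    ("192.168.222.0/24", "virbr0", 0),
]
VPN_UP = [
    ("0.0.0.0/0", "tun0", 0),
    ("0.0.0.0/0", "enp4s0", 100),
    ("4.31.13.10/32", "enp4s0", 0),  # host route to the VPN gateway itself
    ("192.168.0.0/24", "enp4s0", 100),
    ("192.168.70.0/23", "tun0", 0),
    ("192.168.222.0/24", "virbr0", 0),
]
# The two half-default routes the nmcli workaround pins to the wired interface.
WORKAROUND = [("0.0.0.0/1", "enp4s0", 100), ("128.0.0.0/1", "enp4s0", 100)]


def route_diff(before, after):
    """Routes the VPN client added and removed (the before/after comparison)."""
    b, a = set(before), set(after)
    return sorted(a - b), sorted(b - a)


def lookup(routes, dst):
    """Pick the egress device the way the kernel does: longest prefix wins,
    lowest metric breaks ties (which is why 'ip route get' chose tun0)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, metric in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, dev)
    return best[1] if best else None


if __name__ == "__main__":
    added, removed = route_diff(VPN_DOWN, VPN_UP)
    print("added by VPN:", added, "removed by VPN:", removed)
    for dst in ("104.196.1.1", "192.168.70.5", "192.168.0.1"):
        print(dst, "->", lookup(VPN_UP, dst),
              "| with workaround ->", lookup(VPN_UP + WORKAROUND, dst))
```

The /1 routes win over the tun0 default only because they are more specific; anything inside 192.168.70.0/23 still goes out through tun0.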