8 Replies Latest reply on Mar 28, 2016 1:01 PM by jacoadam

    Sandbox VPN Access: Lose Local LAN access once connected

    dmcsweeney1

      Hi-

       

      The Sandbox FAQ indicates that Split tunnelling is enabled on the VPN so only traffic destined for the lab will traverse the tunnel. All other traffic, including internet and LAN, will remain local.

       

      I'm not experiencing this in my Sandbox, I lose access to my local LAN resources when I connect. 

       

      BTW, my AnyConnect client is configured to allow local LAN access when using VPN. 


      Perhaps this is just coincidental, but before the maintenance window last month, I was not experiencing this issue when using a sandbox.

       

      Thanks in advance for any guidance.

       

      Dave

        • 1. Re: Sandbox VPN Access: Lose Local LAN access once connected
          jacoadam

          Hey Dave!

           

          Thanks for the reply! This is very interesting, we have not been seeing any issues with Split Tunneling. Could you attach a screenshot of the routing table for split tunneling from AnyConnect? To do that, while connected to the lab VPN, select the 'gear' logo at the bottom left side. Then select the route details. It should look something like the attached screenshot!


          Thanks!

          Jacob

          • 2. Re: Sandbox VPN Access: Lose Local LAN access once connected
            dmcsweeney1

            Hi Jacob - I'm attaching the screenshot. Thanks for taking a look. Upon further inspection, I realized that I do have connectivity to the IP addresses in my local network, it's just that the hostname resolution stops working (which effectively makes several applications that depend on hostnames stop functioning).

             

            Best - Dave

             


            • 3. Re: Sandbox VPN Access: Lose Local LAN access once connected
              jacoadam

              Ahhhh, I see. Sounds like a DNS configuration issue. When connected to VPN, the ASA headend will typically hand out the DNS address from your lab. While this will still allow access to the outside world, all local hostname lookups would be lost. Check your IP configuration, make sure your internal DNS server is set as primary on the local NIC and VPN adapter. This should ensure all hostname lookups go to your internal server first, and if they're not found there go to ours (configured as secondary).

               

              Please let me know if this helps out!

               

              Thanks,

              Jacob

              • 4. Re: Sandbox VPN Access: Lose Local LAN access once connected
                dmcsweeney1

                Hi Jacob-

                Thanks very much for writing back! I understand your suggestion, and it makes sense, I'm just struggling with how to make the modifications. I'm on a Mac and am running the Cisco AnyConnect application (Version 4.0.00061). The AnyConnect client runs as a standalone app and doesn't appear at all in my list of Network adapters/option types. Therefore I'm at a loss as to how to configure the AnyConnect's DNS server (which I don't see at all in any of the settings on AnyConnect) as a secondary option.

                 

                Thanks

                Dave

                • 5. Re: Sandbox VPN Access: Lose Local LAN access once connected
                  jacoadam

                  Hmmm yes,

                   

                  I looked at my colleague's Mac and can see that the virtual adapter was not showing up there. Could you try running the 'ifconfig' command at the terminal? This should give us a better understanding of what's going on at the backend! Make sure you're connected to the VPN before you run this command.

                   

                  Thanks,

                  Jacob

                  • 6. Re: Sandbox VPN Access: Lose Local LAN access once connected
                    dmcsweeney1

                    Hi Jacob-

                     

                    Sure thing!  Here's the output of ifconfig

                     

                     

                    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
                      options=3<RXCSUM,TXCSUM>
                      inet6 ::1 prefixlen 128
                      inet 127.0.0.1 netmask 0xff000000
                      inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
                      nd6 options=1<PERFORMNUD>
                    gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
                    stf0: flags=0<> mtu 1280
                    en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                      ether 60:f8:1d:b7:2e:36
                      inet6 fe80::62f8:1dff:feb7:2e36%en0 prefixlen 64 scopeid 0x4
                      inet 10.70.101.129 netmask 0xfffffc00 broadcast 10.70.103.255
                      nd6 options=1<PERFORMNUD>
                      media: autoselect
                      status: active
                    en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
                      options=60<TSO4,TSO6>
                      ether 72:00:07:a2:15:70
                      media: autoselect <full-duplex>
                      status: inactive
                    en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
                      options=60<TSO4,TSO6>
                      ether 72:00:07:a2:15:71
                      media: autoselect <full-duplex>
                      status: inactive
                    p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
                      ether 02:f8:1d:b7:2e:36
                      media: autoselect
                      status: inactive
                    awdl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1452
                      ether 32:e1:58:93:ac:ae
                      inet6 fe80::30e1:58ff:fe93:acae%awdl0 prefixlen 64 scopeid 0x8
                      nd6 options=1<PERFORMNUD>
                      media: autoselect
                      status: active
                    bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                      options=63<RXCSUM,TXCSUM,TSO4,TSO6>
                      ether 62:f8:1d:7b:d4:00
                      Configuration:
                      id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
                      maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
                      root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
                      ipfilter disabled flags 0x2
                      member: en1 flags=3<LEARNING,DISCOVER>
                              ifmaxaddr 0 port 5 priority 0 path cost 0
                      member: en2 flags=3<LEARNING,DISCOVER>
                              ifmaxaddr 0 port 6 priority 0 path cost 0
                      nd6 options=1<PERFORMNUD>
                      media: <unknown type>
                      status: inactive
                    en3: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                      options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
                      ether ac:87:a3:14:43:fc
                      inet6 fe80::ae87:a3ff:fe14:43fc%en3 prefixlen 64 scopeid 0xb
                      inet 10.70.23.12 netmask 0xffffff00 broadcast 10.70.23.255
                      nd6 options=1<PERFORMNUD>
                      media: autoselect (1000baseT <full-duplex,flow-control>)
                      status: active
                    utun0: flags=80d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1399
                      inet 192.168.213.30 --> 192.168.213.30 netmask 0xffffff00
                      inet6 fe80::62f8:1dff:feb7:2e36%utun0 prefixlen 64 scopeid 0xa
                      inet6 fe80::cc6e:4412:5b5b:2ada%utun0 prefixlen 128 scopeid 0xa
                      nd6 options=1<PERFORMNUD>
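
The resolver order described in reply 3 does not appear in `ifconfig` output; on macOS, `scutil --dns` prints it. Added example, not part of any post in this thread: a Python parser over a constructed `scutil --dns` sample that reports which server ordinary hostname lookups reach first, so internal names are not sent to the lab's DNS before the LAN server. The DNS addresses, the `lab.example` domain and the function names are assumptions made for illustration.

```python
import re

# Constructed sample of `scutil --dns` output (not from the thread); the DNS
# addresses are made up to resemble the poster's LAN and tunnel subnets.
SAMPLE = """\
DNS configuration

resolver #1
  search domain[0] : lab.example
  nameserver[0] : 192.168.213.1
  nameserver[1] : 10.70.23.1
  if_index : 10 (utun0)
  order    : 5000

resolver #2
  domain   : local
  options  : mdns
  order    : 300000

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 10.70.23.1
  if_index : 11 (en3)
"""

def default_resolvers(text):
    """Parse the unscoped section, keeping the order scutil lists resolvers in."""
    unscoped = text.split("DNS configuration (for scoped queries)")[0]
    resolvers = []
    for block in re.split(r"^resolver #\d+\s*$", unscoped, flags=re.M)[1:]:
        r = {"nameservers": [], "domain": None, "iface": None}
        for key, val in re.findall(r"^\s*([\w \[\]]+?)\s*:\s*(.+)$", block, re.M):
            if key.startswith("nameserver["):
                r["nameservers"].append(val.strip())
            elif key == "domain":      # resolver only used for this one domain
                r["domain"] = val.strip()
            elif key == "if_index":    # e.g. "10 (utun0)" -> "utun0"
                r["iface"] = val.split("(")[-1].strip().rstrip(")")
        resolvers.append(r)
    return resolvers

def lookup_order(text):
    """Servers tried, in order, for ordinary (non-domain-specific) lookups."""
    return [ns for r in default_resolvers(text)
            if r["domain"] is None for ns in r["nameservers"]]

def lan_dns_is_primary(text, lan_dns):
    """True when the first server queried is one of the caller's LAN servers."""
    order = lookup_order(text)
    return bool(order) and order[0] in lan_dns
```

On a live Mac, pass the text of `scutil --dns` captured while the VPN is connected, together with the set of your own LAN DNS server addresses.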

                    • 7. Re: Sandbox VPN Access: Lose Local LAN access once connected
                      cokaiser

                      I'm having the same issues on my MacBook. The session comes up and then disconnects. I get this message.

                       

                      "The client's MTU configuration sent from the secure gateway is too small.  A value of at least 1280 is required in order to tunnel IPv6 traffic.  Please contact your network administrator."

                      • 8. Re: Sandbox VPN Access: Lose Local LAN access once connected
                        jacoadam

                        Hello Cokaiser-

                         

                        Could you let me know what VPN/lab you are trying to connect to? When connected, could you open AnyConnect, click on the "gear," then go take a screenshot of "route details" and post it as a reply?

                         

                        Thanks!

                        Jacob