Can no longer use Tunnelblick with AnyConnect over wireless
1,479 views
Skip to first unread message
mfebl...@gmail.com
Aug 11, 2016, 9:14:06 AM8/11/16
to tunnelblick-discuss
I'm having trouble with AnyConnect plus Tunnelblick.
I use AnyConnect to connect into the company intranet from home. I've been using Tunnelblick (OpenVPN) to connect *over the AnyConnect VPN* to connect to an internal cluster, through its firewall.
This has been working quite well for years (with the normal occasional glitches) but has never failed like this.
The usual behavior: Connect to the company VPN using AnyConnect; connect to the internal VPN using Tunnelblick. Anyconnect then "renegotiates" its connections, settles, and all is good. I can connect to the internal cluster via its VPN, through its firewall.
The abnormal behavior is this: I connect up to the company intranet using AnyConnect. I then connect to the internal cluster with Tunnelblick. That connection succeeds and in the process of the AnyConnect's renegotiation, AnyConnect fails, first reporting "Lost connection to VPN Service. Reattaching..." and then "Unable to contact the VPN service. Please restart the application."
No amount of trying to reconnect works until I disconnect the Tunnelblick connection (makes sense) and restart the AnyConnect application.
I have reinstalled AnyConnect, tried reinstalling Tunnelblick - both the stable version and the newer beta version. No difference.
I have grabbed two Cisco Dart reports - one with properly functioning VPN and the second with crashed VPN access - but don't know what to do with them.
This problem pretty much renders remote working impossible.
I don't know where to go next. I'd like to report this to Cisco Support but I don't know the corporate support contract number.
I can use the tedious multi-hop ssh tunneling, but really need to get the usual way to work again. Tunnelblick has been a great simplifier for this comples situation.
Update: This is confounding, but perhaps a hint: the whole sequence works fine when on a wire to my Comcast modem. It fails when connected via wireless. The Comcast wireless experts tried a few different "security" settings in the router but couldn't fix it. It would seem that there might be some port issue with the wireless router. Is this really a Comcast wireless issue or a Cisco issue?
Update 2: The same thing happens on Verizon WiFi as well.
Details: MacOSx 10.11.6, Tunnelblick Tunnelblick 3.6.5 (build 4566), AnyConnect v4.1.08005
I use AnyConnect to connect into the company intranet from home. I've been using Tunnelblick (OpenVPN) to connect *over the AnyConnect VPN* to connect to an internal cluster, through its firewall.
This has been working quite well for years (with the normal occasional glitches) but has never failed like this.
The usual behavior: Connect to the company VPN using AnyConnect; connect to the internal VPN using Tunnelblick. Anyconnect then "renegotiates" its connections, settles, and all is good. I can connect to the internal cluster via its VPN, through its firewall.
The abnormal behavior is this: I connect up to the company intranet using AnyConnect. I then connect to the internal cluster with Tunnelblick. That connection succeeds and in the process of the AnyConnect's renegotiation, AnyConnect fails, first reporting "Lost connection to VPN Service. Reattaching..." and then "Unable to contact the VPN service. Please restart the application."
No amount of trying to reconnect works until I disconnect the Tunnelblick connection (makes sense) and restart the AnyConnect application.
I have reinstalled AnyConnect, tried reinstalling Tunnelblick - both the stable version and the newer beta version. No difference.
I have grabbed two Cisco Dart reports - one with properly functioning VPN and the second with crashed VPN access - but don't know what to do with them.
This problem pretty much renders remote working impossible.
I don't know where to go next. I'd like to report this to Cisco Support but I don't know the corporate support contract number.
I can use the tedious multi-hop ssh tunneling, but really need to get the usual way to work again. Tunnelblick has been a great simplifier for this comples situation.
Update: This is confounding, but perhaps a hint: the whole sequence works fine when on a wire to my Comcast modem. It fails when connected via wireless. The Comcast wireless experts tried a few different "security" settings in the router but couldn't fix it. It would seem that there might be some port issue with the wireless router. Is this really a Comcast wireless issue or a Cisco issue?
Update 2: The same thing happens on Verizon WiFi as well.
Details: MacOSx 10.11.6, Tunnelblick Tunnelblick 3.6.5 (build 4566), AnyConnect v4.1.08005
Tunnelblick developer
Aug 11, 2016, 9:26:33 AM8/11/16
to tunnelblick-discuss, mfebl...@gmail.com
The abnormal behavior is this: I connect up to the company intranet using AnyConnect. I then connect to the internal cluster with Tunnelblick. That connection succeeds and in the process of the AnyConnect's renegotiation, AnyConnect fails, first reporting "Lost connection to VPN Service. Reattaching..." and then "Unable to contact the VPN service. Please restart the application."
When you say " in the process of the AnyConnect's renegotiation, AnyConnect fails", does that failure only happen on Wi-Fi, or also on wired connection? In other words, is AnyConnect supposed to renegotiate, and the renegotiation succeeds when using Ethernet but not when using Wi-Fi? Or does the renegotiation only happen when on Wi-Fi?
Can you simulate a Wi-Fi problem using Ethernet by simply disconnecting the Ethernet cable?
mfebl...@gmail.com
Aug 12, 2016, 3:36:07 PM8/12/16
to tunnelblick-discuss, mfebl...@gmail.com
That failure only happens on Wi-Fi. Any wifi.
At home, I can walk over to the router and plug in and everything works fine. AnyConnect is supposed to renegotiate, and the renegotiation succeeds when using Ethernet but not when using Wi-Fi.
I have tried the experiment you suggested:
- turn off wifi
- connect to ethernet port of same router
- start AnyConnect
- AnyConnect establishes connectivity
- connect tunnelblick
- AnyConnect shows activity and reconnects
- all is well
- disconnect ethernet
- AnyConnect and Tunnelblick both hanging, waiting for reconnection, for many minutes
- turn on wifi
- start AnyConnect
- AnyConnect establishes connectivity
- connect tunnelblick
- Tunnelblick connects (yes, it connects)
- AnyConnect shows activity and fails to reconnect; goes dead as described in my initial note.
This happens with any wifi router I try.
Thanks
mfebl...@gmail.com
Aug 12, 2016, 3:44:37 PM8/12/16
to tunnelblick-discuss, mfebl...@gmail.com
The failure only happens on Wi-Fi, not on
wired connection.
I tried to simulate the Wi-Fi problem using Ethernet by simply disconnecting the Ethernet cable. Here's what happens
In the wifi scenario:- disconnect from AnyConnect
- disconnect from wifi - home router
- connect to home router's ethernet port
- connect to AnyConnect - connects
- connect to tunnelblick - connects
- activity on AnyConnect, and then a reconnect
- all is well
- unplug the ethernet
- hangs for a very long time
- connect to wifi - home router
- connect to AnyConnect - connects
- connect to tunnelblick - connects
- activity on AnyConnect, and then an immediate failure to reconnect
- tunnelblick appears to be connected, but AnyConnect won't reconnect and requires quit and restart, after disconnecting from tunnelblick
Tunnelblick developer
Aug 12, 2016, 4:10:18 PM8/12/16
to tunnelblick-discuss, mfebl...@gmail.com
You are connecting one VPN via Tunnelblick inside of another VPN (via AnyConnect). That is very tricky to set up, but it must have been set up correctly at one time since it worked for you for many years. Since it was working, any or all of several things have probably changed: your version of OS X, your version of AnyConnect, and your version of Tunnelblick, and the router that you connect to the Internet with.
This isn't the sort of thing that I can debug, since I don't have AnyConnect. And it seems that AnyConnect is the problem, since it is AnyConnect that hangs.
When I wrote suggesting that you could "simulate a Wi-Fi problem using Ethernet by simply disconnecting the Ethernet cable", I meant (and should have said directly) that you could disconnect the cable, and then reconnect it, to simulate a temporary Wi-Fi problem. If you disconnect from the Internet, OpenVPN may (depending on the configuration) just keep trying to reconnect. So when you say it "hangs for a very long time", and if by "it" you mean the connection, that is to be expected. But Tunnelblick shouldn't hang in the sense of not responding to clicks.
mfebl...@gmail.com
Aug 25, 2016, 5:43:04 PM8/25/16
to tunnelblick-discuss, mfebl...@gmail.com
Ok - a followup to this issue, finally resolved, with the help of a colleague.
The problem was resolved by changing the Tunnelblick settings, whichi might have been reset during a reinstallation?
His settings were as follows:
and mine were as follows:
I aligned mine with his and now all is well.
So, there's something in one of these settings (three are different) that interferes with tunnelblick's interaction with AnyConnect.
If anybody wants me to, I can try to narrow to the one (or combination) that breaks it.
Mark
The problem was resolved by changing the Tunnelblick settings, whichi might have been reset during a reinstallation?
His settings were as follows:
and mine were as follows:
I aligned mine with his and now all is well.
So, there's something in one of these settings (three are different) that interferes with tunnelblick's interaction with AnyConnect.
If anybody wants me to, I can try to narrow to the one (or combination) that breaks it.
Mark
Tunnelblick developer
Aug 25, 2016, 6:10:22 PM8/25/16
to tunnelblick-discuss, mfebl...@gmail.com
Thanks for the follow-up. Most likely the problem was your "Set nameserver (3.1)" setting.
Reply all
Reply to author
Forward
0 new messages