docker / for-win

Bug reports for Docker Desktop for Windows
https://www.docker.com/products/docker#/windows

sharing drive throws firewall block error with windows native docker when cisco anyconnect VPN is ON #360

Closed sugun999 closed 7 years ago

sugun999 commented 7 years ago

Expected Behaviour:

File sharing should work even when the corporate Cisco AnyConnect VPN is ON.

Actual behaviour:

Sharing drive C fails by throwing a "firewall block detected" error.

Information:

Installed native Docker on Windows 10 Enterprise version 10.0.14393. Also, F-Secure is installed on my laptop and I opened the necessary network firewall openings in F-Secure (to allow all traffic between 10.0.75.1 and 10.0.75.2). Everything works fine as long as the corporate Cisco AnyConnect VPN is NOT ON.

But as soon as the corporate Cisco AnyConnect VPN is ON, sharing drive C fails by throwing the "firewall detected" error.

As you know, when switching to the corporate Cisco AnyConnect VPN, the routing tables get modified, and it looks like file sharing is not working because of that.

Is there any hack for this issue?

johnrb2 commented 7 years ago

I have the same problem.

When I run "docker run --rm -v c:/Users:/data alpine ls /data" while Cisco AnyConnect Secure Mobility Client Version 4.3.02039 is logged in, I get this back:

C:\Program Files\Docker\Docker\Resources\bin\docker.exe: Error response from daemon: mkdir /c: file exists.

Diag ID: 8CFF8C5F-5384-42B5-BDB0-704D32546F3D/2016-12-29_12-09-25

stuft2 commented 7 years ago

Me too.

simonferquel commented 7 years ago

Hi, which version of Docker for Windows are you using? Can you try the latest beta?

sugun999 commented 7 years ago

Hi Simonferquel,

Thanks for the reply. I tried with both the stable channel (1.12.5) and the beta channel (1.13.0-rc4), and the end result is the same error: "Firewall blocking file sharing between windows and the container. See documentation for more info".

Please note that all "file and printer sharing" inbound rules in the Windows Firewall settings are enabled for the private, public and domain profiles on my laptop. Also, Windows Firewall is turned off for all private, public and domain profiles.

Please help us troubleshoot this issue.

johnrb2 commented 7 years ago

Okay, so what I have found out from Glen Sawyer is that the VPN doesn't like the IP using 10.0.75.1, most likely because it is used by the business already.

You need to change the network to 192.168.X.X.

[NOTE: You may need to play around with the number so it doesn't interfere with your home network]


sugun999 commented 7 years ago

Hi,

Thanks for the info. Instead of trying all the numbers (1-254) for the IP part, is there any specific rule/criteria for choosing the number so that it works?

johnrb2 commented 7 years ago

You just don't want it to be one that is already in use by something else.

My friend says he doesn't use 192.168.1.X for his because it is used for his network devices at home.

http://trendblog.net/ever-wondered-use-192-168-x-x-ip-addresses-home/

sugun999 commented 7 years ago

Hi,

I tried with several free network IPs, but Docker still throws the same error when trying to share the C drive.

johnrb2 commented 7 years ago

I had to get a computer with an operating system that was the full version of Windows 10 Pro instead of the company's modified version of Windows 10, and my computer had to be off the company's domain. It could be an issue with that. I am not an official Docker worker, but I would suggest trying the Docker for Windows beta to see if it fixes it, and uploading a diagnostic file and copying and sharing the reference with your issue.

friism commented 7 years ago

@johnrb2 thanks for following up. It'd be very useful for us to learn what exactly blocked Docker on a normally configured machine.

sugun999 commented 7 years ago

Hi Docker team, is there any workaround to get drive sharing working even with the Cisco AnyConnect VPN?

friism commented 7 years ago

@sugun999 if possible, can you upload a diagnostic dump from the app and post the id here?

sugun999 commented 7 years ago

Hi friism,

Thanks for the reply. Before sending the dump, could you please let me know what the diagnostic report contains? Will Docker collect any security info?

friism commented 7 years ago

@sugun999 the diagnostic dump is pretty comprehensive to help us fully debug problems on user systems. Access to the dumps is limited to engineers working on Docker for Mac and Windows, and we handle the dumps with care.

If you're not comfortable using the diagnostic feature, please access the logs after encountering this problem, remove any sensitive info and paste the relevant log snippet in this issue.

sugun999 commented 7 years ago

Hi friism,

Below is a log excerpt which is logged when trying to share drive C. Please note that the F-Secure software on my laptop is not blocking anything. I added a rule to allow all traffic from any IPv4 address, which is working without the VPN.

Could you please take a look at this and provide a solution for why file sharing doesn't work with the VPN?

log_excerpt.txt

simonferquel commented 7 years ago

From the log, I see that you changed the IP settings of the VM (it says your host has IP 192.168.230.1, so your VM should have 192.168.230.2). From the following lines, I see that the VM cannot reach port 445 on 192.168.230.1. By any chance, can you make sure that the IP settings you chose do not conflict with the VPN connection IP? (Or just dump your ipconfig /all here.)

sugun999 commented 7 years ago

Hi Simonferquel,

Before and after opening the VPN, I do see that "Ethernet adapter vEthernet (DockerNAT) 2" has

IPv4 Address. . . . . . . . . . . : 192.168.230.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0

Of course, a new virtual adapter gets created when the VPN is ON, and it gets its own IPv4 address 141.19x.xxx.xxx, which does not conflict with the above Docker Ethernet adapter IP address.

sugun999 commented 7 years ago

Hi,

Any ideas?

simonferquel commented 7 years ago

Unfortunately no. It seems that Cisco AnyConnect includes some kind of firewall blocking port 445. We'll need to investigate more thoroughly, but we need the proper Cisco infrastructure to test it.

stuft2 commented 7 years ago

I did what @johnrb2 did and it worked just fine for me. I don't think Cisco AnyConnect has to block port 445 to work properly. If it did, then it wouldn't be working for me or johnrb2.

sugun999 commented 7 years ago

Hi SpencerTuft,

Could you please let me know what subnet address/mask you tried?

stuft2 commented 7 years ago

@sugun999, you may have an issue with your VPN settings and not the subnet addresses.

sugun999 commented 7 years ago

Yes, I understood that it is specific to our VPN. Hence closing this.

rn commented 7 years ago

@sugun999 We obviously would like to work in environments with VPNs etc., but unfortunately we have very little control over the VPN settings. We are looking into other options for file sharing which do not require the current network-based setup, but have not found a suitable replacement yet.

libsamek commented 7 years ago

Thanks for this issue! It made me realize that it's a routing problem. VPN clients usually add static routes, for example 10.0.0.0/8. That was routed to our corp network.

I solved the issue by using an address space which isn't used in our corp network, for example something from 172.16.0.0 - 172.31.255.255.

So for anyone experiencing the same problems, check your routing tables first and then do the correct addressing based on that :)

lucastheisen commented 7 years ago

@sugun999, did you ever find a workaround? I am also stuck behind Cisco AnyConnect. When I suspend the VPN I can mount the shared drive without issue. But as soon as I start the VPN back up, it fails again...

pitaman71 commented 6 years ago

Same here

oneut commented 6 years ago

I had the same problem when the Cisco AnyConnect VPN is ON.

I thought that there was a problem with the virtual switch. After recreating the virtual switch while connected to the VPN, the shared drive was activated 😃

Settings > Reset > Reset to factory defaults

However, it takes time to build the image again after Reset to factory defaults 😢

oneut commented 6 years ago

Sorry, I still did not move. It was my misunderstanding 😢

bartlomiejcieszkowski commented 6 years ago

I've encountered the same issue. It seems that changing the IP range to something other than the 10.0.0.0 family helps, so the Docker container with -v /c/some/path:/root/somewhereelse mounts, but the firewall kicks in blocking port 445, and disabling the firewall is a no-go solution in corporate environments. Would it be possible to add an option to change the port used by the mount service?

vamsitekuru commented 6 years ago

I am still facing the same issue with the Cisco VPN. Is there any alternative to changing the IP from the default (10.0.x.x) to something else?

jdileonardo commented 6 years ago

If you open up AnyConnect on Windows and go into VPN -> Route Details, you may have an entry under the heading "Non-Secured Routes".

Take that Address/Mask combination, and put it under Docker's Settings -> Network -> Internal Virtual Switch.

E.g. if under "Non-Secured Routes" you have 123.456.0.0/16, then under "Internal Virtual Switch" have your Subnet Address as "123.456.0.0" and your Subnet Mask as "255.255.255.0".
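Two recipes in this thread come down to the same check: libsamek's "look at the routing table first, then pick an address space the VPN does not route" and the "Non-Secured Routes" recipe above. The script below is an added example, not code from this issue or from Docker; it parses a constructed IPv4 route table in the layout printed by Windows `route print` (the addresses, including the 141.19.10.77 VPN adapter address, are made up), lists the networks the VPN or LAN already claims, and searches the RFC 1918 ranges for a /24 that overlaps none of them. A second helper carves a /24 out of a Non-Secured Route so it can be typed into the Internal Virtual Switch dialog as a Subnet Address plus Subnet Mask. The function and constant names are the example's own. Note that `ipaddress` rejects addresses with octets above 255, so a placeholder such as 123.456.0.0 must be replaced with the real route before running this.

```python
"""Pick a Docker internal-switch subnet that no existing route already claims.

Added example, not from the issue or from Docker. It assumes the caller pastes
the "Active Routes" section of Windows `route print` (or similar output) and
that the VPN adds its captured networks as static routes, as libsamek observed.
"""
import ipaddress
import re

# Constructed sample in the layout of `route print`. Addresses are made up;
# 141.19.10.77 stands in for the AnyConnect virtual adapter, 192.168.1.23 for
# the home LAN adapter. The 10.0.0.0/8 and 172.20.0.0/16 entries are the VPN's.
SAMPLE_ROUTE_PRINT = """
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.23     25
         10.0.0.0        255.0.0.0         On-link     141.19.10.77      1
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
      172.20.0.0      255.255.0.0         On-link     141.19.10.77      1
      192.168.1.0    255.255.255.0         On-link     192.168.1.23    281
===========================================================================
"""

# Private ranges a Docker host-to-VM subnet can be drawn from.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# destination, netmask, gateway, interface, metric
_ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return the networks of every route line, skipping the default route
    (0.0.0.0/0 says nothing about which subnets are free) and loopback."""
    nets = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line)
        if not m:
            continue  # header, separator or non-route line
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        if net.prefixlen == 0 or net.is_loopback:
            continue
        nets.append(net)
    return nets


def free_subnet(routes, prefixlen=24, candidates=RFC1918):
    """First /prefixlen inside the candidate ranges that overlaps no route,
    or None if every private range is spoken for."""
    for block in candidates:
        if any(block.subnet_of(r) for r in routes):
            continue  # whole block is routed (e.g. VPN claims all of 10/8)
        for sub in block.subnets(new_prefix=prefixlen):
            if not any(sub.overlaps(r) for r in routes):
                return sub
    return None


def subnet_from_non_secured(route_cidr, prefixlen=24):
    """The recipe from the comment above: take a Non-Secured Route and use the
    first /prefixlen inside it. A route narrower than /prefixlen cannot hold
    a /prefixlen, so that is reported instead of silently widened."""
    net = ipaddress.ip_network(route_cidr, strict=False)
    if net.prefixlen > prefixlen:
        raise ValueError(f"{net} is smaller than a /{prefixlen}")
    return next(net.subnets(new_prefix=prefixlen))


def docker_switch_settings(subnet):
    """Values in the form the Internal Virtual Switch dialog asks for."""
    return str(subnet.network_address), str(subnet.netmask)


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTE_PRINT)
    print("routed networks:", [str(r) for r in routes])
    chosen = free_subnet(routes)
    print("free /24:", chosen, "->", docker_switch_settings(chosen))
    print("from non-secured 172.20.0.0/16:",
          subnet_from_non_secured("172.20.0.0/16"))
```

With the sample table the whole of 10.0.0.0/8 is routed to the VPN, so the first usable candidate is 172.16.0.0/24, which matches libsamek's experience of moving into 172.16.0.0/12. Re-run the check after the VPN connects, since that is when the extra routes appear.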

jdileonardo commented 6 years ago

For Linux, I think the following applies.

Configure the default bridge network

To configure the default bridge network, you specify options in daemon.json. Here is an example daemon.json with several options specified. Only specify the settings you need to customize.

{
  "bip": "192.168.1.5/24",
  "fixed-cidr": "192.168.1.5/25",
  "fixed-cidr-v6": "2001:db8::/64",
  "mtu": 1500,
  "default-gateway": "10.20.1.1",
  "default-gateway-v6": "2001:db8:abcd::89",
  "dns": ["10.20.1.2","10.20.1.3"]
}

https://docs.docker.com/network/bridge/#connect-a-container-to-the-default-bridge-network

Haven't tried it yet.

lucastheisen commented 6 years ago

@DiJu519 , the problem (for many of us) is that "Secured Routes" is set to 0.0.0.0/0. So no dice there.

kamkie commented 6 years ago

Maybe there is an option to use a Hyper-V socket for file sharing?

jrbecart commented 5 years ago

I don't know why this issue was closed... The problem is still here.

lucastheisen commented 5 years ago

The only way I see around this would be to route the SMB/CIFS traffic through the npipe tunnel like they do for publishing ports. Our VPN is configured at the corporate level to capture all IP traffic (0.0.0.0), which includes the reserved ranges. I would really love to see the SMB/CIFS npipe routing, but think it may be too much of a boundary case to expect anyone else to implement it... (though I imagine there may be many other corporate VPNs that do the same thing...)

jrbecart commented 5 years ago

Solutions that work for my case (from previous suggestions):

los93sol commented 5 years ago

Bump. Please consider changing the way this works so that it works for those of us in these scenarios.

bdwyertech commented 5 years ago

If there was a way to override the destination address for the SMB protocol from the Docker daemon, it would likely get around the secured route issue. You'd set it to the Cisco virtual adapter's IP address and all the woes would likely go away, as the restrictions apply to local IPs. AnyConnect babysits the local routing table metrics and makes sure everything flows out the virtual adapter, hence if the SMB destination was the AnyConnect adapter IP address, SMB would work.

los93sol commented 5 years ago

Interesting... similar to others, mine secures 0.0.0.0/0, and when looking at the routing tables I can see it literally overrides everything. Can you explain a bit more or point me to some documentation on how routing SMB from Docker to AnyConnect's virtual address would work in that scenario? I'm interested to stage some tests while running a pcap to better understand.

bdwyertech commented 5 years ago

I don't have any documentation to point to, however I use this method when working remotely to allow certain tools to work... Take Packer as an example: it throws up a web server to serve up kickstart files. I noticed it didn't work when allowing Packer to choose the IP (typically my WiFi adapter), however inserting my Cisco AnyConnect adapter's IP address in there made it work fine. I've also used this previously with Vagrant on VMware, which uses NFS/SMB for file sharing.

If you think about it, the network restrictions force everything out of that interface; it's a catch-all route with the best metric. Being that your laptop has an IP on the forced egress interface, if you bind all, e.g. bind to 0.0.0.0, then you're also listening on that interface and can communicate properly on it. With AnyConnect enabled, you've either got to use its IP or 127.0.0.1, and localhost is not routable, so that leaves only a single option...

julianiacoponi commented 5 years ago

Please can this be re-opened and addressed :) or at least figure out some other way of running Docker natively on Windows with mounted volumes whilst behind Cisco AnyConnect.

kamkie commented 5 years ago

There is a new version of Cisco AnyConnect, 4.7 (it is using the Windows VPN infrastructure), in the Windows Store; I will test that this weekend.

j0rdiun commented 5 years ago

I have a suggested 'fix' for this; please follow the instructions below:

All in all, the issue I believe happens is that the Cisco AnyConnect VPN controls all network adapters and Docker can't own one, so by briefly disabling the VPN to allow the Docker daemon to establish a connection, this should fix your issues running Docker alongside the VPN. This step has to be reproduced every restart!

kamkie commented 5 years ago

https://www.microsoft.com/en-us/p/anyconnect/9wzdncrdj8lh Using this version of Cisco AnyConnect I can use volumes when connected to the VPN.

julianiacoponi commented 5 years ago

Thanks! I unfortunately use a non-Microsoft Store copy of AnyConnect and cannot find how to update my version from 4.6.03049 to 4.7+ ... any advice on how to do this is appreciated! (Although I myself appreciate this is not relevant to this bug.)

In the meantime, @Jordaanwatson I will try your method. However, I don't seem to have a "Networks" section in my AnyConnect settings?

j0rdiun commented 5 years ago

@julianiacoponi Your version is very close to the one I use. I'm not at my work machine at the moment, but see if you can find where it lists your networks, or even just find where you can disable the VPN and re-enable it once you have Docker started and a container running. Let me know how you get on!

jeffjwills commented 5 years ago

I also have this issue. I normally just kill Cisco to get around it, but I can't always do that. This issue is preventing me from recommending Docker to my organisation, which is a shame.

Tried the Windows Store version of AnyConnect (4.7+); it makes no difference for me.

Tried Jordaanwatson's solution to disable Cisco, start the Docker VM, then enable Cisco, but this doesn't work for me.

I am going to try getting some IP ranges added to the non-secured routes.

I am also going to try OpenConnect to see if it works but this is not a solution I can let anyone else use as AnyConnect is Corporate Policy.

Fingers crossed enough people have this issue and a new version of Docker will have a workaround!

asinoai commented 5 years ago

Had the same problem; to solve it, I switched to OpenConnect (https://github.com/openconnect/openconnect-gui/releases/tag/v1.5.3) as mentioned already, but also had to add the following to the Docker daemon's config file: "bip" : "192.168.1.5/24", because the default was clashing with existing IPs (https://docs.docker.com/v17.09/engine/userguide/networking/default_network/custom-docker0/).