microsoft / WSL

Issues found on WSL
https://docs.microsoft.com/windows/wsl
MIT License

wsl 2 ubuntu 18.04 unable to connect to IP resources with Cisco AnyConnect active #4277

Open eclay11 opened 5 years ago

eclay11 commented 5 years ago

Please fill out the below information:

When I start the Ubuntu 18.04 instance I'm able to communicate with resources using IPs and hostnames.

```
eclay@wh-lpt-eclay:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=49 time=115 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=49 time=95.4 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=49 time=77.3 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=49 time=92.6 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=49 time=90.6 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=49 time=78.9 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=49 time=84.1 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=49 time=90.9 ms
64 bytes from 8.8.8.8: icmp_seq=9 ttl=49 time=80.7 ms
64 bytes from 8.8.8.8: icmp_seq=10 ttl=49 time=80.0 ms
^C
--- 8.8.8.8 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9081ms
rtt min/avg/max/mdev = 77.316/88.602/115.084/10.734 ms
eclay@wh-lpt-eclay:~$ trace
tracepath  traceroute6  traceroute6.iputils  tracerpt.exe
eclay@wh-lpt-eclay:~$ tracepath 8.8.8.8
 1?: [LOCALHOST]                      pmtu 1500
 1:  wh-lpt-eclay.mshome.net          0.497ms
 1:  wh-lpt-eclay.mshome.net          0.379ms
 2:  10.179.10.1                      2.890ms
 3:  192.168.1.1                      8.474ms
 4:  192.168.1.1                     10.395ms pmtu 1430
 4:  172.26.96.161                   71.223ms
 5:  172.18.84.36                    73.898ms asymm  6
 6:  12.249.2.25                     73.083ms asymm  7
 7:  12.122.146.97                   96.016ms asymm 14
 8:  12.122.111.33                   95.857ms asymm 13
 9:  sffca22crs.ip.att.net           95.209ms asymm 12
10:  12.122.163.61                   90.288ms asymm 11
11:  12.255.10.236                  103.555ms asymm 15
12:  no reply
13:  no reply
14:  no reply
15:  no reply
16:  no reply
17:  no reply
18:  no reply
19:  no reply
20:  no reply
21:  no reply
22:  no reply
23:  no reply
24:  no reply
25:  no reply
26:  no reply
27:  no reply
28:  no reply
29:  no reply
30:  no reply
     Too many hops: pmtu 1430
     Resume: pmtu 1430
```

Once I connect to my work VPN using the Cisco AnyConnect client v4.7.00136, I'm no longer able to connect to IP resources.

```
eclay@wh-lpt-eclay:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7277ms
```

```
eclay@wh-lpt-eclay:~$ tracepath 8.8.8.8
 1?: [LOCALHOST]                      pmtu 1430
 1:  ???                              0.362ms
 1:  ???                              0.364ms
 2:  ???                              0.392ms pmtu 1200
 2:  no reply
 3:  no reply
 4:  no reply
 5:  no reply
 6:  no reply
 7:  no reply
 8:  no reply
 9:  no reply
10:  no reply
11:  no reply
12:  no reply
13:  no reply
14:  no reply
15:  no reply
16:  no reply
17:  no reply
18:  no reply
19:  no reply
20:  no reply
21:  no reply
22:  no reply
23:  no reply
24:  no reply
25:  no reply
26:  no reply
27:  no reply
28:  no reply
29:  no reply
30:  no reply
     Too many hops: pmtu 1200
     Resume: pmtu 1200
```

beejaz commented 4 years ago

For anyone having problems with Cisco AnyConnect: using the Cisco AnyConnect from the Windows Store (now supports 2FA, as jamespotz said) worked for me after I rebooted the computer (didn't work the first time I tried it).

Also, as an alternative, using the OpenConnect (which supports Cisco AnyConnect) Windows 10 client https://github.com/openconnect/openconnect-gui/releases/tag/v1.5.3 also works for me (with 2FA) for DNS resolving, connectivity etc.

If you don't need the VPN in Windows and only in the WSL2 env, you can install OpenConnect in WSL2 and connect to the VPN with: `sudo openconnect --no-dtls -b -u your_username vpn.hostname.domain`

It will create a working VPN connection in WSL2 env.

NiklasBr commented 4 years ago

Which version is available in the Windows Store?

sumitkumarm commented 4 years ago

The OpenConnect command line approach works nicely with WSL 2 (not with WSL 1), but suffers from the same speed limitation that the Windows Store Cisco AnyConnect app does. Any way we can remove bandwidth limits?

beejaz commented 4 years ago

> Which version is available in the Windows Store?

I used 4.7.20031

FabiusChiang commented 4 years ago

> For anyone having problems with Cisco AnyConnect: using the Cisco AnyConnect from the Windows Store (now supports 2FA, as jamespotz said) worked for me after I rebooted the computer (didn't work the first time I tried it).
>
> Also, as an alternative, using the OpenConnect (which supports Cisco AnyConnect) Windows 10 client https://github.com/openconnect/openconnect-gui/releases/tag/v1.5.3 also works for me (with 2FA) for DNS resolving, connectivity etc.
>
> If you don't need the VPN in Windows and only in the WSL2 env, you can install OpenConnect in WSL2 and connect to the VPN with: `sudo openconnect --no-dtls -b -u your_username vpn.hostname.domain`
>
> It will create a working VPN connection in the WSL2 env.

Saved my WSL!

cdunford commented 4 years ago

@craigloewen-msft is there any update on this issue? It has been more than a year, and the workarounds are not feasible for everyone.

craigloewen-msft commented 4 years ago

We're working on improving WSL 2's networking story which should help with this use case (more details coming soon!). As well, we (Microsoft) have worked with Cisco to help resolve some of these issues, I believe the latest version in the Microsoft store has these fixes, I'll try and look internally to see if I can get the latest updates here.

vnijs commented 4 years ago

@craigloewen-msft I can confirm that the version of anyconnect on the windows store works with WSL2. Did something change recently to allow more than 10MB up and download speeds? That was still an issue a while back.

matheuscanela commented 4 years ago

@craigloewen-msft thanks for the update. Is there any changelog link that we can keep following? I stopped using WSL2 due to that problem, but I am happy to re-consider once that bug is fixed.

cdunford commented 4 years ago

@craigloewen-msft - thanks for the update. Unfortunately, I am governed by enterprise software distribution which pushes AnyConnect to me - I am running 4.9.01095 which sounds like it is newer than what others have had from the store, and I still see these problems.

grtrout commented 4 years ago

@sakai135 Thanks so much for your contributions here. I initially solved my issue by using a different VPN client, but my company has since restricted my using it (I'm guessing I showed up on an audit...). Anyway, I was just about to give up on this, but I found your solution and was shocked at how well it worked.

I do, however, still have some issues. First, in order to get WSL2 to connect to the internet when I am not using VPN, I have to change the value in /etc/resolv.conf back to something like 1.1.1.1 or 8.8.8.8. This isn't a huge deal, but is it expected behavior?

More seriously, once I am not using VPN, I absolutely cannot get Docker to work. When using VPN, I have to use a corporate proxy. So, I changed the proxy settings (i.e., removed the settings), restarted Docker, even shutdown WSL, but still I'm not able to connect. Any thoughts?

```
$ docker run hello-world
Unable to find image 'hello-world:latest' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers).
See 'docker run --help'.
```

craigloewen-msft commented 4 years ago

We have the official WSL change log here on our docs which you can follow to see any changes that we implement. I'll be pinging this thread when we have an updated networking story for y'all to try and see if it can help resolve some of these issues.

sakai135 commented 4 years ago

@grtrout I'm glad you're finding use out of the script. The script has been updated thanks to @chinkung to automatically set/unset the DNS settings in resolv.conf now, so once you update, the script will restore the settings you had before when stopping the script. I think that should resolve that issue. It was expected behavior, but the inconvenience never really hit me since my machine is constantly connected to the VPN. Please feel free to open an issue or PR on my repo if you have any questions or suggestions.

If you are using Docker for Windows, the Docker daemon runs in a separate environment controlled by Docker for Windows that uses its own instance of vpnkit. Setting your DNS server manually in the Docker for Windows setting might resolve your issue.

FredrikLiindgren commented 3 years ago

Was hyped for the docker integration when my corporation rolled out a WSL2 compatible update. Sadly we use Cisco Anyconnect :(

trallnag commented 3 years ago

My environment uses split DNS, a few corporate proxies and a corporate VPN to which we connect with Cisco AnyConnect. I wanted to transfer from my "normal" VM to WSL2. Got it to work for an hour or two (without VPN or adjusting stuff like DNS resolution). Then I installed Docker Desktop and this stomped all the WSL2 networking, it seems. Couldn't resolve anything. VPN on/off, manual DNS and deactivating WSL DNS configuration, Docker on/off, reinstalling the WSL2 distro... Even uninstalled Docker Desktop but the issue still persisted.

Now I removed everything and am back in my VM. Guess WSL2 still needs some time to ripen 🍡 Though I would have loved to make the switch. Integration with Windows 10 is so nice and I would have preferred it to doing everything in a VM with a GUI.

Edit: Reinstalled Win10 and WSL2 works perfectly together with Cisco AnyConnect.

I don't know why it started to work but now it does. And more so, it works even better than the VMware networking I used before. What I did to make it work were the following steps (if you need details pls say so, I'm on my phone atm):

1. Reinstall Win10 and all the corporate goodies that come with my company installation.
2. Install / set up WSL2 following the official guide.
3. As PowerShell Admin, add inbound/outbound rules in the firewall for the WSL network interface (not the executable).
4. Change the priorities of the interfaces so that the WSL interface is in first place. Place this code in a script so you can run it when the values reset.
5. In WSL2, disable the WSL config of resolv. Install dnsmasq and run it on start of your WSL distro. Configure dnsmasq to search your company DNS servers and a public one, for example Google. This is necessary if you have a split DNS setup.

For me this works great (for now) and for some reason I don't even have to configure proxy stuff anymore while in VPN and using stuff in WSL2. I don't know why but it just works.

I really hope this stays like that, I don't want to go back into my "normal" non-WSL VM.

evoelker commented 3 years ago

After some searching, I found a solution from sysblog which shows the issue might be interface priority. After running the recommended fixes, adjusted for GlobalProtect (Palo Alto Networks), everything started working again.

```
Get-NetIPInterface -InterfaceAlias "vEthernet (WSL)" | Set-NetIPInterface -InterfaceMetric 1
Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "PANGP Virtual Ethernet Adapter"} | Set-NetIPInterface -InterfaceMetric 6000
```

There may be an issue with this fix not being persistent after reboot or restart of the VPN client but it does solve the issue I was having.

th0ger commented 3 years ago

@evoelker Yes this was noted by @phueac above.

httpdss commented 3 years ago

Personally, the option that worked best for me was to use an openconnect-proxy solution from wazum and fork that repo. It now includes a bash script that asks for MFA and that goes to a docker-compose file that spins up the whole solution (remember to use .env): https://github.com/httpdss/openconnect-proxy. Hope this helps as it did help me. BTW, when the proxy is up you can use some SmartProxy extension to go that route based on domains. Also, for SSH you can use corkscrew in ~/.ssh/config, all inside the Ubuntu on WSL.

AlbesK commented 3 years ago

Hey guys! This solution worked for me, using Internal Cisco AnyConnect as well, please let me know if it works for you as well 😃 ! https://github.com/microsoft/WSL/issues/5068#issuecomment-731861198 (Apologies for the weird render here, quoting the reply from the other thread seems to break the markdown...)

@machuu Great stuff. Works for me as well along with the commands given by @Techdread and @ronaldwillems74 for Cisco AnyConnect (Internal one even in my case).

For full solution I did the following:

1. Connect to **Cisco AnyConnect VPN**.

2. To find your corporate DNS nameservers, run in `cmd` the following: `ipconfig/all` (quicker, no need for administrator privileges) and check the first **`Ethernet adapter Ethernet 2:`**, or whichever ethernet number table, under the **DNS Servers** row section.

   Or use @ronaldwillems74's command in PS, run as administrator: `Get-DnsClientServerAddress | Select-Object -ExpandProperty ServerAddresses`; the first two results will be the two Cisco AnyConnect DNS nameservers.

3. Go to _`/etc/wsl.conf`_ and add the following lines as @machuu shows:

   ```
   [network]
   generateResolvConf = false
   ```

4. Now you might see that if you changed _`/etc/resolv.conf`_, after closing the WSL shell it will again be changed to a random nameserver, with the same comment pointing to change the _`/etc/wsl.conf`_ file, as shown in these issues: [5420](https://github.com/microsoft/WSL/issues/5420), [3928](https://github.com/Microsoft/WSL/issues/3928). To stop this reset and have the correct DNS set up, do the following commands in order in your _`~`_ home directory:

   1. First remove the file:
      `sudo rm /etc/resolv.conf`
   2. Then create a new one with the same name, quickest way using touch:
      `sudo touch /etc/resolv.conf`
   3. Then put in your DNS nameservers, either using nano, vi etc. to your liking, inside /etc/resolv.conf:
      ```
      nameserver <corporateDNS1>
      nameserver <corporateDNS2>
      ```
   4. Then run this command:
      `sudo chattr +i /etc/resolv.conf`

   The chattr command is used to make it read-protected, and it stops the next time you start the shell from overriding the /etc/resolv.conf file. Based on the solution in issue 5420.

   Also here, if you messed up like me the first time for this step and can't edit the file, to re-edit the file just do `sudo chattr -i /etc/resolv.conf`. Edit the file. And then redo the same command with +i to not let it be deleted by WSL in the next shell run thereafter!

5. Now open PS in administrator mode and put @Techdread's command:
   `Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000`

(Assuming before all steps you have WSL2 as well, with a Linux distro already installed, Ubuntu (20.04 LTS) in my case)

And you are done!

Hope this helps 😃 !!

Update: Still works, but when you restart your laptop/PC just re-run Step 5's command above. The /etc/resolv.conf file should have the corporate DNS, and in read mode they should not have been reset. Might make a PowerShell file for this in the future.

Docker however, as shown in other issues, it seems WSL again generates the /etc/hosts file, in which some people try and put the registries for Docker to enable pulling images (see issues 4884, 1317 for example). I have not yet had success but will update if I figure something out soon.

TBG-FR commented 3 years ago

> My environment uses split DNS, a few corporate proxies and a corporate VPN to which we connect with Cisco AnyConnect. I wanted to transfer from my "normal" VM to WSL2. Got it to work for an hour or two (without VPN or adjusting stuff like DNS resolution). Then I installed Docker Desktop and this stomped all the WSL2 networking, it seems. Couldn't resolve anything. VPN on/off, manual DNS and deactivating WSL DNS configuration, Docker on/off, reinstalling the WSL2 distro... Even uninstalled Docker Desktop but the issue still persisted.
>
> Now I removed everything and am back in my VM. Guess WSL2 still needs some time to ripen 🍡 Though I would have loved to make the switch. Integration with Windows 10 is so nice and I would have preferred it to doing everything in a VM with a GUI.
>
> Edit: Reinstalled Win10 and WSL2 works perfectly together with Cisco AnyConnect.
>
> I don't know why it started to work but now it does. And more so, it works even better than the VMware networking I used before. What I did to make it work were the following steps (if you need details pls say so, I'm on my phone atm):
>
> 1. Reinstall Win10 and all the corporate goodies that come with my company installation.
> 2. Install / set up WSL2 following the official guide.
> 3. As PowerShell Admin, add inbound/outbound rules in the firewall for the WSL network interface (not the executable).
> 4. Change the priorities of the interfaces so that the WSL interface is in first place. Place this code in a script so you can run it when the values reset.
> 5. In WSL2, disable the WSL config of resolv. Install dnsmasq and run it on start of your WSL distro. Configure dnsmasq to search your company DNS servers and a public one, for example Google. This is necessary if you have a split DNS setup.
>
> For me this works great (for now) and for some reason I don't even have to configure proxy stuff anymore while in VPN and using stuff in WSL2. I don't know why but it just works.
>
> I really hope this stays like that, I don't want to go back into my "normal" non-WSL VM.

Your solution looks promising too, could you give some more details on your steps? Thanks in advance!

trallnag commented 3 years ago

@TBG-FR, here you go:

How I got WSL2 to work with Cisco AnyConnect and split DNS

First, I reinstalled Win10, no idea if this was necessary, but nothing worked before. I started without being in VPN.

I followed https://docs.microsoft.com/de-de/windows/wsl/install-win10. Ensured features are all activated and your WSL distro is on WSL version 2. Remember, you can have WSL1 distros despite having WSL2 activated. Also ran bcdedit /set hypervisorlaunchtype auto.

PowerShell Admin: Find out the name of the network interface used by WSL. You can do this with `Get-NetIPInterface`:

```
>>> Get-NetIPInterface

ifIndex InterfaceAlias                  AddressFamily NlMtu(Bytes) InterfaceMetric Dhcp     ConnectionState PolicyStore
------- --------------                  ------------- ------------ --------------- ----     --------------- -----------
1       Loopback Pseudo-Interface 1     IPv6            4294967295              75 Disabled Connected       ActiveStore
61      vEthernet (WSL)                 IPv4                  1500               1 Disabled Connected       ActiveStore
12      vEthernet (Default Switch)      IPv4                  1500            5000 Disabled Connected       ActiveStore
13      Ethernet 3                      IPv4                  1300            5001 Disabled Connected       ActiveStore
11      LAN-Verbindung* 2               IPv4                  1500              25 Enabled  Disconnected    ActiveStore
5       Ethernet 2                      IPv4                  1500               5 Enabled  Disconnected    ActiveStore
24      LAN-Verbindung* 1               IPv4                  1500              25 Enabled  Disconnected    ActiveStore
15      WLAN                            IPv4                  1500              50 Enabled  Connected       ActiveStore
1       Loopback Pseudo-Interface 1     IPv4            4294967295              75 Disabled Connected       ActiveStore
```

In my case it is vEthernet (WSL). Next, I added two firewall rules and restarted the PC just to make sure.

```
New-NetFirewallRule -DisplayName "WSL" -Direction Inbound  -InterfaceAlias "vEthernet (WSL)"  -Action Allow
New-NetFirewallRule -DisplayName "WSL" -Direction Outbound -InterfaceAlias "vEthernet (WSL)"  -Action Allow
```

At this point I was able to access the internet from the WSL2 distro and use apt. Run `sudo apt install dnsmasq`.

Next, I switched to a `sudo -i` session.

Added /etc/wsl.conf with the following content:

```
[network]
generateResolvConf = false
```

Run `rm -rf /etc/resolv.conf`. Now `vi /etc/resolv.conf` with the following content:

```
nameserver 127.0.0.1
```

Add /etc/dnsmasq.conf with the following content:

```
port=53
no-resolv
# Use this for corporate DNS
# server=/mycompanydomain/<ip of dns>
server=8.8.8.8
```

Run `/etc/init.d/dnsmasq start`. Internet should still work.

Next I activated VPN and updated the priorities of network interfaces. And WSL2 internet is still working.

NicoAdrian commented 3 years ago

> After some searching, I found a solution from sysblog which shows the issue might be interface priority. After running the recommended fixes, adjusted for GlobalProtect (Palo Alto Networks), everything started working again.
>
> ```
> Get-NetIPInterface -InterfaceAlias "vEthernet (WSL)" | Set-NetIPInterface -InterfaceMetric 1
> Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "PANGP Virtual Ethernet Adapter"} | Set-NetIPInterface -InterfaceMetric 6000
> ```
>
> There may be an issue with this fix not being persistent after reboot or restart of the VPN client but it does solve the issue I was having.

I'm using cisco anyconnect version 4.7 and this is the only thing that worked for me. It wasn't a DNS issue, at least for me.

MartinCaccia commented 3 years ago

> Hey guys! This solution worked for me, using Internal Cisco AnyConnect as well, please let me know if it works for you as well 😃 ! #5068 (comment) (Apologies for the weird render here, quoting the reply from the other thread seems to break the markdown...)
>
> @machuu Great stuff. Works for me as well along with the commands given by @Techdread and @ronaldwillems74 for Cisco AnyConnect (Internal one even in my case). For full solution I did the following:
>
> 1. Connect to **Cisco AnyConnect VPN**.
>
> 2. To find your corporate DNS nameservers, run in `cmd` the following: `ipconfig/all` (quicker, no need for administrator privileges) and check the first **`Ethernet adapter Ethernet 2:`**, or whichever ethernet number table, under the **DNS Servers** row section.
>
>    Or use @ronaldwillems74's command in PS, run as administrator: `Get-DnsClientServerAddress | Select-Object -ExpandProperty ServerAddresses`; the first two results will be the two Cisco AnyConnect DNS nameservers.
>
> 3. Go to _`/etc/wsl.conf`_ and add the following lines as @machuu shows:
>
>    ```
>    [network]
>    generateResolvConf = false
>    ```
>
> 4. Now you might see that if you changed _`/etc/resolv.conf`_, after closing the WSL shell it will again be changed to a random nameserver, with the same comment pointing to change the _`/etc/wsl.conf`_ file, as shown in these issues: [5420](https://github.com/microsoft/WSL/issues/5420), [3928](https://github.com/Microsoft/WSL/issues/3928). To stop this reset and have the correct DNS set up, do the following commands in order in your _`~`_ home directory:
>
>    1. First remove the file:
>       `sudo rm /etc/resolv.conf`
>    2. Then create a new one with the same name, quickest way using touch:
>       `sudo touch /etc/resolv.conf`
>    3. Then put in your DNS nameservers, either using nano, vi etc. to your liking, inside /etc/resolv.conf:
>       ```
>       nameserver <corporateDNS1>
>       nameserver <corporateDNS2>
>       ```
>    4. Then run this command:
>       `sudo chattr +i /etc/resolv.conf`
>
>    The chattr command is used to make it read-protected, and it stops the next time you start the shell from overriding the /etc/resolv.conf file. Based on the solution in issue 5420. Also here, if you messed up like me the first time for this step and can't edit the file, to re-edit the file just do `sudo chattr -i /etc/resolv.conf`. Edit the file. And then redo the same command with +i to not let it be deleted by WSL in the next shell run thereafter!
>
> 5. Now open PS in administrator mode and put @Techdread's command:
>    `Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000`
>
> (Assuming before all steps you have WSL2 as well, with a Linux distro already installed, Ubuntu (20.04 LTS) in my case) And you are done! Hope this helps 😃 !!
>
> Update: Still works, but when you restart your laptop/PC just re-run Step 5's command above. The /etc/resolv.conf file should have the corporate DNS, and in read mode they should not have been reset. Might make a PowerShell file for this in the future. Docker however, as shown in other issues, it seems WSL again generates the /etc/hosts file, in which some people try and put the registries for Docker to enable pulling images (see issues 4884, 1317 for example). I have not yet had success but will update if I figure something out soon.

This worked for me, thank you very much!

MartinCaccia commented 3 years ago

Problem Resolved with windows 10 and Cisco AnyConnect vpn

Well, the first thing I realised is the problem is with WSL 2: if you downgrade to WSL 1 (`wsl --set-version Ubuntu 1`) you don't have any problem with the connection.

These steps worked for me:

1. `cd ~/../../etc` (go to the etc folder in WSL).
2. `echo "[network]" | sudo tee wsl.conf` (create the wsl.conf file and add the first line).
3. `echo "generateResolvConf = false" | sudo tee -a wsl.conf` (append the next line to wsl.conf).
4. `wsl --terminate Debian` (terminate WSL in Windows cmd; use Ubuntu if that is your distro, not Debian).
5. `cd ~/../../etc` (go to the etc folder in WSL).
6. `sudo rm -Rf resolv.conf` (delete the resolv.conf file).
7. In Windows cmd, PS or terminal, with the VPN connected, do: `Get-NetIPInterface` or `ipconfig /all` to get the primary and secondary DNS.
8. With the primary and secondary DNS you got, replace the X.X.X.X in the next steps.
9. `echo "nameserver X.X.X.X" | sudo tee resolv.conf` (create resolv.conf and append the line).
10. `echo "nameserver X.X.X.X" | sudo tee -a resolv.conf` (append the line to resolv.conf).
11. `wsl --terminate Debian` (terminate WSL in Windows cmd; use Ubuntu if that is your distro, not Debian).
12. `sudo chattr +i resolv.conf`
13. And finally, in Windows cmd, PS or terminal: `Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000`

Credits to @yukosgiti, @machuu and @AlbesK: https://github.com/microsoft/WSL/issues/4277 https://github.com/microsoft/WSL/issues/4246

machuu commented 3 years ago

Changing the Interface Metric 1 -> 6000 for AnyConnect VPN Adapter resolves the connection issue, but this has to be done every time I connect the VPN.

To automate this, I put the PS command in a script and created a Task to run every time there is a network change.

Save the script in a file

First, create the script. I have a 'scripts' directory in my user home, so I put it at:

`%HOMEPATH%\scripts\UpdateAnyConnectInterfaceMetric.ps1`

```
Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000
```

You can save it where you want, just make sure to use that path in step 13 below.

Create the scheduled task:

1. Open 'Task Scheduler'
2. Click "Create Task" on the right sidebar
3. Name: Update Anyconnect Adapter Interface Metric for WSL2
4. Set Security Options
   - Check box: 'Run with highest privileges'
5. Select 'Triggers' tab
6. Click 'New' at the bottom of the window
7. Open 'Begin the task' drop-down
8. Select 'On an Event'
9. Configure Event:
   - Log: 'Microsoft-Windows-NetworkProfile/Operational'
   - Source: 'NetworkProfile'
   - Event ID: '10000'
10. Click 'OK'
11. Select 'Actions' tab
12. Click 'New'
13. Configure Action:
    - Action: 'Start a Program'
    - Program/script: 'Powershell.exe'
    - Add arguments: '-ExecutionPolicy Bypass -File %HOMEPATH%\scripts\UpdateAnyConnectInterfaceMetric.ps1'
14. Click 'OK'
15. Select 'Conditions' tab
16. Uncheck box:
    - Power -> Start the task only if the computer is on AC Power
17. Click 'OK'

When AnyConnect finishes connecting, a Powershell window pops up for a couple seconds and WSL can reach the network.
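A scripted version of the procedure above, added here as an example (it is not machuu's script nor anything else from this thread): it makes the metric change idempotent, raising the VPN adapter's metric only when it is not already above the WSL interface's, and registers the same event-triggered task with Register-ScheduledTask instead of the Task Scheduler GUI. The adapter pattern "Cisco AnyConnect", the alias "vEthernet (WSL)", the metric 6000 and the task name are taken from the thread's commands and are assumptions about your machine; the -WindowStyle Hidden flag is added to suppress the PowerShell window that pops up.

```powershell
# Added example, not machuu's script or any project code. Run from an elevated PowerShell.
#  1. Set-VpnMetricForWsl: the thread's metric fix, made idempotent. Only the ordering
#     matters (the VPN metric must be higher than the WSL interface's), so it does nothing
#     when that already holds and reports clearly when either interface is missing.
#  2. Register-WslVpnMetricTask: the event-triggered task machuu builds by hand
#     (log Microsoft-Windows-NetworkProfile/Operational, Event ID 10000).
# Assumptions: VPN adapter InterfaceDescription matches "Cisco AnyConnect"; WSL alias is
# "vEthernet (WSL)". Override the parameters if your names differ.
[CmdletBinding()]
param(
    [string]$VpnAdapterPattern = 'Cisco AnyConnect',
    [string]$WslInterfaceAlias = 'vEthernet (WSL)',
    [int]$VpnMetric = 6000,
    [string]$TaskName = 'Update AnyConnect Adapter Interface Metric for WSL2',
    [switch]$RegisterTask
)

function Get-WslVpnState {
    # Collect the IPv4 metrics of both interfaces; $null means "not present right now".
    $wsl = Get-NetIPInterface -InterfaceAlias $WslInterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue
    $vpnAdapter = Get-NetAdapter -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceDescription -match $VpnAdapterPattern } |
        Select-Object -First 1
    $vpn = $null
    if ($vpnAdapter) {
        $vpn = Get-NetIPInterface -InterfaceIndex $vpnAdapter.InterfaceIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        WslMetric  = $(if ($wsl) { $wsl.InterfaceMetric } else { $null })
        VpnMetric  = $(if ($vpn) { $vpn.InterfaceMetric } else { $null })
        VpnAdapter = $vpnAdapter
    }
}

function Set-VpnMetricForWsl {
    # Returns $true when the ordering is correct after the call, $false when it could not be fixed.
    $state = Get-WslVpnState
    if (-not $state.VpnAdapter) {
        Write-Host "No adapter matching '$VpnAdapterPattern'; the VPN is probably not connected."
        return $false
    }
    if ($null -eq $state.WslMetric) {
        Write-Host "Interface '$WslInterfaceAlias' not found; start a WSL 2 distro first."
        return $false
    }
    if ($null -ne $state.VpnMetric -and $state.VpnMetric -gt $state.WslMetric) {
        Write-Host "VPN metric $($state.VpnMetric) is already above WSL metric $($state.WslMetric); nothing to do."
        return $true
    }
    # Same effect as the one-liner used throughout the thread, addressed by interface index.
    Set-NetIPInterface -InterfaceIndex $state.VpnAdapter.InterfaceIndex -InterfaceMetric $VpnMetric
    Write-Host "Set '$($state.VpnAdapter.InterfaceDescription)' metric to $VpnMetric (WSL metric: $($state.WslMetric))."
    return $true
}

function Register-WslVpnMetricTask {
    param([Parameter(Mandatory)][string]$ScriptPath)
    # Task Scheduler exposes event triggers only through CIM; this is the trigger machuu
    # selects in the GUI ("On an event", NetworkProfile/Operational, Event ID 10000).
    $triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
    $trigger.Enabled = $true
    $trigger.Subscription = @'
<QueryList><Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational"><Select Path="Microsoft-Windows-NetworkProfile/Operational">*[System[EventID=10000]]</Select></Query></QueryList>
'@
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptPath`""
    # "Run with highest privileges" and allow starting on battery (machuu's steps 4 and 16).
    $principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -RunLevel Highest
    $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
    Write-Host "Registered task '$TaskName' running $ScriptPath on network-profile events."
}

# Register the task once with -RegisterTask (pointing at this file); every run fixes the metric.
if ($RegisterTask) {
    Register-WslVpnMetricTask -ScriptPath $MyInvocation.MyCommand.Path
}
Set-VpnMetricForWsl | Out-Null
```

Save it as the script file used in the task and run it once with `-RegisterTask` from an elevated prompt; afterwards each network-profile event re-runs the idempotent metric check.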

drolander commented 3 years ago

When I set the Cisco AnyConnect InterfaceMetric to 6000, I can access the VPN from WSL2 but not from Windows, and when it is set to 1 I can access the VPN from Windows but not from WSL2. It seems to be either/or. Does anyone have a workaround for this that would allow access to the VPN from both OSes at the same time? My VPN uses a Split Include Tunnel for IPv4, and I tried using dnsmasq as @trallnag suggested, but it does not seem to work any differently than having the VPN and internet nameservers configured in /etc/resolv.conf.

trallnag commented 3 years ago

@drolander, no idea. Though it sounds like two separate issues for me, I'd try to investigate first why Intranet from Windows stops working when you set the VPN interface metric to 6001. Maybe try it with a lower value like 1000? The only thing that matters is that it is higher than the WSL interface.

drolander commented 3 years ago

@trallnag, et al,

I figured it out and have resolved my issue. When the InterfaceMetric is lowered, the DNS server list changes. Before I connect to VPN, when I use this command:

```
Get-DnsClientServerAddress -AddressFamily ipv4 | Select-Object -ExpandProperty ServerAddresses
```

192.168.1.1 is at the top of the list, which is my router. When I connect to VPN and run the same command again, my company's internal DNS servers are at the top of the list.

Then when I change the VPN (Cisco AnyConnect) InterfaceMetric to 6000 with this command:

```
Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000
```

my router's IP address is back at the top of the DNS list.

I found that with the VPN interface metric set at 6000, and the modifications mentioned in previous posts made to the WSL2 /etc/resolv.conf and /etc/wsl.conf files, that accessing both VPN internal sites and external internet sites worked fine in WSL2. In Windows, the external internet sites resolved fine but the VPN internal sites were only accessible by IP address, not by name.

I modified the IPv4 DNS server addresses used by the Windows network adaptor for my home network, setting the Preferred DNS server to one of my VPN DNS servers and setting the Alternate DNS server to Google's (8.8.8.8). This is a persistent setting.

This works perfectly! After months of struggling with this, I can now access both internal and external sites at the same time from both WSL2 and Windows. Docker also runs fine in either OS. Even after rebooting, all I need to do is:

a. Connect to the VPN
b. Run the command to set the VPN interface metric to 6000.

Note: I am not using dnsmasq or chattr and did not set either the "vEthernet (WSL)" interface metric or firewall rules.

I hope this helps someone.

KyleCrowley commented 3 years ago

@TBG-FR, here you go:

How I got WSL2 to work with Cisco AnyConnect and split DNS

First, I reinstalled Win10, no idea if this was necessary, but nothing worked before. I started without being in VPN.

I followed https://docs.microsoft.com/de-de/windows/wsl/install-win10. Ensured features are all activated and your WSL distro is on WSL version 2. Remember, you can have WSL1 distros despite having WSL2 activated. Also ran bcdedit /set hypervisorlaunchtype auto.

Powershell Admin: Find out the name of the network interface used by WSL. You can do this with Get-NetIPInterface

>>> Get-NetIPInterface

ifIndex InterfaceAlias                  AddressFamily NlMtu(Bytes) InterfaceMetric Dhcp     ConnectionState PolicyStore
------- --------------                  ------------- ------------ --------------- ----     --------------- -----------
1       Loopback Pseudo-Interface 1     IPv6            4294967295              75 Disabled Connected       ActiveStore
61      vEthernet (WSL)                 IPv4                  1500               1 Disabled Connected       ActiveStore
12      vEthernet (Default Switch)      IPv4                  1500            5000 Disabled Connected       ActiveStore
13      Ethernet 3                      IPv4                  1300            5001 Disabled Connected       ActiveStore
11      LAN-Verbindung* 2               IPv4                  1500              25 Enabled  Disconnected    ActiveStore
5       Ethernet 2                      IPv4                  1500               5 Enabled  Disconnected    ActiveStore
24      LAN-Verbindung* 1               IPv4                  1500              25 Enabled  Disconnected    ActiveStore
15      WLAN                            IPv4                  1500              50 Enabled  Connected       ActiveStore
1       Loopback Pseudo-Interface 1     IPv4            4294967295              75 Disabled Connected       ActiveStore

In my case it is vEthernet (WSL). Next, I added two firewall rules and restarted the PC just to make sure.

New-NetFirewallRule -DisplayName "WSL" -Direction Inbound  -InterfaceAlias "vEthernet (WSL)"  -Action Allow
New-NetFirewallRule -DisplayName "WSL" -Direction Outbound -InterfaceAlias "vEthernet (WSL)"  -Action Allow

At this point I was able to access the internet from the WSL2 distro and use apt. Run sudo apt install dnsmasq.

Next, I switched to a sudo -i session.

Added /etc/wsl.conf with the following content:

[network]
generateResolvConf = false

Run rm -rf /etc/resolv.conf. Now vi /etc/resolv.conf with the following content:

nameserver 127.0.0.1

Add /etc/dnsmasq.conf with the following content:

port=53
no-resolv
# Use this for corporate DNS
# server=/mycompanydomain/<ip of dns>
server=8.8.8.8

Run `/etc/init.d/dnsmasq start`. Internet should still work.

Next I activated the VPN and updated the priorities of the network interfaces. WSL2 internet is still working.

@trallnag Huge thanks to you!

I spent hours combing GitHub, forums, etc. looking for a solution and nothing worked, except for your solution.

Note for anyone who may use this solution in the future:

If your organization (company) uses a VPN (e.g. Cisco AnyConnect), when you add the "corporate DNS" section, you'll need to connect to your VPN first to determine the DNS to use.

You can use ipconfig /all and look for the DNS Servers entry under the VPN adapter (e.g. Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64).
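The two manual steps in the note above (read the VPN adapter's DNS servers, then write the "corporate DNS" line into dnsmasq.conf) can be scripted from the Windows side. The following is an added example, not code from the thread or from any of its authors; it assumes the VPN adapter's description contains "Cisco AnyConnect" (as in the thread) and takes the corporate domain as a placeholder parameter. It also adds a `listen-address=127.0.0.1` line that the thread's config lacks, so dnsmasq answers only the local resolv.conf client and is not reachable from the vEthernet (WSL) side.

```powershell
# Added example (not from the thread): discover the DNS servers the VPN adapter
# received and emit a matching dnsmasq config with split DNS for the corporate
# domain. Run while connected to the VPN; $CorporateDomain is a placeholder.
param(
    [string]$AdapterPattern  = 'Cisco AnyConnect',
    [string]$CorporateDomain = 'corp.example'   # placeholder, replace with your domain
)

function Get-VpnDnsServers {
    param([string]$Pattern)
    # Pick the first connected adapter whose description matches the VPN client.
    $adapter = Get-NetAdapter |
        Where-Object { $_.InterfaceDescription -match $Pattern -and $_.Status -eq 'Up' } |
        Select-Object -First 1
    if (-not $adapter) {
        throw "No connected adapter matching '$Pattern'. Connect to the VPN first."
    }
    # Same data 'ipconfig /all' shows under "DNS Servers" for that adapter.
    (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses
}

function New-DnsmasqConfig {
    param([string]$Domain, [string[]]$Servers, [string]$Fallback = '8.8.8.8')
    $lines = @(
        'port=53',
        'listen-address=127.0.0.1',   # added: do not expose the resolver on the WSL interface
        'no-resolv'
    )
    foreach ($s in $Servers) {
        # Only names under the corporate domain are sent to the corporate resolver.
        $lines += "server=/$Domain/$s"
    }
    # Everything else goes to the public resolver, as in the thread's config.
    $lines += "server=$Fallback"
    $lines -join "`n"
}

$servers = Get-VpnDnsServers -Pattern $AdapterPattern
$conf = New-DnsmasqConfig -Domain $CorporateDomain -Servers $servers
Write-Output $conf
# Save it somewhere WSL can read it, then copy to /etc/dnsmasq.conf inside the distro:
# $conf | Set-Content -Path "$env:USERPROFILE\dnsmasq.conf" -Encoding ascii
```

The generated file replaces the hand-edited `server=/mycompanydomain/<ip of dns>` line from the thread; because the corporate servers are read from the adapter at run time, re-running the script after the VPN's DNS changes regenerates the config without guessing addresses.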

pyther commented 3 years ago

I've built upon the above solutions and written some documentation: https://gist.github.com/pyther/b7c03579a5ea55fe431561b502ec1ba8

Enhancements:

sergioagm commented 3 years ago

I've built upon the above solutions and written some documentation: https://gist.github.com/pyther/b7c03579a5ea55fe431561b502ec1ba8

Awesome! I had implemented almost everything and was missing the WSL DNS script. Hopefully they'll fix this issue but for now it's nice to see everything in one place.

manojchandrashekar commented 3 years ago

@marwatk here's the scripts I'm using. It's a bit of a mash right now, but should be simple to edit and setup your own. https://github.com/sakai135/wsl-vpnkit

After 3 days of scouring the internet for solutions, this is the only thing that worked!! Thank you so much! @sakai135 The connection is maintained between re-connections too.

th0ger commented 3 years ago

So many workarounds. When can we expect Microsoft and/or Cisco to pick one and provide an official fix???

jnickg commented 3 years ago

These workarounds are great until an IT policy at some company gets tweaked, and they break. I'd love not to have to manually repair repeatedly—tools should help you do work, they shouldn't be the work. A canonical solution would change WSL from "a neat little toy I use at home" to "a tool I can actually use at work"

robertstinnett commented 3 years ago

Is Microsoft ever going to address this? I've tried so many workarounds and hacks, and some work for a while, then break. With so many people on VPN nowadays and working remotely you'd think they would give this a higher priority or at least address this issue in some fashion.

trallnag commented 3 years ago

@dmxrob, I feel like addressing all the issues around networking in WSL2 will require MS to go back to the drawing board, looking at several issues with hundreds of comments and complaints... Though I must say that WSL2 has been working for me since mid-December, when I invested several days(!) to get it to work. So far it has survived patches and updates on my corporate T490 machine.

The solution for me so far has been to use dnsmasq inside WSL2, especially to deal with the split DNS, and to set the network interface priorities.

craigloewen-msft commented 3 years ago

Hi folks, this is something we're working on. VPN issues like these are difficult to fix, and we are working on WSL 2's networking story overall. Thank you for your patience!

For those folks affected, does moving to the Cisco AnyConnect app in the Microsoft store fix you? It'd be helpful for us to know if any folks are using the store app and are still seeing network issues there. EDIT: If you're able to use that version!

tarioch commented 3 years ago

I think for a lot (like in my case) it's not possible to switch to a different cisco client as this is often in corporate environments where things are heavily locked down.

kellycouch commented 3 years ago

Using the Appstore app did resolve the issue for me, at least temporarily. But it seems corporate policy changed and then prevented me from continuing to use the app ☹.

Using tips from these two comments at least provides me with a satisfactory workaround: https://github.com/microsoft/WSL/issues/5068#issuecomment-731861198 and https://github.com/microsoft/WSL/issues/4277#issuecomment-738839732

vnijs commented 3 years ago

@craigloewen-msft Thanks for letting us know that this is in progress. For our organization, I was able to use AnyConnect from the Microsoft store. However, it is restricted to 10MB upload and download speeds. Is there anything that could be done about that? A newer version perhaps?

BarrettStephen commented 3 years ago

Also please note this affects more than just Cisco. My work place uses GlobalProtect and I have this same issue. We are all WFH now so none of the software team can use WSL2 because of this issue.

Note we can't change to Cisco as we used to use it but InfoSec replaced it with GlobalProtect due to security issues.

NiklasBr commented 3 years ago

@craigloewen-msft thanks for responding! I tested Cisco AnyConnect from the store and unfortunately it did not work

mcaulifn commented 3 years ago

AnyConnect from the store may not work for some as it does not have ISE.

th0ger commented 3 years ago

We are using the workaround of incrementing InterfaceMetric for the Cisco AnyConnect interface from 1 (default) to 6000.

This has an odd side-effect where some intranet sites (e.g. when opened in a browser) are being directed to our external domain. How can this be?

ccwang002 commented 3 years ago

Mine got working by setting Cisco AnyConnect InterfaceMetric = 6000 for both IPv4 and IPv6 (verify by Get-NetIPInterface):

Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -AddressFamily IPv4 -InterfaceMetric 6000
Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -AddressFamily IPv6 -InterfaceMetric 6000

To get the WSL2 connection working under all conditions (with and without VPN), I ended up reverting everything else to default except for the settings above, so keeping the InterfaceMetric of vEthernet (WSL) at the default (not 1) and using the automatically generated /etc/resolv.conf.

The InterfaceMetric can be automatically updated by Windows, so I have to check the value from time to time. It seems that this behavior can be disabled by ... | Set-NetIPInterface -AutomaticMetric disabled (doc), but I haven't had a chance to try it for long.

th0ger commented 3 years ago

@ccwang002 you are correct that both IPv4 and IPv6 should be set, but if you omit the -AddressFamily ... flag it will apply to both (as in previous posts).
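The metric change discussed in the last few comments is easy to apply but easy to lose, since Windows may recompute the metric later. The script below is an added example, not code from the thread or its participants: it raises the VPN adapter's metric for both address families, disables automatic metric assignment as ccwang002 suggested, and then verifies that the VPN interface now sits behind vEthernet (WSL). The adapter pattern and the value 6000 are the ones quoted in the thread; run it from an elevated PowerShell.

```powershell
# Added example (not from the thread): set and verify the VPN interface metric.
param(
    [string]$AdapterPattern = 'Cisco AnyConnect',
    [string]$WslAlias       = 'vEthernet (WSL)',
    [int]$Metric            = 6000
)

function Set-VpnInterfaceMetric {
    param([string]$Pattern, [int]$Metric)
    $adapters = Get-NetAdapter | Where-Object { $_.InterfaceDescription -match $Pattern }
    if (-not $adapters) { throw "No adapter matching '$Pattern' found." }
    foreach ($family in 'IPv4', 'IPv6') {
        # Omitting -AddressFamily would cover both families at once; the loop only
        # keeps a family that is not bound (IPv6 on some clients) from failing the other.
        $adapters | Set-NetIPInterface -AddressFamily $family `
            -InterfaceMetric $Metric -AutomaticMetric Disabled -ErrorAction SilentlyContinue
    }
}

function Test-VpnInterfaceMetric {
    param([string]$Pattern, [string]$WslAlias, [int]$Expected)
    $ok = $true
    $vpn = Get-NetAdapter | Where-Object { $_.InterfaceDescription -match $Pattern } |
        Get-NetIPInterface -ErrorAction SilentlyContinue
    # Every VPN interface must carry the expected metric with automatic metric off.
    foreach ($i in $vpn) {
        if ($i.InterfaceMetric -ne $Expected -or "$($i.AutomaticMetric)" -ne 'Disabled') {
            Write-Warning ("{0} {1}: metric {2}, AutomaticMetric {3}" -f
                $i.InterfaceAlias, $i.AddressFamily, $i.InterfaceMetric, $i.AutomaticMetric)
            $ok = $false
        }
    }
    # The WSL switch must rank ahead of the VPN, otherwise the workaround does nothing.
    $wsl = Get-NetIPInterface -InterfaceAlias $WslAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue
    if (-not $wsl) {
        Write-Warning "Interface '$WslAlias' not found; is a WSL2 distro running?"
        $ok = $false
    } elseif ($wsl.InterfaceMetric -ge $Expected) {
        Write-Warning "'$WslAlias' metric $($wsl.InterfaceMetric) is not lower than the VPN metric $Expected."
        $ok = $false
    }
    return $ok
}

Set-VpnInterfaceMetric -Pattern $AdapterPattern -Metric $Metric
if (Test-VpnInterfaceMetric -Pattern $AdapterPattern -WslAlias $WslAlias -Expected $Metric) {
    Write-Output "VPN interface metric set to $Metric and verified."
} else {
    Write-Output "Verification failed; see warnings above."
}
```

Because `Set-NetIPInterface` only changes the running configuration, the check function is the part worth re-running after a reconnect or a Windows update: a false result tells you the metric was reset before you lose time debugging DNS inside the distro.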

rofrol commented 3 years ago

@trallnag Can you describe your solution with dnsmasq?

trallnag commented 3 years ago

@rofrol check this comment https://github.com/microsoft/WSL/issues/4277#issuecomment-733021720

In the meantime I've improved a few things following other tips in this thread, like automatically updating the priority and so on, but the dnsmasq part is still up to date.

KyleCrowley commented 3 years ago

As a follow-up to my earlier comment, the dnsmasq solution worked temporarily.

I recently received a new machine at work so I had to go through the WSL2 setup process again. I decided to attempt another approach instead of the dnsmasq approach to see if dnsmasq was truly required.

What is working for me right now is a combination of editing the wsl.conf and resolv.conf and setting the InterfaceMetric for the VPN adapter and WSL.

I have to repeat the InterfaceMetric steps every time I restart my machine. Editing the wsl.conf and resolv.conf should be a one-time operation, provided my company's DNS server doesn't change.

machuu commented 3 years ago

@KyleCrowley ,

I wrote a gist to automate the interface metric: Workaround for WSL2 network broken on VPN

It goes through the one-time changes in wsl.conf and /etc/resolv.conf, then sets up a Scheduled Task to run a PowerShell script that updates the VPN interface metric each time there is a network change.