nmap / npcap

Nmap Project's Windows packet capture and transmission library
https://npcap.com

Npcap prevents network communication when certain VPN software is installed #78

Open dmiller-nmap opened 6 years ago

dmiller-nmap commented 6 years ago

Similar to nmap/nmap#610 or nmap/nmap#600, Npcap has been reported to cause network interruption when VPN software is installed, specifically Cisco AnyConnect VPN Client.

nnposter commented 5 years ago

Experienced as well with Cisco AnyConnect 3.1.14018. In my case the workaround was to unbind NPF and NPCAP from the AnyConnect adapter.

dmiller-nmap commented 5 years ago

@nnposter That's great, a much more specific workaround than "turn off Npcap" which was the previous. Can you provide some detail on the AnyConnect adapter so we can maybe avoid binding to it in the first place? Ideally, output of PowerShell: Get-NetAdapter -Name "VPN Adapter" | select * | fl (I don't know what the actual name of it would be).

nnposter commented 5 years ago

This is from 32-bit Win8.1:

ifDesc                                           : Cisco AnyConnect Secure
                                                   Mobility Client Virtual
                                                   Miniport Adapter for Windows
ifName                                           : Ethernet_5
DriverVersion                                    : 3.1.6019.0
LinkLayerAddress                                 : 00-05-9A-XX-XX-XX
MacAddress                                       : 00-05-9A-XX-XX-XX
LinkSpeed                                        : 10 Mbps
MediaType                                        : 802.3
PhysicalMediaType                                : Unspecified
DriverInformation                                : Driver Date 2014-02-26
                                                   Version 3.1.6019.0 NDIS 6.20
DriverFileName                                   : vpnva-6.sys
NdisVersion                                      : 6.20
CreationClassName                                : MSFT_NetAdapter
SystemCreationClassName                          : CIM_NetworkPort
Speed                                            : 10000000
ActiveMaximumTransmissionUnit                    : 1500
FullDuplex                                       : True
ComponentID                                      : vpnva
ConnectorPresent                                 : False
DeviceWakeUpEnable                               : False
DriverDescription                                : Cisco AnyConnect Secure
                                                   Mobility Client Virtual
                                                   Miniport Adapter for Windows
DriverMajorNdisVersion                           : 6
DriverMinorNdisVersion                           : 20
DriverName                                       : \SystemRoot\system32\DRIVERS
                                                   \vpnva-6.sys
DriverProvider                                   : Cisco Systems
DriverVersionString                              : 3.1.6019.0
EndPointInterface                                : False
HardwareInterface                                : False
Hidden                                           : False
HigherLayerInterfaceIndices                      :
IMFilter                                         : False
InterfaceAdminStatus                             : 2
InterfaceDescription                             : Cisco AnyConnect Secure
                                                   Mobility Client Virtual
                                                   Miniport Adapter for Windows
InterfaceOperationalStatus                       : 2
InterfaceType                                    : 6
iSCSIInterface                                   : False
LowerLayerInterfaceIndices                       :
MajorDriverVersion                               : 2
MediaConnectState                                : 0
MediaDuplexState                                 : 2
MinorDriverVersion                               : 1
MtuSize                                          : 1500
NdisMedium                                       : 0
NdisPhysicalMedium                               : 0
NetLuid                                          : 1688849944150016
NetLuidIndex                                     : 5
NotUserRemovable                                 : False
OperationalStatusDownDefaultPortNotAuthenticated : False
OperationalStatusDownInterfacePaused             : False
OperationalStatusDownLowPowerState               : False
OperationalStatusDownMediaDisconnected           : False
PnPDeviceID                                      : ROOT\NET\0000
PromiscuousMode                                  : False
ReceiveLinkSpeed                                 : 10000000
State                                            : 3
TransmitLinkSpeed                                : 10000000
Virtual                                          : True
VlanID                                           :
WdmInterface                                     : False
PSComputerName                                   :
CimClass                                         : ROOT/StandardCimv2:MSFT_NetA
                                                   dapter
CimInstanceProperties                            : {Caption, Description,
                                                   ElementName, InstanceID...}
CimSystemProperties                              : Microsoft.Management.Infrast
                                                   ructure.CimSystemProperties

On 64-bit systems some of the attributes are slightly different:

Name: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Driver: vpnva64-6.sys

Windows 7 is using the same name and driver.

Again, this is for AnyConnect 3.1. I will check if I can also find a newer version.
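
The unbinding workaround reported above can be scripted with the NetAdapter cmdlets (Windows 8 / Server 2012 and later). This is an added example, not code posted in this thread or shipped with Npcap: it selects the adapter by the ComponentID vpnva shown in the output above and assumes the Npcap bindings carry "NPF" or "NPCAP" in their display name; the parameter names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: list, and optionally disable, Npcap filter bindings on the
# Cisco AnyConnect virtual adapter.
param(
    # ComponentID of the AnyConnect adapter, taken from the Get-NetAdapter output.
    [string]$VpnComponentId = 'vpnva',
    # Assumption: Npcap's bindings have "NPF" or "NPCAP" in their display name.
    [string]$FilterNamePattern = 'NPF|NPCAP',
    # Without -Apply the script only reports; nothing is changed.
    [switch]$Apply
)

# Select by ComponentID rather than by name: the interface name (Ethernet_5 in
# the output above) differs from machine to machine.
$vpnAdapters = @(Get-NetAdapter -IncludeHidden |
    Where-Object { $_.ComponentID -eq $VpnComponentId })

if (-not $vpnAdapters) {
    Write-Warning "No adapter with ComponentID '$VpnComponentId' found."
    return
}

foreach ($adapter in $vpnAdapters) {
    # -AllBindings includes filter drivers, not only protocols and clients.
    $bindings = @(Get-NetAdapterBinding -Name $adapter.Name -AllBindings -IncludeHidden |
        Where-Object { $_.DisplayName -match $FilterNamePattern })

    foreach ($binding in $bindings) {
        # Report the state found before any change is made.
        [pscustomobject]@{
            Adapter     = $adapter.Name
            Driver      = $adapter.DriverFileName
            Binding     = $binding.DisplayName
            ComponentID = $binding.ComponentID
            WasEnabled  = $binding.Enabled
        }

        if ($Apply -and $binding.Enabled) {
            # Unbind this component from the VPN adapter only; other adapters
            # stay available for capture.
            Disable-NetAdapterBinding -Name $adapter.Name `
                -ComponentID $binding.ComponentID
        }
    }
}
```

Run it once without -Apply to review the bindings it matches. Enable-NetAdapterBinding with the same -Name and -ComponentID reverses the change.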

nnposter commented 5 years ago

This is AnyConnect 4.5.04029 on 32-bit Win8.1:

ifDesc                                           : Cisco AnyConnect Secure
                                                   Mobility Client Virtual
                                                   Miniport Adapter for Windows
ifName                                           : Ethernet_5
DriverVersion                                    : 4.5.4025.0
LinkLayerAddress                                 : 00-05-9A-XX-XX-XX
MacAddress                                       : 00-05-9A-XX-XX-XX
Status                                           : Disabled
LinkSpeed                                        : 10 Mbps
MediaType                                        : 802.3
PhysicalMediaType                                : Unspecified
AdminStatus                                      : Down
MediaConnectionState                             : Unknown
DriverInformation                                : Driver Date 2018-01-04
                                                   Version 4.5.4025.0 NDIS 6.20
DriverFileName                                   : vpnva-6.sys
NdisVersion                                      : 6.20
CreationClassName                                : MSFT_NetAdapter
SystemCreationClassName                          : CIM_NetworkPort
Speed                                            : 10000000
UsageRestriction                                 :
ActiveMaximumTransmissionUnit                    : 1500
AutoSense                                        :
FullDuplex                                       : True
LinkTechnology                                   :
SupportedMaximumTransmissionUnit                 :
AdminLocked                                      : False
ComponentID                                      : vpnva
ConnectorPresent                                 : False
DeviceWakeUpEnable                               : False
DriverDate                                       : 2018-01-04
DriverDateData                                   : 131594976000000000
DriverDescription                                : Cisco AnyConnect Secure
                                                   Mobility Client Virtual
                                                   Miniport Adapter for Windows
DriverMajorNdisVersion                           : 6
DriverMinorNdisVersion                           : 20
DriverName                                       : \SystemRoot\system32\DRIVERS
                                                   \vpnva-6.sys
DriverProvider                                   : Cisco Systems
DriverVersionString                              : 4.5.4025.0
EndPointInterface                                : False
HardwareInterface                                : False
Hidden                                           : False
HigherLayerInterfaceIndices                      :
IMFilter                                         : False
InterfaceAdminStatus                             : 2
InterfaceDescription                             : Cisco AnyConnect Secure
                                                   Mobility Client Virtual
                                                   Miniport Adapter for Windows
InterfaceOperationalStatus                       : 2
InterfaceType                                    : 6
iSCSIInterface                                   : False
LowerLayerInterfaceIndices                       :
MajorDriverVersion                               : 2
MediaConnectState                                : 0
MediaDuplexState                                 : 2
MinorDriverVersion                               : 1
MtuSize                                          : 1500
NdisMedium                                       : 0
NdisPhysicalMedium                               : 0
NetLuidIndex                                     : 5
NotUserRemovable                                 : False
OperationalStatusDownDefaultPortNotAuthenticated : False
OperationalStatusDownInterfacePaused             : False
OperationalStatusDownLowPowerState               : False
OperationalStatusDownMediaDisconnected           : False
PnPDeviceID                                      : ROOT\NET\0000
PromiscuousMode                                  : False
ReceiveLinkSpeed                                 : 10000000
State                                            : 3
TransmitLinkSpeed                                : 10000000
Virtual                                          : True
VlanID                                           :
WdmInterface                                     : False
PSComputerName                                   :
CimClass                                         : ROOT/StandardCimv2:MSFT_NetA
                                                   dapter
CimInstanceProperties                            : {Caption, Description,
                                                   ElementName, InstanceID...}
CimSystemProperties                              : Microsoft.Management.Infrast
                                                   ructure.CimSystemProperties

dmiller-nmap commented 5 years ago

Just received a private report of similar interruption affecting F5 BigIP Edge Client VPN. In that case, the VPN's PPP adapter shows up in ipconfig output when Npcap is installed, even though it does not usually show up.

dmiller-nmap commented 5 years ago

@nnposter I've got a potential solution, but I need someone with an affected system to test. Here's the procedure (all done in an Administrator command window from the Npcap install location, usually C:\Program Files\Npcap\):

  1. Stop the npcap driver service: net stop npcap
  2. Manually uninstall the npcap driver: NPFInstall.exe -u (or if raw 802.11 support was installed, NPFInstall.exe -u2)
  3. Clear the driverstore cache: NPFInstall.exe -c
  4. Edit the npcap.inf file. On the lines containing "LowerRange" change the "ndis5,ndis4" to nolower.
  5. Manually reinstall the npcap driver: NPFInstall.exe -i (or for raw 802.11 support, NPFInstall.exe -i2)

I have some other ideas, but this is the most promising so far. I only hope it works and does not cause a regression, since the original change was in response to a complaint that Npcap couldn't "see" VMnet interfaces.

nnposter commented 5 years ago

Unfortunately, these steps have not resolved the issue on my system.

dmiller-nmap commented 5 years ago

@nnposter Thanks for checking. I'm working on getting a test setup of my own to check this out, but I have one more shot in the dark with the same test procedure: removing the ", nolower" from lines containing FilterMediaTypes in step 4.

Essentially what I am trying to do is find a way to keep Npcap from binding to an edge of the VPN's driver that interferes with the VPN's connectivity. I think the VPN driver is trying to stop any traffic that doesn't go through the VPN itself, and Npcap is causing it to interrupt its own connection, too. But I have no idea how it does this or why it happens this way.

nnposter commented 5 years ago

Yes, I understand the intent. When I first ran your steps, NPF did not get bound to the VPN adapter but NPCAP did. The second time I ran it, without further modifying npcap.inf, both NPF and NPCAP got bound to the adapter (for no apparent reason).

I have also tested the VPN connectivity with NPF both running and stopped but it did not make a difference.

nnposter commented 5 years ago

With the change to FilterMediaTypes I got an error:

C:\Program Files\Npcap>NPFInstall.exe -i
Unknown error! 1
Npcap LWF driver has failed to be installed.

dmiller-nmap commented 5 years ago

Also reported on F5 BigIP Edge Client.

We have AnyConnect licenses and will be testing this shortly.

scotofil commented 4 years ago

This is only to confirm that the problem still exists with the npcap 0.9983 + AnyConnect 4.6.03049 constellation.

I am using Win7 Pro SP1, and the Get-NetAdapter cmdlet does not exist here, but if you can recommend something that provides equivalent details, I would be happy to share them.

This might be known already, but this problem appears only if I install raw 802.11 monitoring. If I do not, VPN connections work like a charm.

PredatorVI commented 3 years ago

I have experienced this with the PaloAlto GlobalProtect VPN software (currently v5.2.2-4) on Windows 10. After connecting to the VPN portal, I see this in the log:

(T7744)Debug( 278): 10/07/20 10:47:25:734 IPSec tunnel receive failed with error 10040(A message sent on a datagram socket was larger than the internal message buffer or some other network limit, or the buffer used to receive a datagram into was smaller than the datagram itself.)

I removed both NMAP and NPCAP and reinstalled the GlobalProtect binaries and the connections have been stable.

Maybe this will help others.

LusKrew commented 2 years ago

Any solution?