
IPv6 issues with XB6 Gateway and Cisco AnyConnect VPN

JeffGWpg
Grasshopper

I apologize in advance for the length of this post but I want to get the pertinent details out there.

The company I work for recently went through a Windows firewall migration from McAfee HIPS to the native Windows firewall. Keep in mind that where a 3rd party firewall is involved, the Windows firewall subsystem "stands down" to allow that 3rd party firewall to take over.

We had used McAfee HIPS for many years and as such this issue did not present until we began the migration in late April.

Symptoms: client is connected to Wi-Fi or Ethernet on a Shaw XB6 Gateway (and possibly / likely on XB7 as well) and if IPv6 is enabled in Windows, which it is by default, when connected to VPN they are unable to access on-prem resources such as network drives, local web sites, domain controllers for authentication, etc. When on Wi-Fi, the issue would seem to correct itself after a period of time, but the amount of time was random from a few minutes to a few hours. On Ethernet, the issue simply won't resolve. The workaround is to disable IPv6 on the Internet adapter as well as the VPN adapter, or simply disable it completely via a registry key.

There seems to be some correlation between Windows trying to identify the active network connection. When initially connected to VPN, the network icon in system tray would show "Identifying..." for both the Internet adapter as well as the VPN adapter. When on Wi-Fi, at some point the VPN adapter would flip to "domain.name" and the domain firewall profile would apply. Usually shortly after that the Internet adapter would get identified and either get the public or private firewall profile, depending if the end user was prompted and what they selected. When connected via Ethernet, the network would just sit at "Identifying..." endlessly. I have left it for days and it would never start to work.

It is interesting that if you try to ping an internal host, Windows responds with, "Ping request could not find host hostname. Please check the name and try again." This is because it is only trying to resolve the IPv6 address, and because we do not use IPv6 internally, there is no corresponding IPv6 address to respond with. A packet capture shows that the internal DNS servers are answering with the IPv4 address. If you run "ping -4 hostname", you get back the IPv4 address and successful ping replies.

If you use your own equipment with the gateway in bridge mode, you will not run into this issue. I have tested with IPv6 configured for passive and native modes on an Asus access point and the issue does not present in that scenario. It only occurs when connected to the Shaw Gateway.

I have a ticket opened with Microsoft for this issue but I was wondering if anyone here, customer or Shaw rep, has run into this issue and knows if there is a real fix other than disabling IPv6.

I will also point out that I have seen this occur with a couple of Rogers, Cogeco and Spectrum (an American ISP) customers, but of the 50+ users that have run into this, only around 5 were non-Shaw.

I would welcome any thoughts / experience / suggestions that any might have.

Thanks in advance!

After working with Microsoft, we have found the solution...

JeffGWpg
Grasshopper

After working with Microsoft, we have found the solution to this issue. Their thinking is that the IPv6 query is hitting the ISP network adapter first and responding in such a way as to make the DNS Client think the name is unresolvable.

The solution is to disable DNS A and AAAA queries from executing in parallel on all configured DNS servers by adding / setting the following REG_DWORD:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DisableParallelAandAAAA
Set the value to 0 to enable (default) or 1 to disable (which resolves the issue)

Hope this helps someone else out!
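The following PowerShell is an added example, not code from the original poster, Shaw or Microsoft. It reproduces the diagnostic from the first post (separate A and AAAA lookups, and the same lookup aimed at the VPN-pushed resolver versus the ISP resolver), then reads and sets the DisableParallelAandAAAA value named above. The hostname fileserver01.corp.example is a constructed placeholder, and the assumption that the AnyConnect adapter can be found by matching "AnyConnect" in its interface description is mine. Setting the value requires an elevated prompt.

```powershell
# Added example (not the thread author's code). Run from an elevated PowerShell
# on a Windows client that is connected to the VPN.

$RegPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$ValueName  = 'DisableParallelAandAAAA'
$TargetHost = 'fileserver01.corp.example'   # constructed internal hostname

# --- 1. Reproduce the symptom: A and AAAA asked for separately ---------------
# -DnsOnly skips the hosts file and the client cache so we see real answers.
function Test-InternalName {
    param([string]$Name)
    foreach ($type in 'A', 'AAAA') {
        $r = Resolve-DnsName -Name $Name -Type $type -DnsOnly -ErrorAction SilentlyContinue
        $answer = if ($r) { ($r | Where-Object Type -eq $type).IPAddress -join ', ' } else { '<no answer / NXDOMAIN>' }
        '{0,-5} {1}' -f $type, $answer
    }
}
Test-InternalName -Name $TargetHost

# --- 2. Which resolver belongs to which adapter? -----------------------------
# Assumption: the AnyConnect virtual adapter's description contains "AnyConnect".
$vpnIfIndex = (Get-NetAdapter | Where-Object InterfaceDescription -like '*AnyConnect*').ifIndex
$dnsByIf = Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses
$dnsByIf | Format-Table InterfaceAlias, InterfaceIndex, ServerAddresses -AutoSize

$vpnDns = ($dnsByIf | Where-Object InterfaceIndex -eq $vpnIfIndex).ServerAddresses | Select-Object -First 1
$ispDns = ($dnsByIf | Where-Object InterfaceIndex -ne $vpnIfIndex).ServerAddresses | Select-Object -First 1

# Ask each resolver directly. The expectation from the thread: the VPN resolver
# returns an A record; the ISP-side resolver has no record for the internal name.
foreach ($server in @($vpnDns, $ispDns) | Where-Object { $_ }) {
    $a = Resolve-DnsName -Name $TargetHost -Type A -Server $server -DnsOnly -ErrorAction SilentlyContinue
    "Resolver $server -> " + $(if ($a) { ($a | Where-Object Type -eq 'A').IPAddress -join ', ' } else { 'no A record' })
}

# --- 3. Read the current setting ---------------------------------------------
function Get-ParallelAandAAAASetting {
    $p = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }        # value absent: default 0, parallel queries enabled
    return [int]$p.$ValueName
}
"Current $ValueName = $(Get-ParallelAandAAAASetting)  (0 = parallel A/AAAA enabled, 1 = disabled)"

# --- 4. Apply the fix from the accepted solution -----------------------------
function Set-ParallelAandAAAADisabled {
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Clear-DnsClientCache
    return Get-ParallelAandAAAASetting
}
"After change: $ValueName = $(Set-ParallelAandAAAADisabled)"
# Assumption: the DNS Client service reads this value at start-up, so reboot (or
# sign out and back in after the next VPN connect) before re-running step 1.
```

Because the change is a single REG_DWORD under HKLM, it can be pushed fleet-wide with Group Policy Preferences or an Intune PowerShell script rather than set by hand on each machine; the getter above doubles as a compliance check for that rollout.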
