Cisco AnyConnect blocks internet access

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Cisco AnyConnect blocks internet access

    Dear Kubuntu Community

    I've got my first problem with my new Kubuntu installation (12.04 x64):

    To get access to my university's network, I have to use the Cisco AnyConnect VPN Client provided (http://mobile.unibas.ch/index_en.html).

    After installing it as described in the manual, I can now only get internet access (even at home or at work) with the VPN Client running. Otherwise, I can merely ping clients in LAN but not outside (e.g. google.com). Uninstalling the VPN Client as described doesn't solve the issue.

    Thank you very much for your help!
    Regards Morrow

    #2
    In many cases, organizations customize these VPN clients. And sometimes these customizations cause breakage.

    Let's take a look at some files. Please show the results of these commands:

    1. cat /etc/network/interfaces
    2. cat /etc/hosts
    3. cat /etc/NetworkManager/NetworkManager.conf
    4. ll /etc/resolv.conf

    If the output of #4 shows a symlink pointing to ../run/resolvconf/resolv.conf, then:

    5. cat /run/resolvconf/resolv.conf

    else

    5. cat /etc/resolv.conf



      #3
      Thanks for your answer! Here are the results:

      Code:
      morrow@morrow-nb-kb:~$ cat /etc/network/interfaces
      auto lo
      iface lo inet loopback
      
      morrow@morrow-nb-kb:~$ cat /etc/hosts
      127.0.0.1       localhost
      127.0.1.1       morrow-nb-kb
      
      # The following lines are desirable for IPv6 capable hosts
      ::1     ip6-localhost ip6-loopback
      fe00::0 ip6-localnet
      ff00::0 ip6-mcastprefix
      ff02::1 ip6-allnodes
      ff02::2 ip6-allrouters
      
      morrow@morrow-nb-kb:~$ cat /etc/NetworkManager/NetworkManager.conf
      [main]
      plugins=ifupdown,keyfile
      dns=dnsmasq
      
      [ifupdown]
      managed=false
      
      morrow@morrow-nb-kb:~$ ll /etc/resolv.conf
      -rw-r--r-- 1 root root 114 Sep 26 08:16 /etc/resolv.conf
      
      morrow@morrow-nb-kb:~$ cat /etc/resolv.conf
      domain mobile.unibas.ch
      nameserver 131.152.1.1
      nameserver 131.152.1.5
      search mobile.unibas.ch docking.p.unibas.ch



        #4
        Your VPN client messed up /etc/resolv.conf. Beginning with 12.04, all Ubuntu flavors use the resolvconf tool for managing the name resolver. While in general this improves Ubuntu's behavior with respect to dynamically changing networks, I've seen some VPN clients misbehave.

        Before we fix this, do you indeed have a /run/resolvconf/resolv.conf? If so, what's inside it?



          #5
          Ah, thanks for the information!

          I don't seem to have this file:
          Code:
          morrow@morrow-nb-kb:/run/resolvconf$ ls -l -a
          total 0
          drwxr-xr-x  3 root root  80 Sep 30 17:28 .
          drwxr-xr-x 25 root root 860 Sep 30 18:15 ..
          drwxr-xr-x  2 root root  40 Sep 30 17:28 interface
          -rw-r--r--  1 root root   0 Sep 30 17:28 postponed-update



            #6
            Delete the existing file:

            Code:
            sudo rm /etc/resolv.conf
            Reboot your computer, and then check to ensure that /run/resolvconf/resolv.conf is created and that /etc/resolv.conf symlinks to it.

            /run is a temporary file system contained completely within RAM. It gets recreated on each boot. resolvconf doesn't create the file in /run and doesn't set up the symlink if a "real" /etc/resolv.conf exists.



              #7
              Well, deleting /etc/resolv.conf solved the issue, but the file /run/resolvconf/resolv.conf isn't created and there is no symlink:

              Code:
              morrow@morrow-nb-kb:~$ ll /etc/resolv.conf
              ls: cannot access /etc/resolv.conf: No such file or directory
              morrow@morrow-nb-kb:~$ ll /run/resolvconf/resolv.conf
              ls: cannot access /run/resolvconf/resolv.conf: No such file or directory



                #8
                Run
                Code:
                sudo dpkg-reconfigure resolvconf
                and answer "Yes" to the question "Prepare /etc/resolv.conf for dynamic updates?"

                Then reboot and verify.



                  #9
                  Originally posted by SteveRiley:
                  Delete the existing file:

                  Code:
                  sudo rm /etc/resolv.conf
                  Reboot your computer, and then check to ensure that /run/resolvconf/resolv.conf is created and that /etc/resolv.conf symlinks to it.

                  /run is a temporary file system contained completely within RAM. It gets recreated on each boot. resolvconf doesn't create the file in /run and doesn't set up the symlink if a "real" /etc/resolv.conf exists.

                  Methinks that this isn't correct.

                  On my 12.04 install, the /etc/resolv.conf file has a date stamp on it of 29 Mar 3 2012. The following packages were dist-upgraded on that date:
                  The following packages will be upgraded:
                  dconf-gsettings-backend dconf-service gir1.2-glib-2.0 glib-networking
                  glib-networking-common glib-networking-services gsettings-desktop-schemas
                  libatk1.0-0 libatk1.0-data libcroco3 libdconf0 libgeoclue0
                  libgirepository-1.0-1 libglib2.0-0 libgtk-3-0 libgtk-3-bin libgtk-3-common
                  libpango1.0-0 librsvg2-2 libsoup-gnome2.4-1 libsoup2.4-1 libtelepathy-glib0
                  The file contains the following:
                  # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
                  # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
                  nameserver 127.0.0.1
                  The /etc/resolv.conf file is linked to /run/resolvconf/resolv.conf:
                  lrwxrwxrwx 1 root root 29 Mar 3 2012 /etc/resolv.conf -> ../run/resolvconf/resolv.conf
                  So, the /etc/resolv.conf file 'should' exist, and the "run-time" link is established each boot.
                  Windows no longer obstructs my view.
                  Using Kubuntu Linux since March 23, 2007.
                  "It is a capital mistake to theorize before one has data." - Sherlock Holmes



                    #10
                    After running sudo dpkg-reconfigure resolvconf, it is equal to your installation now, Snowhog:

                    Code:
                    morrow@morrow-nb-kb:~$ ll /etc/resolv.conf
                    lrwxrwxrwx 1 root root 29 Oct  1 01:32 /etc/resolv.conf -> ../run/resolvconf/resolv.conf
                    morrow@morrow-nb-kb:~$ ll /run/resolvconf/resolv.conf
                    -rw-r--r-- 1 root root 172 Oct  1 01:34 /run/resolvconf/resolv.conf
                    morrow@morrow-nb-kb:~$ cat /run/resolvconf/resolv.conf
                    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
                    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
                    nameserver 127.0.0.1
                    It is now working as expected, with and without running VPN Client.

                    Thanks very much for your help!



                      #11
                      You're welcome. That's what we are here for -- to help; as and when we can.
                      Windows no longer obstructs my view.
                      Using Kubuntu Linux since March 23, 2007.
                      "It is a capital mistake to theorize before one has data." - Sherlock Holmes



                        #12
                        Originally posted by Morrow:
                        After running sudo dpkg-reconfigure resolvconf, it is equal to your installation now, Snowhog:
                        Yep, that's exactly what you should see.

                        Originally posted by Snowhog:
                        So, the /etc/resolv.conf file 'should' exist, and the "run-time" link is established each boot.
                        Let's check the installation scripts. Maybe my summary is off.

                        When DPKG is installing resolvconf, the pre-installation script erects the scaffolding in /run and in /etc/resolvconf. The "linkify" portion of the post-installation script checks to see if a "real" /etc/resolv.conf exists, and if so, copies it to /etc/resolvconf/resolv.conf.d/original. Next the script copies the "real" one to /run/resolvconf/resolv.conf. Finally, the script creates the link:

                        Code:
                        ln -nsf ../run/resolvconf/resolv.conf /etc/resolv.conf
                        The -f wipes out the existing "real" file.

                        Package installation is now complete. When the computer is shut down, /run disappears, of course. But the symlink doesn't; it simply points to nothing. You can simulate this yourself:

                        1. copy /run/resolvconf/resolv.conf to someplace else
                        2. remove it
                        3. note that the output of ll /etc/resolv.conf is red

                        When the computer boots (or even when networking is reconfigured) the resolvconf program reconstructs /run/resolvconf/resolv.conf. Now the symlink has something to point to again. Continuing with the previous example, you can simulate this:

                        1. copy your saved file back to /run/resolvconf/resolv.conf
                        2. note that the output of ll /etc/resolv.conf is cyan

                        So the symlink is actually never modified; the man page for resolvconf confirms this. What happens in the case where, after installation of resolvconf, something comes along and clobbers the carefully constructed symlink? resolvconf does nothing. From the man page:

                        To make the resolver use this dynamically generated resolver configuration file the administrator should ensure that /etc/resolv.conf is a symbolic link to /run/resolvconf/resolv.conf. This link is normally created on installation of the resolvconf package. The link is never modified by the resolvconf program itself. If you find that /etc/resolv.conf is not being updated, please check to make sure that the link is intact.
                        The VPN configuration created a static /etc/resolv.conf. Thus, resolvconf was doing nothing. Deleting the static file wasn't sufficient, because the symlink is created only during package configuration. Running dpkg-reconfigure fixed that: it created a new symlink.

                        *Whew!* I love these little investigations

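The manual checks from this thread (is /etc/resolv.conf a regular file, an intact symlink, or a dangling one?) can be scripted. The following is an added example, not part of the original posts and not resolvconf's own code; the function names `resolv_state` and `resolv_advice` and the optional root-prefix argument are assumptions introduced so the check can be run against a scratch directory as well as the live system.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT prefix and function names are
# assumptions made so the check can run against a scratch tree.

# Link target quoted in the thread and in the resolvconf man page excerpt.
EXPECTED_TARGET="../run/resolvconf/resolv.conf"

# Print one of: managed, dangling, static, missing, foreign-link.
resolv_state() {
    root="${1:-}"                      # empty prefix = live system
    f="$root/etc/resolv.conf"
    if [ -L "$f" ]; then
        if [ "$(readlink "$f")" != "$EXPECTED_TARGET" ]; then
            echo "foreign-link"        # symlink, but not resolvconf's
        elif [ -e "$f" ]; then         # -e follows the link to its target
            echo "managed"
        else
            echo "dangling"            # target not yet regenerated in /run
        fi
    elif [ -f "$f" ]; then
        echo "static"                  # regular file, e.g. written by a VPN client
    else
        echo "missing"
    fi
}

# Map each state to the action taken in the thread.
resolv_advice() {
    case "$1" in
        managed)  echo "ok: resolvconf controls the resolver configuration" ;;
        dangling) echo "link intact; resolvconf rebuilds the target at boot or network reconfiguration" ;;
        static)   echo "remove the static file, then run: sudo dpkg-reconfigure resolvconf" ;;
        missing)  echo "run: sudo dpkg-reconfigure resolvconf" ;;
        *)        echo "link points elsewhere; resolvconf will not update it" ;;
    esac
}

state=$(resolv_state "${1:-}")
echo "$state: $(resolv_advice "$state")"
```

Running this after installing or removing a VPN client shows immediately whether the client replaced the symlink with a static file, which is the condition that left resolvconf inactive in this thread.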