ASUS RT-N66U Cisco AnyConnect Internet Access Issues


WBRawr

New Around Here
I've had an Asus RT-N66U for a number of years with asuswrt-merlin (currently running latest 380.70). I've always had an internet access issue with my company VPN (they use Cisco AnyConnect) where once I connect to the VPN I can access anything within the company intranet but nothing on the internet or anything else on my home network. This hasn't ever been much of an issue until recently as now they've changed email clients and I can no longer access my work email from home. In the past I've confronted the IT department about this and they point to an issue with my router as I can just fire up the mobile hotspot and have full access to the internet and intranet.

I was hoping for any suggestions to remedy my problem before flashing my router to either tomato or dd-wrt as it seems to be an asuswrt firmware issue locking me out.

IPSec passthrough is enabled. Configuration is pretty close to default.

Thanks in advance!
 
Dell laptop, connect to the hotspot (on phone) via wireless. Also should be noted when I connect to any network outside the home I have full functionality of internet access so it isn't any configuration issue on the laptop or with the VPN client from my company. Internet loss only happens at home connected to the aforementioned router.

Thanks for the quick reply!
 
Does IT say that VPN split tunneling is supported by your company’s policies?

What does the output of “netstat -rn” look like when connected to VPN from your home network?
 

Yes split tunneling is supported - I can also connect to any generic router through wifi (at hotels or while working at other companies) and have internet access while on VPN.

netstat output:

===========================================================================
Interface List
 17...00 05 9a 3c 7a 00 ......Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
 12...3c a9 f4 62 8b 30 ......Intel(R) Centrino(R) Ultimate-N 6300 AGN
 16...3c a9 f4 62 8b 31 ......Microsoft Virtual WiFi Miniport Adapter
 13...b0 05 94 f8 26 1c ......Bluetooth Device (Personal Area Network)
 11...f0 1f af 38 ba ff ......Intel(R) 82579LM Gigabit Network Connection
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.57     20
          0.0.0.0          0.0.0.0     172.27.160.1    172.27.168.78      2
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     172.27.160.0    255.255.224.0         On-link     172.27.168.78    257
    172.27.168.78  255.255.255.255         On-link     172.27.168.78    257
   172.27.191.255  255.255.255.255         On-link     172.27.168.78    257
      192.168.1.0    255.255.255.0         On-link      192.168.1.57    276
      192.168.1.0    255.255.255.0     172.27.160.1    172.27.168.78      2
      192.168.1.1  255.255.255.255         On-link      192.168.1.57     21
     192.168.1.57  255.255.255.255         On-link      192.168.1.57    276
    192.168.1.255  255.255.255.255         On-link      192.168.1.57    276
  198.206.246.225  255.255.255.255      192.168.1.1      192.168.1.57     21
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.1.57    276
        224.0.0.0        240.0.0.0         On-link     172.27.168.78    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.1.57    276
  255.255.255.255  255.255.255.255         On-link     172.27.168.78    257
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     172.27.160.1       1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination               Gateway
 17     11 ::/0                              On-link
  1    306 ::1/128                           On-link
 17    266 fe80::/64                         On-link
 12    276 fe80::6536:63ca:eeff:b2c7/128     On-link
 17    266 fe80::9039:3fe3:334d:4788/128     On-link
 17    266 fe80::af5a:8494:29be:258d/128     On-link
  1    306 ff00::/8                          On-link
 12    276 ff00::/8                          On-link
===========================================================================
Persistent Routes:
  None
 
I'm no routing expert, but the way I read the netstat output is that your default route 0.0.0.0 will choose the 172.x.x.x interface because it has a lower metric than your local network interface (2 vs 20). What are the advanced TCP/IP (v4) settings for your NIC in regards to the interface Metric? Is it set to Automatic? I don't know the solution, but I feel it's still related to the VPN somehow.

Hopefully someone smarter will chime in. o_O
 
My best guess is that your local home network IP range has a conflict with a subnet coming from the VPN. If they permit split-tunneling, and the VPN is being done by the PC and not the router...what router you use should have no bearing on your ability to access the Internet.

But I agree with the last response....based on the route table you provided, the VPN client isn't going to do split-tunnel. It is going to force all traffic down the VPN tunnel. This is a VPN client configuration issue. "Most" split-tunnel setups don't change the default route. They inject specific routes that are supposed to go down the VPN tunnel.

Also to note...I didn't think any major company still did true split-tunnel anymore. The security implications are huge.
 
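As an added example (not code from this thread, from Cisco or from ASUS), the Python below replays Windows IPv4 route selection, longest prefix first and then lowest metric, over the two netstat -rn tables posted in this thread. Run over the home and hotspot captures it shows that in both cases the default route and the local /24 land on the AnyConnect adapter (metric 2 beats 20 and 281), so the IPv4 table by itself does not distinguish the working hotspot case from the failing home case; only the 172.27.160.0/19 intranet range and the /32 pinned to the LAN gateway behave as a split tunnel would. The raise_interface_metric function is a hypothetical what-if, not a fix (the thread reports the adapter metric is pushed by AnyConnect): it shows the shape a split-tunnel table takes when the VPN routes carry a higher metric than the LAN's default route. The probe addresses 8.8.8.8, 192.168.1.10, 192.168.43.10 and 172.27.170.5 are chosen for illustration.

```python
"""Windows IPv4 route selection, replayed over the tables posted in this thread.

Added example; not code from the thread, from Cisco or from ASUS. Windows picks
the matching route with the longest prefix and, among equal prefixes, the lowest
metric. HOME and HOTSPOT are the 'Active Routes' rows from the two netstat -rn
captures above, with the loopback, multicast and broadcast rows omitted.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, replace

HOME = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.57     20
          0.0.0.0          0.0.0.0     172.27.160.1    172.27.168.78      2
     172.27.160.0    255.255.224.0         On-link     172.27.168.78    257
    172.27.168.78  255.255.255.255         On-link     172.27.168.78    257
   172.27.191.255  255.255.255.255         On-link     172.27.168.78    257
      192.168.1.0    255.255.255.0         On-link      192.168.1.57    276
      192.168.1.0    255.255.255.0     172.27.160.1    172.27.168.78      2
      192.168.1.1  255.255.255.255         On-link      192.168.1.57     21
     192.168.1.57  255.255.255.255         On-link      192.168.1.57    276
    192.168.1.255  255.255.255.255         On-link      192.168.1.57    276
  198.206.246.225  255.255.255.255      192.168.1.1      192.168.1.57     21
"""

HOTSPOT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.43.1   192.168.43.242    281
          0.0.0.0          0.0.0.0     172.27.160.1   172.27.191.214      2
     172.27.160.0    255.255.224.0         On-link    172.27.191.214    257
   172.27.191.214  255.255.255.255         On-link    172.27.191.214    257
   172.27.191.255  255.255.255.255         On-link    172.27.191.214    257
     192.168.43.0    255.255.255.0         On-link    192.168.43.242    281
     192.168.43.0    255.255.255.0     172.27.160.1   172.27.191.214      2
     192.168.43.1  255.255.255.255         On-link    192.168.43.242     26
   192.168.43.242  255.255.255.255         On-link    192.168.43.242    281
   192.168.43.255  255.255.255.255         On-link    192.168.43.242    281
  198.206.246.225  255.255.255.255     192.168.43.1   192.168.43.242     26
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # "On-link" or the next-hop address
    interface: str    # local address of the adapter the packet leaves on
    metric: int


def parse_routes(text: str) -> list[Route]:
    """Pick the five-column IPv4 rows out of netstat -rn / route print output.

    Header lines, the four-column 'Persistent Routes' rows and the IPv6 rows all
    fail the shape test below, so a whole unedited dump can be fed in.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0][0].isdigit():
            continue
        dest, mask, gateway, iface, metric = fields
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(net, gateway, iface, int(metric)))
    return routes


def select_route(routes: list[Route], dst: str) -> Route | None:
    """Longest prefix match, ties broken by the lowest metric (Windows order)."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def egress(table: str, dst: str) -> Route | None:
    return select_route(parse_routes(table), dst)


def raise_interface_metric(routes: list[Route], iface: str, delta: int) -> list[Route]:
    """Hypothetical what-if: every route on one adapter (identified by its local
    address) gets a higher metric. Not a fix; the thread says AnyConnect pushes
    the adapter metric and the OP cannot change it."""
    return [replace(r, metric=r.metric + delta) if r.interface == iface else r
            for r in routes]


if __name__ == "__main__":
    for name, table, lan_host in (("home", HOME, "192.168.1.10"),
                                  ("hotspot", HOTSPOT, "192.168.43.10")):
        for dst in ("8.8.8.8", lan_host, "172.27.170.5"):
            r = egress(table, dst)
            print(f"{name:8}{dst:16}-> {r.interface:15} via {r.gateway:13} metric {r.metric}")
    # Same home table, but with every AnyConnect route pushed above the LAN default.
    fixed = raise_interface_metric(parse_routes(HOME), "172.27.168.78", 300)
    for dst in ("8.8.8.8", "192.168.1.10", "172.27.170.5"):
        r = select_route(fixed, dst)
        print(f"{'what-if':8}{dst:16}-> {r.interface:15} via {r.gateway:13} metric {r.metric}")
```

To compare a working and a failing location the way the thread suggests, paste each full netstat -rn dump into parse_routes unedited and call select_route for a public address, a LAN address and an intranet address; rows that resolve to a different interface between the two dumps are the ones worth looking at.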

So the interface metric for my local network is set to automatic and for the domain it was set to 1. The domain settings get pushed through while connecting through AnyConnect so I can't make any changes to the settings there.
 


So assuming it is a VPN client configuration issue (which the IT has already said they won't work with me on) how do I work around it on my home network? Also, why do I not run into this issue anywhere else but home?
 
This is a VPN client configuration issue. "Most" split-tunnel setups don't change the default route. They inject specific routes that are supposed to go down the VPN tunnel.

That’s my first thought as well but OP states that this is only happening at home and not elsewhere so that basically rules out client configuration no?

I like your theory of conflicting subnets though, perhaps the client software detected the conflict THEN changed the default route.

Though OP’s home subnet seems to be 192.168.1.x while the VPN is 172.27.160.x



Three things I think are worth a try:

- Bypass your router at home, take the laptop directly to your modem and see if VPN split works.

- Connect to the mobile hotspot first then connect to VPN. By your description so far this should work.

- When at a location where the VPN split is working (eg. point above) print out the routing table again and compare to the one you posted earlier.
 
I don't use Cisco AnyConnect for my corporate VPN client, but is it normal to see the persistent route when connected to AnyConnect? Does it disappear when not connected?

===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     172.27.160.1       1
===========================================================================
 

- I'm on fiber so no modem to connect to, however, back in the stone ages I had this same issue with my DSL provider (Cox).

- Connected to mobile hotspot via wifi and ran netstat:

Interface List
 17...00 05 9a 3c 7a 00 ......Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
 12...3c a9 f4 62 8b 30 ......Intel(R) Centrino(R) Ultimate-N 6300 AGN
 16...3c a9 f4 62 8b 31 ......Microsoft Virtual WiFi Miniport Adapter
 13...b0 05 94 f8 26 1c ......Bluetooth Device (Personal Area Network)
 11...f0 1f af 38 ba ff ......Intel(R) 82579LM Gigabit Network Connection
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.43.1   192.168.43.242    281
          0.0.0.0          0.0.0.0     172.27.160.1   172.27.191.214      2
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     172.27.160.0    255.255.224.0         On-link    172.27.191.214    257
   172.27.191.214  255.255.255.255         On-link    172.27.191.214    257
   172.27.191.255  255.255.255.255         On-link    172.27.191.214    257
     192.168.43.0    255.255.255.0         On-link    192.168.43.242    281
     192.168.43.0    255.255.255.0     172.27.160.1   172.27.191.214      2
     192.168.43.1  255.255.255.255         On-link    192.168.43.242     26
   192.168.43.242  255.255.255.255         On-link    192.168.43.242    281
   192.168.43.255  255.255.255.255         On-link    192.168.43.242    281
  198.206.246.225  255.255.255.255     192.168.43.1   192.168.43.242     26
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.43.242    281
        224.0.0.0        240.0.0.0         On-link    172.27.191.214    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.43.242    281
  255.255.255.255  255.255.255.255         On-link    172.27.191.214    257
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     172.27.160.1       1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination                         Gateway
 12     41 ::/0                                        fe80::b8d7:afff:fe7f:9d03
 17     21 ::/0                                        On-link
  1    306 ::1/128                                     On-link
 12     33 2600:100d:b127:bc2d::/64                    On-link
 17     21 2600:100d:b127:bc2d::/64                    On-link
 12    281 2600:100d:b127:bc2d:d2:aa8e:104e:9467/128   On-link
 12    281 2600:100d:b127:bc2d:6536:63ca:eeff:b2c7/128 On-link
 17    276 fe80::/64                                   On-link
 12    281 fe80::6536:63ca:eeff:b2c7/128               On-link
 17    276 fe80::9039:3fe3:334d:4788/128               On-link
 17    276 fe80::a960:75ba:2783:2bb9/128               On-link
  1    306 ff00::/8                                    On-link
 12    281 ff00::/8                                    On-link
===========================================================================
Persistent Routes:
  None
 

The persistent route seems to be a byproduct of AnyConnect
 
It's interesting that the biggest difference in the 2 outputs is in the IPv6 routing table when using the hotspot. Were you able to access the internet then, as expected?
 
- I'm on fiber so no modem to connect to

That’s not always the case; some ISPs do actually run fibre to the premises where end users would have access to a GPON modem (which connects to their router).

I’m guessing you simply connect to an ethernet jack on the wall? If you have a switch or can withstand the brief downtime for the rest of your network, could you try plugging in your laptop to the wall directly and see if your VPN+split works?

Testing it this way is to eliminate the Asus from the equation; it might be some ISP specific configuration that’s causing the problem.

And as @dave14305 stated, it’ll be helpful to know if VPN+split is working when your laptop is connected to mobile hotspot.
 

Long story short - I rendered my RT-N66U inoperable while playing with some settings (not sure how still). Quick trip to the local big box electronic store and voila, new Netgear router with no VPN internet access issues.

For whatever reason that router with asuswrt doesn't play well with AnyConnect passthrough.

Thanks for the support in the meantime but unfortunately I ended up replacing the router anyway.
 
Congratulations. Out of curiosity, are you using the same local network IP range on the NetGear router as on the old Asus router (192.168.1.0/24)? Still puzzling a bit over this issue, but I'll get over it.
 

Yes, using the same address ranges and assigned addresses where applicable.
 

Glad you got it sorted. Late to this thread, but for what it is worth, I had no issues with Cisco AnyConnect on windoze or MacOSX on my RT-N66U running merlin.
 
