How to Fix Cisco AnyConnect VPN Blocking Access to Multi-homed Server IPs (Except Primary Address)


3 views

When using Cisco AnyConnect VPN with multi-homed servers (servers having multiple IP addresses), we encounter an annoying limitation: the VPN connection blocks access to all secondary IP addresses while maintaining access only to the primary IP address of the target machine.

This behavior occurs because Cisco AnyConnect modifies the routing table in a way that doesn't properly account for multi-homed configurations. Here's what's happening under the hood:

Before VPN Connection:
10.0.0.0       255.255.0.0     10.0.1.1       10.0.1.108     25
10.0.1.0       255.255.255.0   10.0.1.108     10.0.1.108     25

After VPN Connection:
192.168.199.0  255.255.255.0   192.168.199.20 192.168.199.20 1
10.0.0.0       255.255.0.0     10.0.1.1       10.0.1.108     25
10.0.1.0       255.255.255.0   10.0.1.108     10.0.1.108     25

Option 1: Manual Route Addition

After connecting to VPN, manually add specific routes:

route add 10.0.1.17 mask 255.255.255.255 10.0.1.1 -p
route add 10.0.1.22 mask 255.255.255.255 10.0.1.1 -p
route add 10.0.1.108 mask 255.255.255.255 10.0.1.1 -p

Option 2: VPN Profile Modification

Edit the VPN profile XML file (typically in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile) to include:

<LocalNetwork>
    <Network>10.0.1.0/24</Network>
</LocalNetwork>

Option 3: Scripted Solution

Create a post-connection script (Python example):

import os
import subprocess

def add_vpn_routes():
    target_ips = ["10.0.1.17", "10.0.1.22", "10.0.1.108"]
    gateway = "10.0.1.1"
    
    for ip in target_ips:
        subprocess.run(f"route add {ip} mask 255.255.255.255 {gateway} -p", shell=True)

if __name__ == "__main__":
    add_vpn_routes()

Cisco's implementation prioritizes security over functionality in multi-homed environments. The VPN client creates routes that effectively bypass the local network adapter for all traffic except the primary IP address. This is particularly problematic when:

  • Using servers with multiple service bindings
  • Running containers with bridged networking
  • Maintaining legacy systems with multiple IP assignments

For organizations needing reliable access, consider:

  1. Pushing custom routes via Group Policy
  2. Using Cisco's Network Visibility Module (NVM)
  3. Implementing split-tunnel configurations

Remember that these solutions may have security implications and should be reviewed with your network security team.

When working with multi-homed servers (servers with multiple IP addresses assigned to a single network interface), Cisco AnyConnect VPN exhibits a peculiar behavior where only the primary IP address remains accessible after VPN connection establishment. Let's examine the technical specifics:

C:\\>ping 10.0.1.4  # Primary IP - works
Reply from 10.0.1.4: bytes=32 time=1ms TTL=128

C:\\>ping 10.0.1.17 # Secondary IP - fails
Request timed out

The core issue stems from how AnyConnect modifies the routing table while preserving existing routes. Here's what a typical routing table looks like post-connection:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.0.0.1        10.0.0.138     25
         10.0.0.0      255.255.0.0         On-link         10.0.0.3    281
        10.0.0.3  255.255.255.255         On-link         10.0.0.3    281
      192.168.199.0    255.255.255.0         On-link     192.168.199.20    281

While Cisco officially states this configuration isn't supported, several technical workarounds exist:

1. Manual Route Addition (PowerShell)

Add persistent routes for the secondary IPs after VPN connection:

# PowerShell script to add routes
$secondaryIPs = @("10.0.1.17","10.0.1.22","10.0.1.108")
foreach ($ip in $secondaryIPs) {
    route -p add $ip mask 255.255.255.255 10.0.0.3 metric 1
}

2. AnyConnect Profile Modification

Edit the AnyConnect profile XML to adjust split-tunneling behavior:

<AnyConnectProfile>
  <ClientInitialization>
    <UseStartBeforeLogon>false</UseStartBeforeLogon>
    <StrictCertificateTrust>false</StrictCertificateTrust>
    <LocalLanAccess>true</LocalLanAccess>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

For advanced users, modifying Windows registry can help:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DisableDHCPMediaSense"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vpnagent]
"AllowLocalLAN"=dword:00000001

Consider these architectural changes:

  • Implement VLAN tagging for secondary IPs
  • Configure a network bridge for the multi-homed interface
  • Use a virtual switch if running in a hypervisor environment

For complete implementation details, network captures showing the ARP behavior before/after VPN connection would be valuable for deeper diagnosis. Remember to test all changes in a non-production environment first.