Introduction
The Umbrella roaming client and AnyConnect roaming security module both include an optional feature called IP Layer Enforcement (IPLE). This creates an IPSec tunnel to apply security to direct-to-IP connections in addition to DNS layer protection by the clients.
This article applies to those using IPLE and AnyConnect as a VPN solution, for both standalone and AnyConnect-integrated roaming clients. It is intended for users with the following configuration:
- Windows OS User
- AnyConnect VPN user
- Split tunneling configuration
- split-exclude configurations
- Includes dynamic split tunneling!
Issue description and impacts
An uncommon but impactful occurrence when using AnyConnect and IPLE is a failure to connect to the VPN. This will be consistent for any active user of IPLE, for connections attempted while IPLE is active. AnyConnect will spin attempting to connect and eventually fail with a generic failure message or an error about being unable to verify or confirm routes.
Impacts are primarily a failure to connect to the VPN when desired, impacting productivity.
Confirmation and Resolution
If you are seeing connection issues on AnyConnect after enabling IPLE, see the following steps for confirming the issue.
The issue typically will be isolated to a single IP on the split tunneling list - which is also on our IPLE enforcement list. For this example, 40.90.137.125 is being used. This is a Microsoft IP occasionally caught in our IP layer graylist for customer hosted content.
Firstly, open up the log at: %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\data\acumbrellaagent.log after the issue occurs. There is also a log.1 and log.2 history maintained.
Look for the following log lines:
2020-11-19 15:23:31 [7212] [DEBUG] < 17> IP BLOCKING: route for 40.76.218.33/32 was removed, but it isn't a route that we manage
2020-11-19 15:23:31 [7212] [INFO ] < 17> IP BLOCKING: route was added with unexpected interface index for 40.90.137.125/32, so add a block rule and remove the route...
It will frequently be followed by repeated entries for the same IP:
2020-11-19 15:23:31 [7212] [INFO ] < 17> IP BLOCKING: route was added with unexpected interface index for 40.90.137.125/32, so add a block rule and remove the route...
2020-11-19 15:23:31 [7212] [INFO ] < 17> IP BLOCKING: removed route for 40.90.137.125/32 over interface 5
2020-11-19 15:23:31 [7212] [INFO ] < 17> IP BLOCKING: route was added with unexpected interface index for 40.90.137.125/32, so add a block rule and remove the route...
2020-11-19 15:23:31 [7212] [INFO ] < 17> IP BLOCKING: removed route for 40.90.137.125/32 over interface 5
2020-11-19 15:23:31 [7212] [INFO ] < 17> IP BLOCKING: route was added with unexpected interface index for 40.90.137.125/32, so add a block rule and remove the route...
2020-11-19 15:23:31 [7212] [INFO ] < 17> IP BLOCKING: removed route for 40.90.137.125/32 over interface 5
2020-11-19 15:23:31 [7212] [INFO ] < 17> IP BLOCKING: route was added with unexpected interface index for 40.90.137.125/32, so add a block rule and remove the route...
2020-11-19 15:23:31 [7212] [INFO ] < 17> IP BLOCKING: removed route for 40.90.137.125/32 over interface 5
If you see entries like these and the VPN connection is impacted, this confirms that you are experiencing this issue.
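The log check above can be automated when the log is long or the contested IP is not obvious. The following script is an added example, not Cisco's or the article's own code: it parses acumbrellaagent.log lines in the format shown, ignores the informational "isn't a route that we manage" entries, and reports the prefixes caught in the add-block-rule/remove-route loop. The sample log text is constructed from the excerpt in this article; the log path is passed as a command-line argument.

```python
import re
import sys

# Constructed sample, modelled on the acumbrellaagent.log excerpt in the article.
SAMPLE_LOG = """\
2020-11-19 15:23:31 [7212] [DEBUG] < 17> IP BLOCKING: route for 40.76.218.33/32 was removed, but it isn't a route that we manage
2020-11-19 15:23:31 [7212] [INFO ] < 17> IP BLOCKING: route was added with unexpected interface index for 40.90.137.125/32, so add a block rule and remove the route...
2020-11-19 15:23:31 [7212] [INFO ] < 17> IP BLOCKING: removed route for 40.90.137.125/32 over interface 5
2020-11-19 15:23:31 [7212] [INFO ] < 17> IP BLOCKING: route was added with unexpected interface index for 40.90.137.125/32, so add a block rule and remove the route...
2020-11-19 15:23:31 [7212] [INFO ] < 17> IP BLOCKING: removed route for 40.90.137.125/32 over interface 5
"""

# <timestamp> [<pid>] [<level>] < <thread>> IP BLOCKING: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<pid>\d+)\] "
    r"\[(?P<level>[A-Z ]+)\] <\s*(?P<thread>\d+)> IP BLOCKING: (?P<msg>.*)$"
)
UNEXPECTED_RE = re.compile(
    r"route was added with unexpected interface index for "
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
)
REMOVED_RE = re.compile(r"removed route for (?P<prefix>\S+) over interface (?P<ifidx>\d+)")


def find_contested_routes(log_text):
    """Map each prefix the IPLE agent is fighting AnyConnect over to its
    event counts and the interface indexes the route was removed from."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IP BLOCKING line (or a different format)
        msg = m.group("msg")
        u = UNEXPECTED_RE.search(msg)
        if u:
            ent = stats.setdefault(u.group("prefix"), {"unexpected": 0, "removed": 0, "interfaces": set()})
            ent["unexpected"] += 1
            continue
        r = REMOVED_RE.search(msg)
        if r and r.group("prefix") in stats:  # only count removals of prefixes already flagged
            stats[r.group("prefix")]["removed"] += 1
            stats[r.group("prefix")]["interfaces"].add(int(r.group("ifidx")))
    return stats


def confirm_issue(log_text, min_repeats=2):
    """Prefixes seen in the loop at least min_repeats times: the candidates to
    allow-list or submit for security review, as the article describes."""
    return sorted(p for p, e in find_contested_routes(log_text).items() if e["unexpected"] >= min_repeats)


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for prefix, e in find_contested_routes(text).items():
        print(f"{prefix}: {e['unexpected']} unexpected-interface events, "
              f"{e['removed']} removals over interfaces {sorted(e['interfaces'])}")
```

Run it against the live file with `python iple_check.py "%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\data\acumbrellaagent.log"` (expand the variable in your shell); without an argument it runs on the constructed sample.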
Resolution
To fix the issue immediately, add the IP address to your Allow list*. If you believe the IP to be safe, submit a security review to us to confirm whether the IP is malicious.
Both resolutions fix the issue by removing the IP from the enforcement list, ceding control of the IP back to AnyConnect.
*Adding IPs to the allow list is currently not available to all users. To opt in, contact umbrella-support@cisco.com and ask to be placed on our third wave of release.