Windows 10 and Cisco AnyConnect reconnect behaviour

My company provides me with a Windows 10 based laptop and the Cisco AnyConnect client in order to connect to corporate facilities such as Email, Intranet and Business Apps. I’d recently uplifted my version of Win10 to 1709 (Corp allows both SCCM WSUS and Microsoft online updating and I’m allowed local device admin rights) and noticed that the AnyConnect client would always Connect, then Reconnect, and Reconnect again, which was annoying, especially as I’ll only VPN in when at home or working at a client site.

Googling around suggested that IPv6 was the issue, but disabling that in the Virtual Network Adapter that AnyConnect sets up didn’t change the behaviour. No other ideas sprang to mind, so I re-ran the connect scenario, as it was reproducible, at the same time capturing a network trace with Wireshark. I also generated the AnyConnect client diagnostics using the ‘DART’ tool, then settled down for an hour to run a side-by-side comparison. It looks like AnyConnect enumerates all the physical network interfaces, sets up its connection to the Secure Gateway (i.e. VPN Server appliance), then later on finds another physical network interface, which causes the entire configuration to be torn down and the VPN connection reestablished – twice.

The new physical interface was a vSwitch, but one that had IP addresses allocated from the pool handed out by the Secure Gateway, which was odd as that suggested it was AnyConnect’s own configuration causing the behaviour. It did however make me recall that I have client Hyper-V enabled and by default a vSwitch is created for my Hyper-V based VM. I disabled the client Hyper-V feature and now no longer get the 3-connect scenario.

Yay – success, but then I’m struggling to remember whether this was an issue with the 1703 build of Win10, as that was when I first enabled client Hyper-V. I don’t think so, as it was annoying enough for me to diagnose, so I would have done so in the 1703 timeframe. Now it’s a call on which I want more – a quiet VPN connect or client Hyper-V? As I have an MSDN subscription and can create VMs to my heart’s content in Azure, I’m going with quiet VPN…

Microsoft Windows 10 1703 Build 16299.64
Cisco AnyConnect Secure Mobility Client 4.3.04027

Laters,
Matt

About Matt Sinfield

Work in the IT industry but have a couple of hobbies, Snowboard, Kitesurf and of course XBox
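An added diagnostic example (not part of the original post) that lists the Hyper-V virtual adapters and reports whether any of their IPv4 addresses fall inside the network assigned to the AnyConnect adapter, which is the overlap the trace above pointed to. Matching adapters by the `InterfaceDescription` strings `*AnyConnect*` and `Hyper-V Virtual Ethernet Adapter*` is an assumption, as are the helper names `ConvertTo-UInt32` and `Get-NetworkId`.

```powershell
# Added example: run while the VPN is connected. Helper names are hypothetical.
function ConvertTo-UInt32([string]$Ip) {
    $bytes = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Get-NetworkId([string]$Ip, [int]$PrefixLength) {
    # Network portion of an IPv4 address for the given prefix length.
    $all  = [uint64]4294967295
    $mask = ($all -shl (32 - $PrefixLength)) -band $all
    [uint64](ConvertTo-UInt32 $Ip) -band $mask
}

$adapters = Get-NetAdapter
# Assumption: adapters are identified by their driver description strings.
$vpn    = $adapters | Where-Object InterfaceDescription -like '*AnyConnect*'
$hyperv = $adapters | Where-Object InterfaceDescription -like 'Hyper-V Virtual Ethernet Adapter*'

# IPv4 addresses currently bound to the AnyConnect virtual adapter.
$vpnAddrs = @($vpn | ForEach-Object {
    Get-NetIPAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue
})

foreach ($a in $hyperv) {
    $addrs = @(Get-NetIPAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue)
    foreach ($addr in $addrs) {
        $overlap = $false
        foreach ($v in $vpnAddrs) {
            $sameNet = (Get-NetworkId $addr.IPAddress $v.PrefixLength) -eq
                       (Get-NetworkId $v.IPAddress $v.PrefixLength)
            if ($sameNet) { $overlap = $true }
        }
        [pscustomobject]@{
            Adapter      = $a.Name
            Status       = $a.Status
            IPv4         = "$($addr.IPAddress)/$($addr.PrefixLength)"
            InVpnNetwork = $overlap
        }
    }
}

# State of the client Hyper-V feature (requires an elevated session).
(Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All).State
```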

2 Responses to Windows 10 and Cisco AnyConnect reconnect behaviour

  1. Nathan says:

    HyperV is required for CredGuard, correct? Is there a way to just get rid of the adapter?

    • Andrew M says:

      It wasn’t an issue with 1703 as there was not a default virtual network NAT setup by Hyper-V until 1709 (from memory). And no, there is no way to get rid of the adapter as it gets created each time the Hyper-V service starts, even if the other adapter is simply disabled! Not an issue with other VPN clients, so urgently need Cisco to address this issue and differentiate between virtual and physical connections – which other VPNs seem to be able to do perfectly well.
