Thursday, January 28, 2021

WSL2 AnyConnect Network Issue Fix

Ran into this issue a while back and finally figured out a couple of fixes. WSL2 would lose network connectivity *sometimes* when connecting to our company's Cisco AnyConnect VPN client. After some digging, I discovered that, when connected to AnyConnect, a new WSL2 network gateway was added with a lower metric by AnyConnect, thus routing WSL2 network traffic over the VPN instead of locally. 

UPDATE: I noticed that this only occurred when I had enabled internet sharing between my primary network interface and the WSL2 network adapter. I enabled sharing previously because I believe it had resolved some other issue, but when I disabled internet sharing, AnyConnect no longer created the new gateway route and everything worked fine...go figure

Here's my WSL2 network (172.20.144.0/20) in the Windows route table when not connected to AnyConnect:


Here's my WSL2 network (172.20.144.0/20) in the Windows route table when connected to AnyConnect:


For some reason AnyConnect creates a new, additional gateway for the 172.20.144.0/20 network. Since this new route was created by AnyConnect, it also has a lower metric than the On-Link gateway metric of 257. Thus, it takes priority over the On-Link gateway and sends the traffic over the VPN instead of routing it locally.


Temporary Fix #1

Found this while Googling and it seems to be the most popular fix. Basically, it's a PowerShell command that raises the interface metric of the AnyConnect network interface, which in turn raises the metric of the routes added through it.

Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 4000

This command sets the metric of the AnyConnect network interface to 4000, so every route that goes through that interface ends up with a higher metric. There's nothing magical about 4000; the new metric just needs to be higher than the local On-Link metric to make it less preferred (the route with the lowest metric is preferred).

After running the PowerShell command, I ran route print 172.20.144.* to confirm the metric update:



Now, we're back in business...until you reboot, reconnect or wake from sleep, then you need to run the command again :(
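As an added example (not the post's own command), here is a PowerShell script that checks which route currently wins for the WSL2 prefix and applies the Temporary Fix #1 metric change only when a route other than the On-Link one is preferred. It assumes the post's prefix 172.20.144.0/20 and an adapter whose InterfaceDescription matches "Cisco AnyConnect"; the effective metric is computed as route metric plus interface metric, which is how Windows ranks routes to the same prefix.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
param(
    [string]$WslPrefix = "172.20.144.0/20",   # WSL2 network from the post (assumed)
    [string]$VpnMatch  = "Cisco AnyConnect",  # adapter description to fix (assumed)
    [int]$NewMetric    = 4000                 # same value as Temporary Fix #1
)

# Windows prefers the route with the lowest (RouteMetric + InterfaceMetric).
$routes = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $WslPrefix -ErrorAction SilentlyContinue |
    ForEach-Object {
        $if = Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4
        [pscustomobject]@{
            Interface       = $_.InterfaceAlias
            NextHop         = $_.NextHop
            RouteMetric     = $_.RouteMetric
            InterfaceMetric = $if.InterfaceMetric
            Effective       = $_.RouteMetric + $if.InterfaceMetric
        }
    } | Sort-Object Effective

if (-not $routes) {
    Write-Host "No route to $WslPrefix found; is WSL2 running?"
    exit 1
}

$routes | Format-Table -AutoSize
$best = $routes | Select-Object -First 1

# Get-NetRoute reports an On-Link route with NextHop 0.0.0.0.
if ($best.NextHop -eq '0.0.0.0') {
    Write-Host "OK: $WslPrefix is routed On-Link via '$($best.Interface)' (metric $($best.Effective))."
    exit 0
}

Write-Warning "$WslPrefix is routed via $($best.NextHop) on '$($best.Interface)' (metric $($best.Effective)); WSL2 traffic would go over the VPN."

$vpn = Get-NetAdapter | Where-Object { $_.InterfaceDescription -match $VpnMatch }
if (-not $vpn) {
    Write-Host "No adapter matching '$VpnMatch'; nothing to fix."
    exit 1
}

# Same change as Temporary Fix #1: make the VPN interface less preferred than On-Link.
$vpn | Set-NetIPInterface -AddressFamily IPv4 -InterfaceMetric $NewMetric
Write-Host "Set InterfaceMetric=$NewMetric on '$($vpn.Name)'. Re-run this script to verify."
```

Since the metric resets on reconnect or wake, re-running the script after those events gives a quick way to tell whether the fix is still in place before the VPN silently swallows WSL2 traffic again.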


Temporary Fix #2

If you prefer using the GUI, then you can adjust the metric through the Control Panel instead. I haven't found a way to make this permanent though; if anyone knows how, please let me know.

Go to Control Panel > Network and Sharing Center > Change adapter settings > Cisco AnyConnect Secure Mobility Client Connection > Properties > Internet Protocol Version 4 (TCP/IPv4) > Properties > Advanced and set the metric to a number higher than your current On-Link metric. In this example, I'm setting the metric to 500:


And now my route table reflects the change:




2 comments:

  1. Does this still work for you? I find it ignores the interface metric and routes over it regardless.

    Replies
    1. Sometimes it requires me to reconnect AnyConnect before it will take effect, might be related to when the PC sleeps, not 100% though.
