
I'm on macOS 11.6.5 Big Sur running a Windows Server 2019 guest from VMware Fusion 12.2.3. The VPN is Cisco AnyConnect Secure Mobility Client 4.10.00093.

My local network is on 10.0.0.0/24

The VM's network is set to "Share with my Mac" NAT and is on DHCP. The address assigned is 172.16.249.128.

With the VPN not connected, I can access services from the host to the guest, e.g. access a web server on the Windows VM.

However, as soon as I connect the VPN, I lose access to the VM. From inside the VM I can access the WAN but nothing from the VPN. What's worse is that after disconnecting the VPN, I still can't access the VM. Restarting Fusion's services doesn't work and I end up having to reboot the Mac.

The Cisco config is supplied by our company IT. They have advised it's set up for split tunneling: 10.0.0.0/8, 194.xx.xx.0/21, some ranges in 192.168.0.0 -> tunnel; anything else -> default route (normally internet).

I've read a bunch of Fusion community posts that have similar issues, but they have all been patched as of Fusion 12.2.3, AFAIK. Of course all this was working before Apple changed to the NetworkExtension framework.

Any ideas on how I can get this working?

1 Answer


If your local network is 10.0.0.0/24, it would seem the Cisco VPN is capturing this and routing all outgoing traffic over the tunnel (10.0.0.0/8 includes 10.0.0.0/24). When the VPN tunnel is up, all traffic from your Mac bound for your local network ought to go over the VPN tunnel. You can check this by activating the VPN and attempting to access something else on your network (printer maybe?). I expect the connection will fail.

Since the 172.16.249.128 that Fusion is using for your VM falls inside the 172.16.0.0/12 network space identified by RFC 1918, one would expect that it is not going to be affected by your VPN tunnel. However, Fusion has to set up a routing rule on your machine that says that traffic bound for 172.16.249.128 needs to be NATted to your local IP in the 10.0.0.0/24. Since this range is captured by the VPN tunnel, the traffic is instead routed over the tunnel.

As for why this behavior persists even after the tunnel is torn down, and the AnyConnect client has been quit... Well, that is a long story. Cisco does a terrible job of cleaning up routes when the AnyConnect client is quit.

Possible solution: move your local subnet to something outside the ranges captured by that split tunnel. You could for example make your home network 172.16.0.0/24, and your NATted VPN network 172.16.1.0/24. I expect then that everything will work swimmingly, and you will also have access to your (printer? or other devices) to boot!

To confirm the above is correct, do the following:

  1. Restart the computer, post the result of netstat -rn
  2. Launch your Fusion VM, post the result of netstat -rn
  3. Start AnyConnect and bring the tunnel up. Post the result of netstat -rn
  4. Quit AnyConnect and post the result of netstat -rn
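The four netstat -rn snapshots above are only useful if you compare them by longest-prefix match rather than by eye. The following script is an added example (not code from the answer, Cisco or VMware): it parses the IPv4 section of macOS-style netstat -rn output, expands netstat's abbreviated destinations (10/8, 10.0.0/24, 127, default), resolves a few destinations against each snapshot and reports which destinations moved onto a utun interface once the tunnel came up. Both routing tables are constructed to mirror the scenario the answer describes; the interface names en0, vmnet8 and utun3, the tunnel gateway 198.51.100.1 and the VPN server 203.0.113.10 are assumptions, not values from the question.

```python
import ipaddress

# Constructed macOS-style `netstat -rn` output: IPv4 table with the Fusion VM
# running and the tunnel down (step 2 of the procedure above).
NETSTAT_BEFORE = """\
Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
default            10.0.0.1           UGScg             en0
10.0.0/24          link#6             UCS               en0
10.0.0.1           a8:11:22:33:44:55  UHLWIir           en0
127                127.0.0.1          UCS               lo0
172.16.249/24      link#20            UC              vmnet8
172.16.249.128     0:c:29:aa:bb:cc    UHLWIi          vmnet8

Internet6:
Destination                             Gateway                         Flags         Netif Expire
::1                                     ::1                             UHL             lo0
"""

# Constructed table after the split tunnel is up (step 3). Written to show the
# situation the answer describes: 10/8 and a more specific 10.0.0/24 now point
# at the (assumed) utun3 interface; the vmnet8 routes are unchanged.
NETSTAT_AFTER = """\
Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
default            10.0.0.1           UGScg             en0
10/8               198.51.100.1       UGSc            utun3
10.0.0/24          198.51.100.1       UGSc            utun3
10.0.0.1           a8:11:22:33:44:55  UHLWIir           en0
127                127.0.0.1          UCS               lo0
172.16.249/24      link#20            UC              vmnet8
172.16.249.128     0:c:29:aa:bb:cc    UHLWIi          vmnet8
198.51.100.1       198.51.100.1       UH              utun3
203.0.113.10       10.0.0.1           UGHS              en0
"""


def expand_destination(dest):
    """Turn a netstat destination into an ip_network.
    netstat drops trailing zero octets; when no prefix length is printed it
    implies 8 bits per printed octet ('127' -> 127.0.0.0/8), and a full
    four-octet address with no length is a host route (/32)."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:
        plen = "32" if len(octets) == 4 else str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)


def parse_routes(netstat_output):
    """Return the IPv4 routes as dicts; the Internet6: section is skipped."""
    routes, in_ipv4 = [], False
    for raw in netstat_output.splitlines():
        line = raw.strip()
        if line == "Internet:":
            in_ipv4 = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_ipv4 or not line or line.startswith("Destination"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            network = expand_destination(fields[0])
        except ValueError:
            continue  # not an IPv4 destination we understand; ignore
        routes.append({"network": network, "gateway": fields[1],
                       "flags": fields[2], "netif": fields[3]})
    return routes


def lookup(routes, destination):
    """Longest-prefix match, as the kernel would choose the route."""
    addr, best = ipaddress.ip_address(destination), None
    for route in routes:
        if addr in route["network"] and (
                best is None or route["network"].prefixlen > best["network"].prefixlen):
            best = route
    return best


def interface_changes(before_output, after_output, destinations):
    """Map destination -> (netif before, netif after)."""
    before, after = parse_routes(before_output), parse_routes(after_output)
    report = {}
    for dst in destinations:
        b, a = lookup(before, dst), lookup(after, dst)
        report[dst] = ((b or {}).get("netif"), (a or {}).get("netif"))
    return report


def captured_by_tunnel(report, tunnel_prefix="utun"):
    """Destinations whose egress interface moved onto the tunnel."""
    return [d for d, (b, a) in report.items()
            if a and a.startswith(tunnel_prefix) and b != a]


if __name__ == "__main__":
    # 10.0.0.50 stands in for a printer on the LAN; 172.16.249.128 is the VM.
    report = interface_changes(NETSTAT_BEFORE, NETSTAT_AFTER,
                               ["10.0.0.50", "172.16.249.128", "10.0.0.1"])
    for dst, (b, a) in report.items():
        print(f"{dst:16} before={b:8} after={a}")
    print("captured by tunnel:", captured_by_tunnel(report))
```

On a real machine, replace the two constants with the saved output of steps 2 and 3; a destination that only shows a utun interface in the later snapshot is exactly the "local network captured by the split tunnel" symptom the answer predicts, and running the same comparison between steps 3 and 4 shows whether the routes were cleaned up after AnyConnect quit.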
