Issues with Cisco AnyConnect VPN

Expected behavior

$ docker run hello-world
Unable to find image ‘hello-world:latest’ locally
latest: Pulling from library/hello-world
a9d36faac0fe: Pulling fs layer
a9d36faac0fe: Verifying Checksum
a9d36faac0fe: Download complete
a9d36faac0fe: Pull complete
Digest: sha256:e52be8ffeeb1f374f440893189cd32f44cb166650e7ab185fa7735b7dc48d619
Status: Downloaded newer image for hello-world:latest

Hello from Docker.
This message shows that your installation appears to be working correctly.

Actual behavior

$ docker run hello-world
Unable to find image ‘hello-world:latest’ locally
Pulling repository docker.io/library/hello-world
C:\Program Files\Docker\Docker\Resources\bin\docker.exe: Network timed out while trying to connect to https://index.docker.io/v1/repositories/library/hello-world/images. You may want to check your internet connection or if you are behind a proxy…
See ‘C:\Program Files\Docker\Docker\Resources\bin\docker.exe run --help’.

Information

diagnostic upload: AA66970A-E2FF-40F0-BCDA-75EB52D7EB31/2016-06-21_13-13-28
When not connected to my corporate network via Cisco AnyConnect VPN 4.2.03x, I can pull and run images from docker.io.

When connected to the VPN, I cannot pull images from docker.io or my corporate internal registry.

I’m not behind a proxy.

Steps to reproduce the behavior

  1. connect to VPN
  2. docker run hello-world

Hi @maximusfloydus

Thanks for your report. We don’t have a Cisco AnyConnect VPN setup to test ourselves and it would be great if you could supply some additional information. From the logs/description it does look like the issue is mainly related to DNS, so could you provide the output of:

nslookup www.google.com
nslookup.exe www.google.com 10.0.75.1

This tries to perform a DNS lookup using the default name server and the Docker for Windows built-in DNS forwarder.

Could you also try running the following command:

docker run -ti --rm alpine wget -O - http://216.58.213.164/

It will test basic IP connectivity from a container. For this to work, you’d have to pull the alpine image before you go onto the VPN, of course.

Finally, it would be interesting to know if you:

  1. Start Docker for Windows and then connect to the VPN, or,
  2. Connect to the VPN and then start Docker for Windows
    and whether it makes a difference if you do it the other way round.

Thanks a lot in advance for your help
Rolf
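
The checks requested in the post above, combined into one PowerShell script, as an added example that is not part of the original thread. It also lists each connected IPv4 interface with its metric and DNS servers. It assumes the `Resolve-DnsName`, `Get-NetIPInterface` and `Get-DnsClientServerAddress` cmdlets (Windows 8 / Server 2012 or later); the function names and verdict wording are illustrative.

```powershell
# Added example, not from the thread. Values marked "from the post" are quoted above.
$Name      = 'www.google.com'
$Forwarder = '10.0.75.1'               # Docker for Windows DNS forwarder (from the post)
$ProbeUrl  = 'http://216.58.213.164/'  # literal IP (from the post), so no DNS is involved

function Test-DnsVia {
    param([string]$Server)             # empty = system default resolver
    $label = if ($Server) { "DNS via $Server" } else { 'DNS via default resolver' }
    $query = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }
    try {
        $ips = (Resolve-DnsName @query | Where-Object IPAddress).IPAddress
        [pscustomobject]@{ Check = $label; Ok = [bool]$ips; Detail = $ips -join ', ' }
    } catch {
        # A timeout from the forwarder ends up here, like the nslookup timeout.
        [pscustomobject]@{ Check = $label; Ok = $false; Detail = $_.Exception.Message }
    }
}

function Test-ContainerIp {
    # Needs the alpine image pulled before connecting to the VPN (see the post).
    docker run --rm alpine wget -q -T 10 -O /dev/null $ProbeUrl 2>$null | Out-Null
    [pscustomobject]@{ Check = "Container HTTP to $ProbeUrl"
                       Ok = ($LASTEXITCODE -eq 0); Detail = "wget exit code $LASTEXITCODE" }
}

# Connected IPv4 interfaces, lowest metric (preferred by Windows) first.
Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
    Sort-Object InterfaceMetric |
    ForEach-Object {
        $dns = (Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex `
                    -AddressFamily IPv4).ServerAddresses
        [pscustomobject]@{ Interface = $_.InterfaceAlias; Metric = $_.InterfaceMetric
                           DnsServers = $dns -join ', ' }
    } | Format-Table -AutoSize

$results = @(
    Test-DnsVia
    Test-DnsVia -Server $Forwarder
    Test-ContainerIp
)
$results | Format-Table -AutoSize

$dnsDefault, $dnsForwarder, $ip = $results.Ok
if (-not $ip)                              { 'IP connectivity from the container fails, so the problem is not limited to DNS.' }
elseif ($dnsDefault -and -not $dnsForwarder) { "Host DNS works but $Forwarder does not answer: the DNS forwarder path is failing." }
elseif (-not $dnsDefault)                  { 'The host itself cannot resolve names: check the VPN-assigned DNS servers.' }
else                                       { 'All three checks pass.' }
```

Running it once with Docker started before the VPN and once with the order reversed gives the comparison asked for at the end of the post.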

Hi @rneugeba,

I have the same issues behind the Cisco VPN. When I’m running

nslookup www.google.com

I get

`Nicht autorisierende Antwort:
Server: dfbsvmdc01.intranet.fleetboard.com
Address: 10.30.2.201

Name: www.google.com
Addresses: 2a00:1450:4001:817::2004
172.217.16.196`

For the nslookup.exe www.google.com 10.0.75.1 I get:

`*** Zeitüberschreitung bei Anforderung an UnKnown.
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 10.0.75.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.`

Hi there!

Those that are using a VPN, can you paste the output of these two commands?

  • nslookup localhost
  • Get-WmiObject Win32_networkadapterconfiguration | ? { $_.DefaultIPGateway } | fl *

Attached is the output for the commands @rneugeba and @dgageot requested.

Also, I could not get things to act differently with VPN first or Docker engine first.

output.txt (29.3 KB)

Same problem here… As requested, this is what I get:

PS C:\WINDOWS\system32> nslookup www.google.com
Server:  dnstsrv1.mitre.org
Address:  128.29.154.114

Non-authoritative answer:
Name:    www.google.com
Addresses:  2607:f8b0:400c:c0b::67
          173.194.214.104
          173.194.214.105
          173.194.214.106
          173.194.214.99
          173.194.214.103
          173.194.214.147
PS C:\WINDOWS\system32> nslookup.exe www.google.com 10.0.75.1
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.0.75.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
PS C:\WINDOWS\system32> docker run -ti --rm alpine wget -O - http://www.google.com
Connecting to gatekeeper-w.mitre.org (128.29.43.1:80)
                                                     <!doctype html><html itemscope="" itemtype="http:/
ideos and more. Google has many special features to help you find exactly what you're looking for." nam
Type"><meta content="/logos/doodles/2017/gilbert-bakers-66th-birthday-6016396013076480.8-law.gif" itemp
 66th birthday! &#127987;&#127752; #GoogleDoodle" property="twitter:description"><meta content="Gilbert
image" property="twitter:card"><meta content="@GoogleDoodles" property="twitter:site"><meta content="ht
...
PS C:\WINDOWS\system32> nslookup localhost
Server:  dnstsrv1.mitre.org
Address:  128.29.154.114

Name:    localhost.mitre.org
Address:  127.0.0.1

PS C:\WINDOWS\system32> Get-WmiObject Win32_networkadapterconfiguration | ? { $_.DefaultIPGateway } | fl *


PSComputerName               : MM206678-PC
DHCPLeaseExpires             :
Index                        : 0
Description                  : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
DHCPEnabled                  : False
DHCPLeaseObtained            :
DHCPServer                   :
DNSDomain                    : mitre.org
DNSDomainSuffixSearchOrder   : {mitre.org, mitre.org, MITRE.ORG, home}
DNSEnabledForWINSResolution  : False
DNSHostName                  : MM206678-PC
DNSServerSearchOrder         : {128.29.154.114, 129.83.20.114}
DomainDNSRegistrationEnabled : False
FullDNSRegistrationEnabled   : True
IPAddress                    : {172.31.168.234}
IPConnectionMetric           : 1
IPEnabled                    : True
IPFilterSecurityEnabled      : False
WINSEnableLMHostsLookup      : True
WINSHostLookupFile           :
WINSPrimaryServer            : 128.29.239.2
WINSScopeID                  :
WINSSecondaryServer          : 129.83.25.1
__GENUS                      : 2
__CLASS                      : Win32_NetworkAdapterConfiguration
__SUPERCLASS                 : CIM_Setting
__DYNASTY                    : CIM_Setting
__RELPATH                    : Win32_NetworkAdapterConfiguration.Index=0
__PROPERTY_COUNT             : 61
__DERIVATION                 : {CIM_Setting}
__SERVER                     : MM206678-PC
__NAMESPACE                  : root\cimv2
__PATH                       : \\MM206678-PC\root\cimv2:Win32_NetworkAdapterConfiguration.Index=0
ArpAlwaysSourceRoute         :
ArpUseEtherSNAP              :
Caption                      : [00000000] Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
DatabasePath                 : %SystemRoot%\System32\drivers\etc
DeadGWDetectEnabled          :
DefaultIPGateway             : {172.31.160.1}
DefaultTOS                   :
DefaultTTL                   :
ForwardBufferMemory          :
GatewayCostMetric            : {1}
IGMPLevel                    :
InterfaceIndex               : 5
IPPortSecurityEnabled        :
IPSecPermitIPProtocols       : {}
IPSecPermitTCPPorts          : {}
IPSecPermitUDPPorts          : {}
IPSubnet                     : {255.255.224.0}
IPUseZeroBroadcast           :
IPXAddress                   :
IPXEnabled                   :
IPXFrameType                 :
IPXMediaType                 :
IPXNetworkNumber             :
IPXVirtualNetNumber          :
KeepAliveInterval            :
KeepAliveTime                :
MACAddress                   : 00:05:9A:3C:7A:00
MTU                          :
NumForwardPackets            :
PMTUBHDetectEnabled          :
PMTUDiscoveryEnabled         :
ServiceName                  : vpnva
SettingID                    : {80A05A34-57CD-44FC-B1BE-B9871B0DF791}
TcpipNetbiosOptions          : 0
TcpMaxConnectRetransmissions :
TcpMaxDataRetransmissions    :
TcpNumConnections            :
TcpUseRFC1122UrgentPointer   :
TcpWindowSize                :
Scope                        : System.Management.ManagementScope
Path                         : \\MM206678-PC\root\cimv2:Win32_NetworkAdapterConfiguration.Index=0
Options                      : System.Management.ObjectGetOptions
ClassPath                    : \\MM206678-PC\root\cimv2:Win32_NetworkAdapterConfiguration
Properties                   : {ArpAlwaysSourceRoute, ArpUseEtherSNAP, Caption, DatabasePath...}
SystemProperties             : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
Qualifiers                   : {dynamic, Locale, provider, UUID}
Site                         :
Container                    :

PSComputerName               : MM206678-PC
DHCPLeaseExpires             : 20170603143013.000000-240
Index                        : 2
Description                  : Intel(R) Ethernet Connection I217-LM
DHCPEnabled                  : True
DHCPLeaseObtained            : 20170602143013.000000-240
DHCPServer                   : 192.168.1.1
DNSDomain                    :
DNSDomainSuffixSearchOrder   : {mitre.org, mitre.org, MITRE.ORG, home}
DNSEnabledForWINSResolution  : False
DNSHostName                  : MM206678-PC
DNSServerSearchOrder         : {192.168.1.1}
DomainDNSRegistrationEnabled : False
FullDNSRegistrationEnabled   : True
IPAddress                    : {192.168.1.55}
IPConnectionMetric           : 25
IPEnabled                    : True
IPFilterSecurityEnabled      : False
WINSEnableLMHostsLookup      : True
WINSHostLookupFile           :
WINSPrimaryServer            :
WINSScopeID                  :
WINSSecondaryServer          :
__GENUS                      : 2
__CLASS                      : Win32_NetworkAdapterConfiguration
__SUPERCLASS                 : CIM_Setting
__DYNASTY                    : CIM_Setting
__RELPATH                    : Win32_NetworkAdapterConfiguration.Index=2
__PROPERTY_COUNT             : 61
__DERIVATION                 : {CIM_Setting}
__SERVER                     : MM206678-PC
__NAMESPACE                  : root\cimv2
__PATH                       : \\MM206678-PC\root\cimv2:Win32_NetworkAdapterConfiguration.Index=2
ArpAlwaysSourceRoute         :
ArpUseEtherSNAP              :
Caption                      : [00000002] Intel(R) Ethernet Connection I217-LM
DatabasePath                 : %SystemRoot%\System32\drivers\etc
DeadGWDetectEnabled          :
DefaultIPGateway             : {192.168.1.1}
DefaultTOS                   :
DefaultTTL                   :
ForwardBufferMemory          :
GatewayCostMetric            : {0}
IGMPLevel                    :
InterfaceIndex               : 3
IPPortSecurityEnabled        :
IPSecPermitIPProtocols       : {}
IPSecPermitTCPPorts          : {}
IPSecPermitUDPPorts          : {}
IPSubnet                     : {255.255.255.0}
IPUseZeroBroadcast           :
IPXAddress                   :
IPXEnabled                   :
IPXFrameType                 :
IPXMediaType                 :
IPXNetworkNumber             :
IPXVirtualNetNumber          :
KeepAliveInterval            :
KeepAliveTime                :
MACAddress                   : F0:1F:AF:4F:92:0A
MTU                          :
NumForwardPackets            :
PMTUBHDetectEnabled          :
PMTUDiscoveryEnabled         :
ServiceName                  : e1dexpress
SettingID                    : {21A29144-E632-4B06-A3E4-D92F3C4960DF}
TcpipNetbiosOptions          : 0
TcpMaxConnectRetransmissions :
TcpMaxDataRetransmissions    :
TcpNumConnections            :
TcpUseRFC1122UrgentPointer   :
TcpWindowSize                :
Scope                        : System.Management.ManagementScope
Path                         : \\MM206678-PC\root\cimv2:Win32_NetworkAdapterConfiguration.Index=2
Options                      : System.Management.ObjectGetOptions
ClassPath                    : \\MM206678-PC\root\cimv2:Win32_NetworkAdapterConfiguration
Properties                   : {ArpAlwaysSourceRoute, ArpUseEtherSNAP, Caption, DatabasePath...}
SystemProperties             : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
Qualifiers                   : {dynamic, Locale, provider, UUID}
Site                         :
Container                    :