Solved

VPN and NPA Not Happy Together

  • 23 November 2023
  • 5 replies
  • 236 views

Badge +7

Hi Everyone,

 

Have an issue where remote NS clients have the following environment and in this order:

1. IPv4 and IPv6 addresses assigned (e.g. from home Wi-Fi or mobile hotspot)

- The IPv6 address assigned (global internet address starts with 2001:xxx)

2. NPA Tunnel is established

3. Connect to corporate VPN service

4. Clients are then unable to access applications via the VPN

 

NPA applications continue to operate successfully but the NS client service appears to interfere with the VPN tunnel.

 

Stop the NS client service and there is no issue with the VPN.

 

Disable IPv6 and the VPN and NPA work successfully; this is not recommended by Microsoft, so it is not really a desirable option.

 

Have tried to configure clients to 'Prefer IPv4 over IPv6'. This was looking promising but is not producing reliable results; the issue still appears to randomly occur. Still testing this.

 

Anyone else experience this issue?


Best answer by Curious 5 December 2023, 02:27


5 replies

Badge +4

We have been experiencing this issue as well. We would just disable IPv6 on the workstations that it occurred on, but like you said it's not recommended by Microsoft, so it's not desirable.

Badge +7

Hi @csowell 

 

Which VPN solution are you using?

 

Ours is F5 which has been solid for many years now. Issue has recently occurred with the use of NPA. Our NPA published apps are ok. It appears the Netskope client is not playing nicely with the use of the F5 VPN... but only when I published AD/Domain Services as per the Netskope KB.

 

Disabling IPv6 resolves the issue but I don't want to disable this for hundreds of users.

 

Thank you

Badge +7

Issue has now been resolved.

 

On the F5 VPN configuration

Enforce DNS search order : enable
DNS Default Domain Suffix : remove all items

 

Can now publish the AD Domain Services via NPA as per the NS KB. 

Badge +4

We are using Global Protect, after talking with our Netskope SE he was saying to make a steering exception. Fortunately we haven't had any more issues with it, at least none reported to me anyways. 

 

https://docs.netskope.com/en/netskope-help/netskope-client/netskope-client-interoperability/vpn-applications/palo-alto-globalprotect/

Badge +4

We’ve been seeing similar issues with Cisco AnyConnect/Secure Client on IPv6 networks as well, but actually both with and without NPA enabled on the Windows client.

We have tried configuring the client-bypass protocol option in the Cisco client, as discussed here, to disable IPv6, and we have confirmed that it does black hole IPv6 traffic as expected, but we still see both A and AAAA DNS queries going over the wire, A via VPN and AAAA locally over IPv4 on the IPv6 enabled LAN.

What we observed in packet captures was a race condition in Windows between the A and AAAA queries, as discussed here.

We changed Windows settings to prefer IPv4 over IPv6 and then disabled parallel A and AAAA queries, which resolved the issue.

# Prefer IPv4 over IPv6 (0x20 sets the "prefer IPv4" bit of the DisabledComponents bitmask; takes effect after a reboot)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" -Name DisabledComponents -Value 0x20 -Type DWord

# Stop the DNS client from sending the A and AAAA queries in parallel
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" -Name DisableParallelAandAAAA -Value 1 -Type DWord
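As an added example (my own code, not from the thread or from Netskope/Cisco), a PowerShell script that audits the two registry values from the post above and applies them only where they differ, treating DisabledComponents as the bitmask it is so an existing value is OR-ed with 0x20 rather than overwritten. The function names are my own; it assumes an elevated session, and the Tcpip6 change still needs a reboot.

```powershell
# Added example: audit and (optionally) apply the two settings from the post above.
# Assumes an elevated PowerShell session. Function names are hypothetical.
$Tcpip6Key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$DnscacheKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$PreferIPv4Bit = 0x20   # "prefer IPv4 over IPv6" bit in the DisabledComponents bitmask

function Get-DnsRaceSettings {
    # Read-only: report the current state of both values (missing value = 0).
    $dc = (Get-ItemProperty -Path $Tcpip6Key   -Name DisabledComponents      -ErrorAction SilentlyContinue).DisabledComponents
    $pa = (Get-ItemProperty -Path $DnscacheKey -Name DisableParallelAandAAAA -ErrorAction SilentlyContinue).DisableParallelAandAAAA
    if ($null -eq $dc) { $dc = 0 }
    if ($null -eq $pa) { $pa = 0 }
    [pscustomobject]@{
        DisabledComponents      = $dc
        PrefersIPv4             = (($dc -band $PreferIPv4Bit) -ne 0)
        DisableParallelAandAAAA = $pa
        ParallelQueriesDisabled = ($pa -eq 1)
    }
}

function Set-DnsRaceSettings {
    # Applies only the parts that are not already set; supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-DnsRaceSettings
    if (-not $state.PrefersIPv4) {
        # OR the bit in so other DisabledComponents bits an admin set earlier survive.
        $new = $state.DisabledComponents -bor $PreferIPv4Bit
        if ($PSCmdlet.ShouldProcess($Tcpip6Key, ('Set DisabledComponents to 0x{0:X}' -f $new))) {
            Set-ItemProperty -Path $Tcpip6Key -Name DisabledComponents -Value $new -Type DWord
        }
    }
    if (-not $state.ParallelQueriesDisabled) {
        if ($PSCmdlet.ShouldProcess($DnscacheKey, 'Set DisableParallelAandAAAA to 1')) {
            Set-ItemProperty -Path $DnscacheKey -Name DisableParallelAandAAAA -Value 1 -Type DWord
        }
    }
    Get-DnsRaceSettings   # return the post-change state for the caller to verify
}

# Usage:  Get-DnsRaceSettings          (audit only)
#         Set-DnsRaceSettings -WhatIf  (show what would change)
#         Set-DnsRaceSettings          (apply, then reboot for the Tcpip6 change)
Get-DnsRaceSettings | Format-List
```

Running the audit on a sample of affected and unaffected clients before rolling the change out is a cheap way to confirm the two values actually line up with the symptom.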
 
