If you are a network engineer in this day and age, then you are probably familiar with and regularly using IPv6 (at least on your home lab network). I personally run my home network dual-stacked and have recently been annoyed by how VPN clients (mostly Cisco AnyConnect) handle dual-stacked clients. I have found that when left unconfigured (using defaults), AnyConnect likes to silently dump all IPv6 traffic on dual-stacked clients. This causes IPv6-enabled public websites and services (just the unpopular ones…like Google, YouTube, Facebook, etc.) to hang while trying to connect using the looked-up AAAA DNS record.
Here are a few tricks I have found to configure AnyConnect to properly handle dual-stacked clients to keep those eyeballs happy. The IPv6 must flow!
Using Local Internet
If your VPN is configured as a “split tunnel” which does not tunnel internet-bound traffic back over the VPN, then you will likely want to use this in your configuration, as it makes AnyConnect let the client send all of its IPv6 traffic directly out the client's own internet connection.
If you do tunnel all internet traffic over the VPN, but do not have IPv6 capabilities on the VPN concentrator, then this may still be the solution for you. Keep in mind that if you are tunneling all IPv4 traffic back to the concentrator so you can perform filtering, then this solution may bypass that filtering for IPv6 traffic since it will not get sent over the tunnel.
This method is a good baseline configuration to use on any installation where internet traffic does not need to be filtered centrally as it prepares the AnyConnect system to properly handle IPv6-enabled clients.
What It Does: This configuration example will enable IPv6 over the VPN and assign an address to your VPN clients. It will then set up a split tunnel for IPv6 that tunnels only the 1::1/64 network (which isn’t used). This tells the VPN client to exclude all other IPv6 traffic from the tunnel, allowing the PC to use the local internet for IPv6.
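To make the effect of each split-tunnel policy concrete, here is a small Python model of how a dual-stacked client ends up routing an IPv6 destination under the three group-policy options (tunnelall, tunnelspecified, excludespecified) versus a group policy with no IPv6 settings at all. This is an added example, not code from the post or from Cisco; it models the behaviour the post describes (unconfigured IPv6 is silently dropped, tunnelspecified with only the unused 1::/64 prefix sends everything else local), and the class and function names are hypothetical. The "bypasses_central_filtering" check encodes the caveat above about IPv4 being tunnelled for filtering while IPv6 escapes locally.

```python
import ipaddress
from typing import Iterable, Optional

# Policy names as they appear in the ASA group-policy help text.
TUNNELALL = "tunnelall"
TUNNELSPECIFIED = "tunnelspecified"
EXCLUDESPECIFIED = "excludespecified"


class SplitTunnelPolicy:
    """Model of one address family's split-tunnel settings in a group policy.

    policy=None models a group policy with no IPv6 split-tunnel configuration,
    which the post describes as AnyConnect silently dropping the client's IPv6.
    """

    def __init__(self, policy: Optional[str], network_list: Iterable[str] = ()):
        self.policy = policy
        # strict=False accepts the post's "1::1/64" spelling and normalises it to 1::/64.
        self.networks = [ipaddress.ip_network(n, strict=False) for n in network_list]

    def route_for(self, dest: str) -> str:
        """Return 'tunnel', 'local' or 'blackhole' for a destination address."""
        addr = ipaddress.ip_address(dest)
        if self.policy is None:
            # Unconfigured: traffic enters the VPN adapter and is dropped.
            return "blackhole"
        in_list = any(addr in net for net in self.networks)
        if self.policy == TUNNELALL:
            return "tunnel"
        if self.policy == TUNNELSPECIFIED:
            return "tunnel" if in_list else "local"
        if self.policy == EXCLUDESPECIFIED:
            return "local" if in_list else "tunnel"
        raise ValueError(f"unknown split-tunnel policy {self.policy!r}")


def dual_stack_outcome(v6_policy: SplitTunnelPolicy, aaaa_addr: str) -> str:
    """What a dual-stacked client sees when it tries the AAAA record first.

    'hangs' reproduces the symptom from the post: the IPv6 SYN goes nowhere.
    """
    return "hangs" if v6_policy.route_for(aaaa_addr) == "blackhole" else "ok"


def bypasses_central_filtering(v4_policy: SplitTunnelPolicy,
                               v6_policy: SplitTunnelPolicy) -> bool:
    """True when IPv4 is forced through the concentrator for filtering
    but some IPv6 traffic can still leave directly via the local internet."""
    v4_centralised = v4_policy.policy == TUNNELALL
    v6_can_go_local = v6_policy.policy in (TUNNELSPECIFIED, EXCLUDESPECIFIED)
    return v4_centralised and v6_can_go_local


# Constructed sample policies and destinations (documentation prefixes, not real sites).
DEFAULT_V6 = SplitTunnelPolicy(None)                               # post's "defaults"
LOCAL_INTERNET_V6 = SplitTunnelPolicy(TUNNELSPECIFIED, ["1::1/64"])  # the post's trick
CORP_V4 = SplitTunnelPolicy(TUNNELALL)
PUBLIC_SITE_V6 = "2001:db8:1::80"   # hypothetical AAAA answer for a public website
INSIDE_V6 = "1::5"                  # address inside the "unused" tunnelled prefix

if __name__ == "__main__":
    print("defaults:", dual_stack_outcome(DEFAULT_V6, PUBLIC_SITE_V6))
    print("local internet:", dual_stack_outcome(LOCAL_INTERNET_V6, PUBLIC_SITE_V6))
    print("filtering bypass:", bypasses_central_filtering(CORP_V4, LOCAL_INTERNET_V6))
```

Run it as a script to see the three outcomes; the interesting case for a defender is the last line, which flags the combination the post warns about (IPv4 tunnelall for filtering alongside an IPv6 policy that sends other prefixes out locally).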
Group-policy mode commands/options:
excludespecified  Exclude only networks specified by split-tunnel-network-list
tunnelall  Tunnel everything
tunnelspecified  Tunnel only networks specified by split-tunnel-network-list
Could it really be that simple to change the policy to tunnelall? Or have people run into issues where that doesn't work as intended?

Not sure if you have already resolved this problem or not, but based on your split tunnel config you have split-tunnel-all-dns disabled - which means 'Client will resolve DNS queries depending on the split-tunnel and split-dns policies' - at the same time you are using an ACL to specify which IP address should be sent through the tunnel.