Cisco AnyConnect VPN Client, Debian 5.0.3 and Firefox

After you connect to VPN using Cisco Anyconnect on Debian 5.0.3, you are able to ping, traceroute and browse the Internet using Google Chrome but Mozilla Firefox, FTP, Dig, Telnet and Thunderbird won’t work

Resolution:

I had to troubleshoot this issue for a customer. During that I ran Wireshark, tcpdump and Microsoft Network Monitor traces on Debian, Ubuntu and Microsoft Windows hosts and came up with the conclusion and proposed solutions. At the end it was shown that IPv6 didn’t seem to be compatible with Cisco Anyconnect on Debian 5.0.3. The solution was to make the host machine totally rely on IPv4 for DNS resolution – in another word disable IPv6.

Before you disable IPv6 in Debian and to confirm the above finding, try to disable IPv6 in Firefox only and test. Here how you can do it:

Open Firefox and in the address bar type about:config, then confirm warning message, go to the line network.dns.disableIPv6 and change to true.

If that makes Firefox work, then go ahead and disable it in the operating system so other programs such as Thunderbird, telnet and FTP work. You can Google how to disable IPv6 in Debian and that should fix it for you. I didn’t want to write about that because you couldfind 100s of links about how to disable IPv6 in Linux/Debian.

One other method that worked for me while testing (but might not work for everybody) is to change MTU packet size of Ethernet 0 to 1200 from 1499. MTU 1200 is recommended by Cisco. Also IPv6 minimum MTU requirement is 1280 so by setting it to 1200, that might stop the use of IPv6

sudo /sbin/ifconfig eth0 mtu 1200

If you find this article helpful, please send us a note to Mike@bostonIT.com so I can keep on adding quality hands-on articles.