Strange Win7-behavior with AnyConnect and Ipv6

I think Windows 7 behaves strange with AnyConnect and IPv6

 

I have recently been doing a lot of ipv6-configurations and as part of that I tried out the ipv6-support in the Cisco Anyconnect-client. While doing that I found out a lack of functionality when it comes to ipv6 in combination with Windows 7 and the Aynconnect-client.

 

Since I have no native v6-support from my ISP I have an ipv6-tunnel from sixxs.net, providing my with my own /48-prefix network. An internal linux-host on my home networks serves as an ipv6 default-gateway and my home ASA firewall has an ipv6 default-route pointing towards that machine.

 

I have been abroad for a few days and fooled around with the Anyconnect while wasting time at the hotel room, and what I found out is a bit strange. Windows simply doesnt care about the Aynconnect v6-address when it comes to DNS lookups.

 

The ASA firewall at home has been configured with an v6-address on the inside interface and a default-route as stated above. I have added an ipv6-pool in addition to the normal ipv4 vpn-pool configured in my DfltGrpPolicy and my VPN-clients gets an v6-address as well as an v4-address:

 



So I have a Windows7-client with ipv4-only configured on the nic, and dual-stack configured on the tunnel-interface. Look what happens when I try to resolve an hostname that only has an A-record (that is, v4):

 



The wireshark-capture prooves that only an A-record is resolved:

 



On the other hand, when I manually resolves an AAAA-record (v6) I get an instant lookup:

 



And the corresponding wireshark-capture:

 



Also, when I enter http://[2a00:1450:8001:63] in an browser I get the Google web-page.

 

So: My client has full connectivity with both v4-internet and v6-internet. Still, I cannot reach v6-internet in a decent way since windows doesnt resolve AAAA-records.

 

Shouldnt it do lookups of both AAAA and A-record as it would if I had dual stacks configured on the ordinary nick? Is this something wrong in Windows? Or in the Anyconnect-client? Or have I done something wrong?

 

Enlighten me!



Tagged with: , , ,
Posted in Cisco Security

Leave a Reply

Your email address will not be published.

*

Signuppp

[mc4wp_form id="2457"]
Website Security Test