Cisco AnyConnect VPN Does Not Allow VPN Traffic [M940]

A. THE BUG/ISSUE (Varies from issue to issue)
  • Summary - Give a clear summary in the topic subject, NOT here.

  • Can U reproduce the problem & if so how reliably?:
    Yes, always.
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
    1: Install Windows 8.1 Pro x64
    2: Install Cisco AnyConnect Secure Mobility Client v3.1.05152 VPN client (downloaded from this page)
    3: Install CIS 7.0.313494.4115
    4: VPN client connects to server, but cannot pass any VPN traffic at all
    5: The VPN network is not detected by CIS either
  • If not obvious, what U expected to happen:
    VPN traffic should work, CIS should detect VPN network
  • If a software compatibility problem have U tried the conflict FAQ?:
  • Any software except CIS/OS involved? If so - name, & exact version:
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
    Disabling the firewall or even exiting CIS completely does not help. Just having CIS installed breaks Cisco VPN traffic.
    The only thing that helps is to uncheck “COMODO Internet Security Firewall Driver” from the Cisco AnyConnect Secure Mobility Client Connection network adapter. This will let the VPN traffic flow through but obviously it will not offer any protection from the Comodo Firewall.
    I tried an older Cisco AnyConnect v3.0.08057 client. That works with CIS 7, the VPN traffic is passed through without disabling the CIS driver, but the CIS Firewall offers NO protection, a port scan from the VPN side shows a lot of open ports.

  • Exact CIS version & configuration:
    CIS 7.0.313494.4115 Default Internet Security Configuration

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
    Default Internet Security Configuration
  • Have U made any other changes to the default config? (egs here.):
  • Have U updated (without uninstall) from CIS 5 or CIS6?:
    No – new machine, fresh install
    • if so, have U tried a clean reinstall - if not please do?:
  • Have U imported a config from a previous version of CIS:
    • if so, have U tried a standard config - if not please do:
  • OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
    Windows 8.1 Pro x64 all updates
  • Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:

Did you download it from this page?

Also, please attach a diagnostics report to your first post. If you have any questions about how to do that please feel free to ask.


Sorry but I will not post a diagnostics report in a public forum. I’m not sure what info might leak with it and I do value my privacy. I hope you understand. If a Comodo developer wants to get in touch with me, please PM me and we’ll take it from there.

I understand your concerns about the diagnostics report, although as far as I know no private information is shared. That said, I will not require that for this bug report. If the developers ask you for information, including a bug report, please do make sure you provide it to them.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again.

Some more data that may help the developers:

I tried an older Cisco AnyConnect v3.0.08057 client. That works with CIS 7, the VPN traffic is passed through without disabling the CIS driver, but the CIS Firewall offers NO protection, a port scan from the VPN side shows a lot of open ports.

I would like to be able to be on VPN and consider the VPN connection ‘public’ so that all incoming connections are blocked, I just want to establish outgoing connection over the VPN link, I don’t need any incoming.

I tried BitDefender Internet Security and that works well as described above, so it is possible to do it. Even the Windows Firewall can do it. It shows the VPN connection as a different connection and it can be marked Public which will block any incoming connections.

There’s definitely some work here that needs to happen in the CIS Firewall to make it all work well with VPN.

Thanks. I have added this new information both to the first post and to the tracker.

Thanks! I’ve seen reports that CIS v6 also has issues, sad to see the problems haven’t been addressed for v7. I skipped v6 and used v5 on Win7 for a long time and that seemed to work as expected, but now that I moved to Windows 8.1 I need to use CIS v7, which unfortunately doesn’t work for my use case, so I need to find a different firewall until CIS fixes this.

Same problem here. Older (3.0.?) Cisco VPN client worked, current client (3.1.?) does not. CIS 6.3, Win 7 x64. Unchecking Comodo Firewall driver helps.

It helps, but keep in mind you get no firewall protection, so make sure you trust the VPN network.

drfie, thank you for letting me know this does not work for you as well. I have updated the tracker.

I should add that even though AnyConnect v3.0.x seems to work without turning off the CIS firewall driver, CIS does NOT protect you at all. If you do a port scan from the remote VPN side you will see lots of open ports, there’s no way to be stealth. I do not trust the other clients that might be on VPN at the same time as me so I’d like to be stealth on the VPN network, I have no use case where I want other VPN clients to be able to connect to me (and if I ever do I want to allow the incoming connection only when I need it).

same problem
win 8.1
win 7
comodo internet security 6 & 7
cisco anyconnect ver 3.1.05160

I found that the Windows Firewall works best with Cisco VPN. 3rd party firewalls all seem to have one issue or another. Obviously Cisco only tests with the WF and makes sure it works well with it.

I have since removed CIS as it’s not useful in its current state and am using this tool to make controlling the WF easier:

The other thing I’ve been looking at is OpenConnect. There’s been a Linux version for a long time and now it looks like they will start supporting Windows too with the OpenVPN tun driver. Hopefully OpenConnect works better than the Cisco client (it works way better on Linux):

I realize it may not be an option for everyone to use OpenConnect and get rid of Cisco VPN, just an option for those who like to try.

I have updated the tracker saying it’s still not fixed for CIS version 7.0.315459.4132. Thanks.

This issue still persists in version 7.0.317799.4142.
As others have mentioned, the VPN connection will establish successfully, but data will not flow through the VPN properly.
A packet capture on the VPN interface using Wireshark shows that the only packets seen are packets generated locally, and nothing is being received remotely. For this reason, the machine is trying to ARP for the remote gateway but is not receiving any responses.
Interestingly, a concurrent packet capture on the connection supporting the VPN connection (e.g. the native LAN connection) is not seeing any packets generated over TCP port 443 to the VPN server for all of those broadcast + ARP packets that were generated by the system on the VPN interface, leading me to think there is a conflict between how Comodo attaches to the network stack that is causing it not to return packets onto the right path.
If the Comodo driver is deselected on the adapter, traffic flows properly and traffic is seen flowing to the VPN server over TCP port 443. No difference was observed if the firewall was disabled w/o deselecting the driver on the adapter (i.e. the VPN does not work as long as the driver is enabled on its adapter, regardless of whether the firewall is turned on or off at the UI level).
This is tested on Windows 7 64-bit on the Cisco AnyConnect Secure Mobility Client 3.1.04072.
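The triage reasoning in the post above, written out as an added example (not code from the thread or from Comodo): it parses a constructed tshark-style packet summary for both adapters and checks the same three things the reporter did, gateway ARP requests without replies on the VPN adapter, no frames arriving from anyone else on it, and no payload-carrying TCP/443 packets to the VPN server leaving the LAN adapter. The line format, the addresses and the gateway/server IPs are all constructed for the example.

```python
import re

# Assumed text summary format (constructed, tshark-like): "<no> <time> <src> -> <dst> <proto> <info>"
LINE_RE = re.compile(r"^\s*\d+\s+[\d.]+\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+(.*)$")

def parse_summary(text):
    """Return (src, dst, proto, info) tuples; lines that do not match the format are skipped."""
    return [m.groups() for m in (LINE_RE.match(line) for line in text.splitlines()) if m]

def diagnose(vpn_pkts, lan_pkts, local_addrs, gateway_ip, vpn_server):
    """Apply the report's reasoning: gateway ARP requests vs replies and inbound frames on the
    VPN adapter, and whether anything with payload leaves the LAN adapter as TCP/443 to the server."""
    arp_req = sum(1 for s, d, p, i in vpn_pkts if p == "ARP" and f"Who has {gateway_ip}?" in i)
    arp_rep = sum(1 for s, d, p, i in vpn_pkts if p == "ARP" and i.startswith(f"{gateway_ip} is at"))
    inbound = sum(1 for s, d, p, i in vpn_pkts if s not in local_addrs)
    tunnel_out = sum(1 for s, d, p, i in lan_pkts
                     if p == "TCP" and d == vpn_server and "-> 443" in i and "Len=0" not in i)
    if arp_req and not arp_rep and not inbound and not tunnel_out:
        verdict = "dropped-on-vpn-adapter"   # frames never reach the tunnel: check adapter bindings/filter drivers
    elif arp_req and not arp_rep:
        verdict = "no-response-from-remote"  # host does send through the tunnel; the problem lies beyond it
    else:
        verdict = "adapter-path-ok"
    return {"arp_requests": arp_req, "arp_replies": arp_rep, "inbound_frames": inbound,
            "tunnel_payload_pkts": tunnel_out, "verdict": verdict}

# Constructed sample captures reproducing the symptom described in the thread (not real data).
LOCAL = {"00:11:22:33:44:55", "10.10.0.57", "192.168.1.20"}
VPN_IFACE = """\
1 0.000 00:11:22:33:44:55 -> ff:ff:ff:ff:ff:ff ARP Who has 10.10.0.1? Tell 10.10.0.57
2 1.001 00:11:22:33:44:55 -> ff:ff:ff:ff:ff:ff ARP Who has 10.10.0.1? Tell 10.10.0.57
3 1.250 10.10.0.57 -> 10.10.255.255 UDP 137 -> 137 Len=50
"""
LAN_IFACE = """\
1 0.000 192.168.1.20 -> 203.0.113.10 TCP 52000 -> 443 [ACK] Seq=1 Ack=1 Len=0
2 0.500 192.168.1.20 -> 192.168.1.1 DNS Standard query A example.test
"""

if __name__ == "__main__":
    print(diagnose(parse_summary(VPN_IFACE), parse_summary(LAN_IFACE), LOCAL, "10.10.0.1", "203.0.113.10"))
```

A keepalive ACK with Len=0 is deliberately not counted as tunnel traffic, since the tunnel TCP session staying up is exactly what the reporter saw while no data was being carried.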

Thank you very much for doing all of this digging. I have updated the version noted in the tracker and passed this information on to the devs.

Thanks again.

The devs have not marked this as Fixed in the tracker. However, sometimes bugs are fixed by the release of new versions, but not marked as Fixed in the tracker.

If you are able please check with the newest version (CIS version and let me know if this is fixed on your computer with that version.

Thank you.

I can confirm that the bug is fixed in the new release.

Comodo Internet Security Premium
Cisco AnyConnect Secure Mobility-Client Version
Windows 7

I’ve now closed this entry in the tracker and moved this report to Resolved. If this issue returns please respond to this topic and let me know.

Thank you.