A. THE BUG/ISSUE (Varies from issue to issue)
- Summary - Give a clear summary in the topic subject, NOT here.
Can U reproduce the problem & if so how reliably?:
Yes, always.
If U can, exact steps to reproduce. If not, exactly what U did & what happened:
1: Install Windows 8.1 Pro x64
2: Install Cisco AnyConnect Secure Mobility Client v3.1.05152 VPN client (downloaded from this page)
3: Install CIS 7.0.313494.4115
4: VPN client connects to server, but cannot pass any VPN traffic at all
5: The VPN network is not detected by CIS either
If not obvious, what U expected to happen:
VPN traffic should work, CIS should detect VPN network
If a software compatibility problem have U tried the conflict FAQ?:
Yes
Any software except CIS/OS involved? If so - name, & exact version:
No
Any other information, eg your guess at the cause, how U tried to fix it etc:
Disabling the firewall or even exiting CIS completely does not help. Just having CIS installed breaks Cisco VPN traffic.
The only thing that helps is to uncheck “COMODO Internet Security Firewall Driver” from the Cisco AnyConnect Secure Mobility Client Connection network adapter. This will let the VPN traffic flow through but obviously it will not offer any protection from the Comodo Firewall.
I tried an older Cisco AnyConnect v3.0.08057 client. That works with CIS 7: the VPN traffic is passed through without disabling the CIS driver, but the CIS Firewall offers NO protection; a port scan from the VPN side shows a lot of open ports.
B. YOUR SETUP
- Exact CIS version & configuration:
CIS 7.0.313494.4115 Default Internet Security Configuration
Have U made any other changes to the default config? (egs here.):
No
Have U updated (without uninstall) from CIS 5 or CIS6?:
No – new machine, fresh install
- if so, have U tried a clean reinstall - if not please do?:
n/a
- Have U imported a config from a previous version of CIS:
No
- if so, have U tried a standard config - if not please do:
n/a
- OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 8.1 Pro x64 all updates
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
No
Also, please attach a diagnostics report to your first post. If you have any questions about how to do that please feel free to ask.
Sorry but I will not post a diagnostics report in a public forum. I’m not sure what info might leak with it and I do value my privacy. I hope you understand. If a Comodo developer wants to get in touch with me, please PM me and we’ll take it from there.
I understand your concerns about the diagnostics report, although as far as I know no private information is shared. That said, I will not require that for this bug report. If the developers ask you for information, including a bug report, please do make sure you provide it to them.
Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.
Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.
I would like to be able to be on VPN and consider the VPN connection ‘public’ so that all incoming connections are blocked, I just want to establish outgoing connection over the VPN link, I don’t need any incoming.
I tried BitDefender Internet Security and that works well as described above, so it is possible to do it. Even the Windows Firewall can do it. It shows the VPN connection as a different connection and it can be marked Public which will block any incoming connections.
There’s definitely some work here that needs to happen in the CIS Firewall to make it all work well with VPN.
Thanks! I’ve seen reports that CIS v6 also has issues, sad to see the problems haven’t been addressed for v7. I skipped v6 and used v5 on Win7 for a long time and that seemed to work as expected, but now that I moved to Windows 8.1 I need to use CIS v7 which unfortunately doesn’t work for my use case so I need to find a different firewall until CIS fixes this.
I should add that even though AnyConnect v3.0.x seems to work without turning off the CIS firewall driver, CIS does NOT protect you at all. If you do a port scan from the remote VPN side you will see lots of open ports, there’s no way to be stealth. I do not trust the other clients that might be on VPN at the same time as me so I’d like to be stealth on the VPN network, I have no use case where I want other VPN clients to be able to connect to me (and if I ever do I want to allow the incoming connection only when I need it).
I found that the Windows Firewall works best with Cisco VPN. 3rd party firewalls all seem to have one issue or another. Obviously Cisco only tests with the WF and makes sure it works well with it.
I have since removed CIS as it’s not useful in its current state and am using this tool to make controlling the WF easier:
The other thing I’ve been looking at is OpenConnect. There’s been a Linux version for a long time and now it looks like they will start supporting Windows too with the OpenVPN tun driver. Hopefully OpenConnect works better than the Cisco client (it works way better on Linux): http://www.infradead.org/openconnect/
I realize it may not be an option for everyone to use OpenConnect and get rid of Cisco VPN, just an option for those who like to try.
This issue still persists in version 7.0.317799.4142.
As others have mentioned, the VPN connection will establish successfully, but data will not flow through the VPN properly.
A packet capture on the VPN interface using Wireshark shows that the only packets seen are packets generated locally, and nothing is being received remotely. For this reason, the machine is trying to ARP for the remote gateway but is not receiving any responses.
Interestingly, a concurrent packet capture on the connection supporting the VPN connection (e.g. the native LAN connection) is not seeing any packets generated over TCP port 443 to the VPN server for all of those broadcast + ARP packets that were generated by the system on the VPN interface, leading me to think there is a conflict between how Comodo attaches to the network stack that is causing it not to return packets onto the right path.
If the Comodo driver is deselected on the adapter, traffic flows properly and traffic is seen flowing to the VPN server over TCP port 443. No difference was observed if the firewall was disabled w/o deselecting the driver on the adapter (i.e. the VPN does not work as long as the driver is enabled on its adapter, regardless of whether the firewall is turned on or off at the UI level).
This is tested on Windows 7 64-bit on the Cisco AnyConnect Secure Mobility Client 3.1.04072.
Thanks!
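The two things this thread keeps coming back to, whether the CIS filter driver is bound to the AnyConnect adapter (the binding the workaround above unticks) and whether Windows treats the VPN link as Public so that inbound connections are blocked (the port-scan observation earlier), can both be checked from PowerShell. This is an added example, not code from the thread, from Comodo or from Cisco; it assumes the Windows 8.1+ NetAdapter/NetSecurity cmdlets and that the Cisco virtual adapter's description contains "AnyConnect" (the `$AdapterPattern` default is an assumption, adjust it if the adapter is named differently).

```powershell
# Added example (not from the thread, Comodo or Cisco). Assumes Windows 8.1+ cmdlets
# and that the Cisco virtual adapter's description contains "AnyConnect" (assumption).
param(
    [string]$AdapterPattern = '*AnyConnect*',  # assumption: matches the Cisco adapter
    [switch]$SetPublic                         # apply the "treat VPN as Public" fix (needs admin)
)

$adapters = Get-NetAdapter -IncludeHidden |
    Where-Object { $_.InterfaceDescription -like $AdapterPattern -or $_.Name -like $AdapterPattern }
if (-not $adapters) { Write-Warning "No adapter matching '$AdapterPattern'"; return }

foreach ($a in $adapters) {
    "=== $($a.Name) [$($a.InterfaceDescription)] status=$($a.Status)"

    # 1. Filter/protocol drivers bound to the VPN adapter. The thread's workaround is to
    #    untick "COMODO Internet Security Firewall Driver" here; this shows whether it is bound.
    $bindings = Get-NetAdapterBinding -Name $a.Name
    $bindings | Select-Object DisplayName, ComponentID, Enabled | Format-Table -AutoSize
    $cis = $bindings | Where-Object { $_.DisplayName -like '*COMODO*' }
    if ($cis) { "COMODO driver bound to this adapter: Enabled=$($cis.Enabled -join ',')" }

    # 2. Network category Windows assigned to the link and the matching firewall profile's
    #    default inbound action. Unsolicited inbound is dropped only if this says Block.
    $prof = Get-NetConnectionProfile -InterfaceIndex $a.ifIndex -ErrorAction SilentlyContinue
    if ($prof) {
        if ($SetPublic -and $prof.NetworkCategory -ne 'Public') {
            Set-NetConnectionProfile -InterfaceIndex $a.ifIndex -NetworkCategory Public
            $prof = Get-NetConnectionProfile -InterfaceIndex $a.ifIndex
        }
        $fwName = if ($prof.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' } else { $prof.NetworkCategory }
        $fw = Get-NetFirewallProfile -Name $fwName
        "Network category: $($prof.NetworkCategory); firewall enabled=$($fw.Enabled); default inbound=$($fw.DefaultInboundAction)"
    } else {
        "No connection profile for this adapter (link down or not yet classified)"
    }

    # 3. TCP listeners reachable on the VPN address when inbound is not blocked: this is
    #    what the remote VPN side would see, as described earlier in the thread.
    $ips = (Get-NetIPAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue).IPAddress
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -in (@('0.0.0.0') + @($ips)) } |
        Sort-Object LocalPort -Unique |
        Select-Object LocalAddress, LocalPort, OwningProcess |
        Format-Table -AutoSize
}
```

Run it without `-SetPublic` first to see the current state; the category change only takes effect for the profile Windows has already associated with the adapter, so re-run after the VPN reconnects.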
The devs have not marked this as Fixed in the tracker. However, sometimes bugs are fixed by the release of new versions, but not marked as Fixed in the tracker.
If you are able please check with the newest version (CIS version 8.0.0.4337) and let me know if this is fixed on your computer with that version.