WSL2 network connection breaks with Pulse Secure VPN

New Contributor

My workstation setup is: Windows 10 (1909) + WSL2 (ubuntu) 

My Linux distribution connects to the external network. I can ping www.google.com, download packages with apt-get, and so on.

But, once I connect to the corporate VPN with Pulse Secure (9.1.5), connectivity suddenly stops:

 

Before connecting to VPN:

```
ut06609@ES28P01315583T1:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.17.135.17 0.0.0.0 UG 0 0 0 eth0
172.17.135.16 0.0.0.0 255.255.255.240 U 0 0 0 eth0
ut06609@ES28P01315583T1:~$ ping 172.17.135.17
PING 172.17.135.17 (172.17.135.17) 56(84) bytes of data.
64 bytes from 172.17.135.17: icmp_seq=1 ttl=128 time=0.410 ms
64 bytes from 172.17.135.17: icmp_seq=2 ttl=128 time=0.568 ms
^C
--- 172.17.135.17 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1031ms
rtt min/avg/max/mdev = 0.410/0.489/0.568/0.079 ms
```

After connecting to VPN:

```
ut06609@ES28P01315583T1:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.17.135.17 0.0.0.0 UG 0 0 0 eth0
172.17.135.16 0.0.0.0 255.255.255.240 U 0 0 0 eth0
ut06609@ES28P01315583T1:~$ ping 172.17.135.17
PING 172.17.135.17 (172.17.135.17) 56(84) bytes of data.

^C
--- 172.17.135.17 ping statistics ---
320 packets transmitted, 0 received, 100% packet loss, time 331775ms
```

 

Note that I cannot even connect to the default gateway, which is the virtual network adapter for WSL:

```
PS C:\Users\UT06609> Get-NetIPConfiguration -InterfaceAlias "*WSL*"
InterfaceAlias       : vEthernet (WSL)
InterfaceIndex       : 66
InterfaceDescription : Hyper-V Virtual Ethernet Adapter #2
IPv4Address          : 172.17.135.17
IPv6DefaultGateway   :
IPv4DefaultGateway   :
DNSServer            : 10.144.145.179
                       10.144.57.198
```

I tried to "manipulate" the routing rules created by Pulse Secure (e.g. change metrics), but couldn't make it work. Is PulseSecure compatible with WSL2? If so, should I open a bug ticket (and how)?

 

Thank you in advance.

Aritz

 

 

 

9 REPLIES
Frequent Contributor

Re: WSL2 network connection breaks with Pulse Secure VPN

Hello and thank you for your post.  Without knowing the specifics of the VPN policy for your company, I can only assume that your connection is set for FULL TUNNEL aka Disable Split Tunnel.  In other words, all traffic is sent down the tunneled interface to the appliance...this would include non-company related internet traffic.  In other words, you are basically a virtual node on your company's subnet as if you were in the office.  If your company doesn't explicitly allow traffic for sites and denies all non-company related traffic, this could explain the behavior you are seeing.  Again, this is speculation on my part.

 

There are also config options available to the VPN administrator where they can limit your access to local subnets on your home network.  You should consult your IT department to see if this is the case or not.

 

Thank you


Craig Brauckmiller

Escalation Manager

Pulse Secure

New Contributor

Re: WSL2 network connection breaks with Pulse Secure VPN

Yes, probably the configuration is Full Tunnel, because some sites are restricted while I'm connected to the VPN. Is there any way to share with you my Pulse Secure client configuration?

 

Regarding the limitation of local subnets, I'm not sure that is the case. When connected to the VPN, my Docker containers can still reach other domains (both corporate and external). See the example below. Note that "Docker for Windows" is using WSL2 under-the-hood.

 

```
ut06609@ES28P01315583T1:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.1 LTS
Release:        20.04
Codename:       focal
ut06609@ES28P01315583T1:~$ ping www.google.com
ping: www.google.com: Temporary failure in name resolution
ut06609@ES28P01315583T1:~$ ping kibana.es.telefonica
ping: kibana.es.telefonica: Temporary failure in name resolution
ut06609@ES28P01315583T1:~$ docker run -it --rm busybox /bin/sh
/ # ping www.google.com
PING www.google.com (216.58.211.36): 56 data bytes
64 bytes from 216.58.211.36: seq=0 ttl=37 time=16.116 ms
64 bytes from 216.58.211.36: seq=1 ttl=37 time=19.486 ms
^C
--- www.google.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 16.116/17.801/19.486 ms
/ # ping kibana.es.telefonica
PING kibana.es.telefonica (10.148.136.56): 56 data bytes
64 bytes from 10.148.136.56: seq=0 ttl=37 time=23.034 ms
64 bytes from 10.148.136.56: seq=1 ttl=37 time=28.450 ms
^C
--- kibana.es.telefonica ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 23.034/25.742/28.450 ms
```

Apparently, it's quite common to have connectivity issues with WSL2 and VPN. However, all the workarounds I have found are for other products, such as Citrix or Cisco AnyConnect. For example: https://github.com/microsoft/WSL/issues/5764

 

I have tried out many workarounds, but none of them seem to work.

Frequent Contributor

Re: WSL2 network connection breaks with Pulse Secure VPN

Thanks for the reply.  I failed to answer your previous question.  Pulse has not qualified or tested WSL2 Linux...so I don't know if the client will work as expected.

 

The client config won't really tell me much as the config is sent dynamically from the server side every time you connect.  Things like what networks are allowed and not allowed, traffic enforcement, etc. We'd need to see the debug logs from the client side to get an understanding of what is going on.

 

Also, are you using the Windows Pulse Client or the Linux client to connect?  Should have asked that at the start.  If you are running the Windows Client, you can open the client, go to the File menu, select Connections and then select Advanced Connection Details.  This will pop up a window and will show you the tunnel configuration for your active connections.  Are there any networks that overlap with your local nets?

 

Thanks,

 

Craig

New Contributor

Re: WSL2 network connection breaks with Pulse Secure VPN

Thanks for the reply. I'm using Windows Pulse Client (9.1). My connection details are:

 

 

Tiempo restante de la sesión:  7h 58m 12s  
 Duración de la sesión:  1m 48s  
 Tipo de túnel:  VPN  
 Tipo de VPN:  ESP  
 IPV4 asignada::  10.57.181.148  
 Bytes recibidos:  347713  
 Bytes enviados:  198792  
 Origen de conexión:  Añadido por el usuario 

Regarding WSL2 Linux compatibility with Windows Pulse Secure client, is the feature expected at some point? Could you consider enhancing it?

 

 

It seems that there is already some support for "Linux on Windows", as stated in the release notes of version 9.1.5:

https://www-prev.pulsesecure.net/download/techpubs/current/2197/pulse-client/pulse-secure-client-des... 

 

Pulse Linux Client on Windows now supports Fedora 30, Ubuntu 19.10 and Debian 10 platforms

However, that is quite the opposite of my setup. I'd need Pulse Windows Client support for WSL2 distributions (Ubuntu, etc.). To sum up, both my local workstation (Windows PC) and local virtual machines (WSL2 distributions) should be capable of connecting to the corporate network through the VPN.

 

 

 

 

Visitor

Re: WSL2 network connection breaks with Pulse Secure VPN

I am being hit by what appears to be a similar (possibly same) issue related to network connectivity from Ubuntu 20.04 running via WSL2 on Windows 10 (19042.630).

Any chance that you'll be looking at supporting connectivity from WSL2? It's a part of Windows experience now, and quite a few people seem to be stuck in a similar rut (example: https://github.com/microsoft/WSL/issues/5068).

Cheers

New Contributor

Re: WSL2 network connection breaks with Pulse Secure VPN

Do we have an update here? Is there a solution?

 

New Contributor

Re: WSL2 network connection breaks with Pulse Secure VPN

It worked for me after adding the Pulse DNS servers from Windows and DNS Suffix to /etc/resolv.conf inside WSL2

It looks like below now

```
# This file was automatically generated by WSL. To stop automatic generation of this file, add the following entry to /etc/wsl.conf:
# [network]
# generateResolvConf = false
search internal.*.com
nameserver **.***.*.*
nameserver **.***.*.*
nameserver ***.**.***.***
```

The *s above are wildcards

Also, you have to edit the /etc/wsl.conf as mentioned in the comments above. Else /etc/resolv.conf will be overwritten

I think I have to refresh the addresses above when those DNS servers change
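The workaround from the reply above, written as a script. This is an added example, not code from the poster or from Pulse Secure; the function names are hypothetical, it takes a single search suffix, and the addresses in the usage comment are documentation-range placeholders to be replaced with the DNS servers the VPN pushes to Windows.

```shell
#!/bin/sh
# Added example. File paths are arguments so it can be tried on scratch copies
# before touching /etc/wsl.conf and /etc/resolv.conf.
# e.g. ensure_wsl_conf /etc/wsl.conf
#      write_resolv_conf /etc/resolv.conf corp.example 192.0.2.53 198.51.100.53

is_ipv4() {  # succeed only for a dotted quad with octets 0-255
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

ensure_wsl_conf() {  # set generateResolvConf = false under [network], idempotently
    conf=$1
    [ -f "$conf" ] || : > "$conf"
    tmp=$(mktemp) || return 1
    awk '
        /^\[/ { if (in_net && !done) { print "generateResolvConf = false"; done = 1 }
                in_net = ($0 == "[network]") }
        in_net && /^[ \t]*generateResolvConf[ \t]*=/ {
            if (!done) { print "generateResolvConf = false"; done = 1 }
            next }
        { print }
        END { if (!done) { if (!in_net) print "[network]"
                           print "generateResolvConf = false" } }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?; rm -f "$tmp"; return $rc
}

write_resolv_conf() {  # usage: write_resolv_conf FILE SEARCH_SUFFIX NS1 [NS2 [NS3]]
    out=$1; search=$2; shift 2
    # glibc's resolver only consults the first three nameserver lines
    if [ $# -lt 1 ] || [ $# -gt 3 ]; then echo "need 1-3 nameservers" >&2; return 1; fi
    case $search in  # reject spaces/newlines so no extra directive can be smuggled in
        *[!A-Za-z0-9.-]*) echo "bad search suffix" >&2; return 1 ;;
    esac
    for ns in "$@"; do
        is_ipv4 "$ns" || { echo "not an IPv4 address: $ns" >&2; return 1; }
    done
    rm -f "$out"   # resolv.conf is usually a symlink under WSL; replace the link itself
    {
        [ -z "$search" ] || printf 'search %s\n' "$search"
        for ns in "$@"; do printf 'nameserver %s\n' "$ns"; done
    } > "$out"
}
```

Changes to /etc/wsl.conf only take effect after the distribution is restarted (for example with `wsl --shutdown` from Windows). Because the file is now static, it keeps pointing at the VPN's resolvers after the tunnel drops until it is rewritten.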

New Contributor

Re: WSL2 network connection breaks with Pulse Secure VPN

Hello,

 

I tried all the solutions from here and from here https://github.com/microsoft/WSL/issues/5068

But no internet connection...

Help ...

 

Thx