
sharing drive throws firewall block error with windows native docker when cisco anyconnect VPN is ON #360

Closed
sugun999 opened this issue Dec 28, 2016 · 64 comments

Comments

@sugun999

Expected Behaviour:

File sharing should work even when the corporate Cisco AnyConnect VPN is ON.

Actual behaviour:

Sharing drive C fails by throwing a "firewall block detected" error.

Information:

Installed native docker on windows 10 enterprise version 10.0.14393
Also, F-secure is installed on my laptop and opened necessary network firewall openings with f-secure (to allow all traffic between 10.0.75.1 & 10.0.75.2)
Everything works fine as long as the corporate cisco anyconnect VPN is NOT ON.

But as soon as the corporate Cisco AnyConnect VPN is ON, sharing drive C fails by throwing a "firewall detected" error.

As you know, when switching to the corporate Cisco AnyConnect VPN, the routing tables get modified, and it looks like file sharing is not working.

Is there any hack for this issue?

@johnrb2

johnrb2 commented Dec 28, 2016

I have the same problem.

When I run "docker run --rm -v c:/Users:/data alpine ls /data" while Cisco AnyConnect Secure Mobility Client Version 4.3.02039 is logged in, I get this back:

C:\Program Files\Docker\Docker\Resources\bin\docker.exe: Error response from daemon: mkdir /c: file exists.

Diag ID: 8CFF8C5F-5384-42B5-BDB0-704D32546F3D/2016-12-29_12-09-25

@stuft2

stuft2 commented Dec 28, 2016

Me too.

@simonferquel

Hi, which version of Docker for Windows are you using? Can you try the latest beta?

@sugun999
Author

sugun999 commented Jan 3, 2017

Hi Simonferquel,

Thanks for the reply. I tried with both the stable channel (1.12.5) & the beta channel (1.13.0-rc4), and the end result is the same error, which is "Firewall blocking file sharing between windows and the container. See documentation for more info".

Please note that all "file and printer sharing" inbound rules of windows firewall settings are enabled for private, public and domain profiles on my laptop.
And also, windows firewall is turned off for all private, public and domain profiles.

Please help us troubleshoot this issue.

@johnrb2

johnrb2 commented Jan 3, 2017

Okay, so what I have found out from Glen Sawyer is that the VPN doesn't like the IP using 10.0.75.1, most likely because it is used by the business already.

You need to change the network to 192.168.X.X

[NOTE: You may need to play around with the number so it doesn't interfere with your home network]

[screenshot]

@sugun999
Author

sugun999 commented Jan 4, 2017

Hi,

Thanks for the info. Instead of trying all the numbers (1-254) for IP part, is there any specific rule/criteria in choosing the number, so that it works?

@johnrb2

johnrb2 commented Jan 4, 2017

You just don't want it to be one that is already in use by something else.

My friend says he doesn't use 192.168.1.X for his because it is used for his network devices at home.

http://trendblog.net/ever-wondered-use-192-168-x-x-ip-addresses-home/

@sugun999
Author

sugun999 commented Jan 5, 2017

Hi,

I tried with several free network IPs but still docker throws same error when trying to share C drive.

@johnrb2

johnrb2 commented Jan 5, 2017

I had to get a computer with an operating system that was the full version of Windows 10 Pro instead of the company's modified version of Windows 10, and my computer had to be off the company's domain. It could be an issue with that. I am not an official Docker worker, but I would suggest trying Docker for Windows beta to see if it fixes it, uploading a diagnostic file, and copying and sharing the reference with your issue.

@friism

friism commented Jan 5, 2017

@johnrb2 thanks for following up - it'd be very useful for us to learn what exactly blocked Docker on a normally configured machine.

@sugun999
Author

Hi Docker team,
Any workaround to get drive sharing working even with the Cisco AnyConnect VPN?

@friism

friism commented Jan 12, 2017

@sugun999 if possible, can you upload a diagnostic dump from the app and post the id here?

@sugun999
Author

Hi friism,

Thanks for the reply. Before sending the dump, could you please let me know what the diagnostic report contains?
Will Docker collect any security info?

@friism

friism commented Jan 12, 2017

@sugun999 the diagnostic dump is pretty comprehensive to help us fully debug problems on user systems. Access to the dumps is limited to engineers working on Docker for Mac and Windows, and we handle the dumps with care.

If you're not comfortable using the diagnostic feature, please access the logs after encountering this problem, remove any sensitive info and paste the relevant log snippet in this issue.

@sugun999
Author

Hi friism,

Below is a log excerpt which is logged when trying to share drive C.
Please note that the F-Secure software on my laptop is not blocking anything. I added a rule to allow all traffic from any IPv4 address, which is working without VPN.

Could you please take a look at this and provide a solution for this issue, why file sharing doesn't work with VPN?

log_excerpt.txt

@simonferquel

From the log, I see that you changed the IP settings of the VM (it says your host has IP 192.168.230.1, so your VM should have 192.168.230.2).
From the following lines, I see that the VM cannot reach port 445 on 192.168.230.1. By any chance, can you make sure that the IP settings you chose do not conflict with the VPN connection IP? (Or just dump your ipconfig /all here.)

@sugun999
Author

sugun999 commented Jan 13, 2017

Hi Simonferquel,

Before or after opening VPN, I do see that "Ethernet adapter vEthernet (DockerNAT) 2" has

IPv4 Address. . . . . . . . . . . : 192.168.230.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0

Of course, a new virtual adapter gets created when the VPN is ON, and it gets its own IPv4 address 141.19x.xxx.xxx, which is not conflicting with the above Docker Ethernet adapter IP address.

@sugun999
Author

Hi,

Any ideas?

@simonferquel

Unfortunately no. It seems that Cisco AnyConnect includes some kind of firewall blocking port 445. We'll need to investigate more thoroughly, but we need the proper Cisco infrastructure to test it.

@stuft2

stuft2 commented Jan 20, 2017

I did what @johnrb2 did and it worked just fine for me. I don't think Cisco AnyConnect has to block port 445 to work properly. If it did, then it wouldn't be working for me or johnrb2.

@sugun999
Author

Hi SpencerTuft,

Could you please let me know, what is subnet address/mask you tried?

@stuft2

stuft2 commented Jan 23, 2017

@sugun999,
You may have an issue with your vpn settings and not the subnet addresses.

@sugun999
Author

Yes, I understood that it is specific to our VPN. Hence closing this.

@rn
Contributor

rn commented Feb 15, 2017

@sugun999 We obviously would like to work in environments with VPNs etc., but unfortunately we have very little control over the VPN settings. We are looking into other options for file sharing which do not require the current network-based setup, but have not found a suitable replacement yet.

@libsamek

libsamek commented Mar 8, 2017

Thanks for this issue! It made me realize that it's a routing problem. VPN clients usually add static routes, for example 10.0.0.0/8. That was routed to our corp network.

I solved the issue by using an address space which isn't used in our corp network, for example something from 172.16.0.0 - 172.31.255.255.

So for anyone experiencing the same problems, check your routing tables first and then do the correct addressing based on that :)

@jrbecart

Solutions that work for my case (from previous suggestions):

  • Ask for this list of IP ranges, for example, to be added to the non-secured routes in the Cisco AnyConnect profile:
    127.0.0.0/8
    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16

  • Use OpenConnect

@los93sol

Bump, please consider changing the way this works so that it works for those of us in these scenarios

@bdwyertech

bdwyertech commented Mar 1, 2019

If there was a way to override the destination address for the SMB protocol from the Docker daemon, it would likely get around the secured route issue. You'd set it to the Cisco virtual adapter's IP address and all the woes would likely go away, as the restrictions apply to local IPs. AnyConnect babysits the local routing table metrics and makes sure everything flows out the virtual adapter; hence, if the SMB destination was the AnyConnect adapter IP address, SMB would work.

@los93sol

los93sol commented Mar 1, 2019

Interesting... similar to others, mine secures 0.0.0.0/0, and when looking at the routing tables I can see it literally overrides everything. Can you explain a bit more or point me to some documentation on how routing SMB from Docker to AnyConnect's virtual address would work in that scenario? I'm interested to stage some tests while running a pcap to better understand.

@bdwyertech

bdwyertech commented Mar 1, 2019

I don't have any documentation to point to; however, I use this method when working remotely to allow certain tools to work... Take Packer as an example: it throws up a web server to serve up kickstart files. I noticed it didn't work when allowing Packer to choose the IP (typically my WiFi adapter); however, inserting my Cisco AnyConnect adapter's IP address in there made it work fine. I've also used this previously with Vagrant on VMware, which uses NFS/SMB for file sharing.

If you think about it, the network restrictions force everything out of that interface; it's a catch-all route with the best metric. Being that your laptop has an IP on the forced egress interface, if you bind all, e.g. bind to 0.0.0.0, then you're also listening on that interface and can communicate properly on it. With AnyConnect enabled, you've either got to use its IP or 127.0.0.1, and localhost is not routable, so that leaves only a single option...

@julianiacoponi

Please can this be re-opened and addressed :) or at least figure some other way of running docker natively on windows with mounted volumes, whilst behind Cisco AnyConnect.

@kamkie

kamkie commented Mar 29, 2019

There is a new version of Cisco AnyConnect, 4.7 (it is using the Windows VPN infrastructure), in the Windows Store; I will test that this weekend.

@j0rdiun

j0rdiun commented Mar 30, 2019

I have a suggested 'fix' for this; please follow the instructions below:

  • Within your docker settings uncheck "Start docker desktop when you log in"
  • Restart Machine
  • Now that machine is restarted open settings in Cisco anyconnect
  • Go to networks and then, in the top right where all your network connections are listed, click the arrow pointing to the right (sorry, I don't have screenshots). This should show a drop-down with enable and disable; click disable
  • Now start docker
  • Docker should now start and run the daemon this time.
  • Now spin up your container
  • Go back in to your Cisco any connect settings and enable the networking again
  • Your container should stay open and you should be able to access the ports all fine

All in all, the issue I believe happens is that the Cisco AnyConnect VPN controls all network adapters and Docker can't own one, so briefly disabling the VPN to allow the Docker daemon to establish a connection should fix your issues running Docker alongside the VPN. This step has to be repeated every restart!

@kamkie

kamkie commented Mar 31, 2019

https://www.microsoft.com/en-us/p/anyconnect/9wzdncrdj8lh
Using this version of Cisco AnyConnect, I can use volumes when connected to the VPN.

@julianiacoponi

Thanks! I unfortunately use a non-Microsoft Store copy of AnyConnect and cannot find how to update my version from 4.6.03049 to 4.7+ ... any advice on how to do this is appreciated! (Although I myself appreciate this is not relevant to this bug.)

In the meantime, @Jordaanwatson, I will try your method. However, I don't seem to have a "Networks" section in my AnyConnect settings?
[screenshot]

@j0rdiun

j0rdiun commented Mar 31, 2019

@julianiacoponi Your version is very close to the one I use. I'm not at my work machine at the moment, but see if you can find where it lists your networks, or even just find where you can disable the VPN and re-enable it once you have Docker started and a container running. Let me know how you get on!

@jeffjwills

I also have this issue, I normally just kill Cisco to get around it but I can’t always do that. This issue is preventing me from recommending Docker to my organisation which is a shame.

Tried the Windows Store version of AnyConnect (4.7+) makes no difference for me.

Tried Jordaanwatson’s solution to disable Cisco, start a Docker VM, then enable Cisco but this doesn’t work for me.

I am going to try getting some IP ranges added to the non-secured routes.

I am also going to try OpenConnect to see if it works but this is not a solution I can let anyone else use as AnyConnect is Corporate Policy.

Fingers crossed enough people have this issue and a new version of Docker will have a workaround!

@asinoai

asinoai commented May 7, 2019

Had the same problem; to solve it, I switched to OpenConnect (https://github.com/openconnect/openconnect-gui/releases/tag/v1.5.3) as mentioned already, but also had to add the following to the Docker daemon's config file: "bip" : "192.168.1.5/24", because the default was clashing with existing IPs (https://docs.docker.com/v17.09/engine/userguide/networking/default_network/custom-docker0/)

@brianwthomas

Would love a solution for this. I can't get this running in my corp environment either with VPN running

@var23rav

As @johnrb2 says the best way is to change the docker network.

When you do folder sharing (volume mount) with WSL, you may face issues if there is any VPN connection enabled.

Solution, if you are using Cisco AnyConnect:

  • Allow Local Connection from Preferences
  • Or, if you don't have the permission to allow Local Connection or you can't see this option,
    try changing the Docker network to match any non-secured routes of Cisco AnyConnect to avoid this blocking

Network ranges can be found in
Cisco AnyConnects -> click on the settings(gear icon) -> Route Details -> Non-Secure Routes

Update Docker -> Settings -> Network -> Subnet address and Subnet Mask to match the non-secured routes from Cisco AnyConnect

And restart the docker, if required rebuild the image.

[screenshot]
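As an added illustration of the routing check @libsamek and @var23rav describe (this is not code from the thread, from Docker or from Cisco), the script below models AnyConnect's "Secured Routes" and "Non-Secure Routes" lists as longest-prefix match (an assumption about the client's behaviour) and reports whether a candidate DockerNAT subnet's host (.1) and VM (.2) addresses would be pulled into the tunnel. The route lists are constructed samples, and route entries may be given either as CIDR or as the "network mask" pairs that `route print` shows.

```python
"""Check a candidate Docker for Windows subnet against AnyConnect's route lists.

Added illustration, not code from this thread, Docker or Cisco. Route lists are
constructed stand-ins for the AnyConnect "Route Details" dialog; the policy is
modelled as longest-prefix match between the secured and non-secured lists
(an assumption about how the client decides what enters the tunnel).
"""
import ipaddress
from typing import Iterable, List, Optional

IPv4Net = ipaddress.IPv4Network


def parse_routes(entries: Iterable[str]) -> List[IPv4Net]:
    """Accept CIDR ('10.0.0.0/8') or 'network mask' pairs as printed by
    `route print` ('10.0.0.0 255.0.0.0')."""
    nets = []
    for entry in entries:
        parts = entry.split()
        text = "/".join(parts[:2]) if len(parts) >= 2 else parts[0]
        nets.append(ipaddress.ip_network(text, strict=False))
    return nets


def longest_match(addr: str, routes: List[IPv4Net]) -> Optional[IPv4Net]:
    """Most specific route containing addr, or None if no route matches."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in routes if ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def is_tunnelled(addr: str, secured: List[IPv4Net], non_secured: List[IPv4Net]) -> bool:
    """True if packets to addr would be sent into the VPN tunnel, which is
    what stops the Linux VM reaching port 445 on the DockerNAT host address."""
    sec = longest_match(addr, secured)
    exc = longest_match(addr, non_secured)
    if sec is None:
        return False
    if exc is None:
        return True
    # Assumption: the more specific prefix wins; a tie goes to the exclusion.
    return sec.prefixlen > exc.prefixlen


def pick_docker_subnet(candidates, secured, non_secured) -> Optional[str]:
    """First candidate subnet whose host (.1) and VM (.2) addresses stay local.
    None means every candidate is tunnelled (e.g. a 0.0.0.0/0 secured route
    with no exclusions), so changing the subnet alone cannot help."""
    for cand in candidates:
        net = ipaddress.ip_network(cand, strict=False)
        host, vm = net.network_address + 1, net.network_address + 2
        if not any(is_tunnelled(str(a), secured, non_secured) for a in (host, vm)):
            return str(net)
    return None


if __name__ == "__main__":
    # Constructed example: a split tunnel securing only the corporate 10/8.
    secured = parse_routes(["10.0.0.0 255.0.0.0"])
    print(pick_docker_subnet(["10.0.75.0/24", "172.16.0.0/24"], secured, []))
```

With a full-tunnel profile (secured 0.0.0.0/0 and no non-secured exclusions, as several commenters report) `pick_docker_subnet` returns None for every candidate, which is why cycling through subnets does not help in that setup.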

@brianwthomas

If only it were that easy :(

I've cycled through about every network I can think of (192/172/1.1.1.0, etc...) All results in not being able to access the shared drive. Once off Anyconnect, it works fine.

Example error: docker.errors.APIError: 500 Server Error: Internal Server Error ("b'Drive sharing seems blocked by a firewall'")

Once I'm off Anyconnect I can hit the share drive just fine

@bartlomiejcieszkowski

@brianwthomas I've stumbled on this issue and unfortunately I wasn't able to do anything about it, but this is due to Cisco AnyConnect having too aggressive routing.

As I was using the container to get a compilation environment, I recall that I've had some success with it while still being off the VPN: starting a container in interactive mode and then connecting to the VPN... but my memory is a bit fuzzy there.

I've had also the same issue with a combo of VirtualBox + AnyConnect - once the vpn is on, the ping and ssh to a machine was impossible.

Also I tried some route mangling back then with no success, but this looks like a good direction to workaround the issue - see for reference:
https://forums.virtualbox.org/viewtopic.php?f=8&t=62403

@ericis

ericis commented Oct 18, 2019

@var23rav

Network ranges can be found in
Cisco AnyConnects -> click on the settings(gear icon) -> Route Details -> Non-Secure Routes

We don't see "Non-Secure Routes", only "Secured Routes (IPv4) - 0.0.0.0/0"

[screenshot: docker-shared-drives]

@jaypan13

jaypan13 commented Nov 7, 2019

Wow realized that the issue was created in the year 2016! I am still experiencing the issue when connected to Cisco VPN. As others pointed, I do see only secured routes with 0.0.0.0/0. Could there be any hack for us from docker side? I followed troubleshooting steps from - https://success.docker.com/article/error-a-firewall-is-blocking-file-sharing-between-windows-and-the-containers and still experience the same issue. Yes, we all know when we stop VPN, it works and when we start VPN, it stops working, so it would be some issue at VPN side. But can some master from Docker please help us? Thanks in advance.

@kumarjoshi

I tried everything listed here and on https://stackoverflow.com/questions/42203488/settings-to-windows-firewall-to-allow-docker-for-windows-to-share-drive/47975648

Nothing worked for me.

I run my dev environment in a Docker container, and while on the corporate VPN (Cisco AnyConnect), I need to mount my local drive on the container to access my project files.

Here's a docker hack that worked for me: Add --publish 8000:8000 to your existing docker run command

So
docker run -v C:/Users/kumar.joshi/KumarData:/mnt --name dev <image:latest>

will become
docker run -v C:/Users/kumar.joshi/KumarData:/mnt --name dev --publish 8000:8000 <image:latest>

Make sure the port is not used else you will get this error:
Bind for 0.0.0.0:8000 failed: port is already allocated

@mat007
Member

mat007 commented Dec 23, 2019

@kumarjoshi have you tried the latest edge version? We have completely rewritten how drive sharing works so that will likely fix your issue.

@bartlomiejcieszkowski

@mat007 how does the new sharing work? Did you guys change anything related to the Samba mount? As there was a problem with using mounted shares under Windows/Mac and forcing 64-bit inodes, making it impossible to do things with 32-bit software, making Docker not a feasible solution under Windows when I tried to deploy it.

@mat007
Member

mat007 commented Dec 24, 2019

We have replaced Samba with a FUSE based implementation, there is no Samba anymore.
I suggest you give it a try and open fresh issues if needed.

@chrisps-dev

I managed to get around the issue by setting my docker windows subnet address to 192.0.2.0, this was in the route details section of my cisco anyconnect settings under a subheading Non-secured Routes (IPV4), may be helpful to some, may not.

@ZhuBicen

ZhuBicen commented Feb 2, 2020

Please try the new version, which uses FUSE, not SMB:
https://docs.docker.com/docker-for-windows/edge-release-notes/#docker-desktop-community-2170

@mtarjanyi

I didn't see this solution mentioned anywhere but a colleague offered the following settings change to overcome this issue:
[screenshot]

It seemingly works fine.

@docker-robott
Collaborator

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked

@docker docker locked and limited conversation to collaborators Jun 19, 2020