sharing drive throws firewall block error with windows native docker when cisco anyconnect VPN is ON #360
I have the same problem. When I run "docker run --rm -v c:/Users:/data alpine ls /data" while Cisco AnyConnect Secure Mobility Client Version 4.3.02039 is logged in, I get this back: C:\Program Files\Docker\Docker\Resources\bin\docker.exe: Error response from daemon: mkdir /c: file exists. Diag ID: 8CFF8C5F-5384-42B5-BDB0-704D32546F3D/2016-12-29_12-09-25
Me too.
Hi, which version of Docker for Windows are you using? Can you try the latest beta?
Hi Simonferquel, thanks for the reply. I tried with both the stable channel (1.12.5) and the beta channel (1.13.0-rc4), and the end result is the same error: "Firewall blocking file sharing between windows and the container. See documentation for more info". Please note that all "file and printer sharing" inbound rules in the Windows firewall settings are enabled for the private, public and domain profiles on my laptop. Please help us troubleshoot this issue.
Hi, thanks for the info. Instead of trying all the numbers (1-254) for the IP part, is there any specific rule/criterion for choosing the number, so that it works?
You just don't want it to be one that is already in use by something else. My friend says he doesn't use 192.168.1.X for his because it is used for his network devices at home. http://trendblog.net/ever-wondered-use-192-168-x-x-ip-addresses-home/
Hi, I tried several free network IPs, but Docker still throws the same error when trying to share the C drive.
I had to get a computer with an operating system that was the full version of Windows 10 Pro instead of the company's modified version of Windows 10, and my computer had to be off the company's domain. It could be an issue with that. I am not an official Docker worker, but I would suggest trying the Docker for Windows beta to see if it fixes it, uploading a diagnostic file, and sharing the reference with your issue.
@johnrb2 thanks for following up - it'd be very useful for us to learn what exactly blocked Docker on a normally configured machine.
Hi Docker team, |
@sugun999 if possible, can you upload a diagnostic dump from the app and post the id here?
Hi friism, thanks for the reply. Before sending the dump, could you please let me know what the diagnostic report contains?
@sugun999 the diagnostic dump is pretty comprehensive to help us fully debug problems on user systems. Access to the dumps is limited to engineers working on Docker for Mac and Windows, and we handle the dumps with care. If you're not comfortable using the diagnostic feature, please access the logs after encountering this problem, remove any sensitive info and paste the relevant log snippet in this issue.
Hi Friism, below is a log excerpt which is logged when trying to share drive C. Could you please take a look at this and provide a solution for this issue: why doesn't file sharing work with the VPN?
From the log, I see that you changed the IP settings of the VM (it says your host has IP 192.168.230.1, so your VM should have 192.168.230.2).
Hi Simonferquel, before or after opening the VPN, I do see that "Ethernet adapter vEthernet (DockerNAT) 2" has IPv4 Address . . . . . . . . . . . : 192.168.230.1(Preferred). Of course a new virtual adapter gets created when the VPN is ON, and it gets its own IPv4 address 141.19x.xxx.xxx, which does not conflict with the above Docker Ethernet adapter IP address.
Hi, any ideas?
Unfortunately no. It seems that Cisco AnyConnect includes some kind of firewall blocking port 445. We'll need to investigate more thoroughly, but we need the proper Cisco infrastructure to test it.
I did what @johnrb2 did and it worked just fine for me. I don't think Cisco AnyConnect has to block port 445 to work properly. If it did, then it wouldn't be working for me or johnrb2.
Hi SpencerTuft, could you please let me know what subnet address/mask you tried?
@sugun999, |
Yes, I understood that it is specific to our VPN. Hence closing this.
@sugun999 We obviously would like to work in environments with VPNs etc., but unfortunately we have very little control over the VPN settings. We are looking into other options for file sharing which do not require the current network-based setup, but have not found a suitable replacement yet.
Thanks for this issue! It made me realize that it's a routing problem. VPN clients usually add static routes, for example 10.0.0.0/8. That was routed to our corp network. I solved the issue by using an address space which isn't used in our corp network, for example something from 172.16.0.0 - 172.31.255.255. So for anyone experiencing the same problems, check your routing tables first and then do the correct addressing based on that :)
Solutions that work for my case are (from previous suggestions):
Bump, please consider changing the way this works so that it works for those of us in these scenarios.
If there was a way to override the destination address for the SMB protocol from the Docker daemon, it would likely get around the secured route issue. You'd set it to the Cisco virtual adapter's IP address and all the woes would likely go away, as the restrictions apply to local IPs. AnyConnect babysits the local routing table metrics and makes sure everything flows out the virtual adapter, hence if the SMB destination was the AnyConnect adapter IP address, SMB would work.
Interesting... similar to others, mine secures 0.0.0.0/0, and when looking at the routing tables I can see it literally overrides everything. Can you explain a bit more or point me to some documentation on how routing SMB from Docker to AnyConnect's virtual address would work in that scenario? I'm interested in staging some tests while running a pcap to better understand.
I don't have any documentation to point to, however I use this method when working remotely to allow certain tools to work... Take Packer as an example: it throws up a web server to serve up kickstart files. I noticed it didn't work when allowing Packer to choose the IP (typically my WiFi adapter), however inserting my Cisco AnyConnect adapter's IP address in there made it work fine. I've also used this previously with Vagrant on VMware, which uses NFS/SMB for file sharing. If you think about it, the network restrictions force everything out of that interface; it's a catch-all route with the best metric. Given that your laptop has an IP on the forced egress interface, if you bind all, e.g. bind to 0.0.0.0, then you're also listening on that interface and can communicate properly on it. With AnyConnect enabled, you've either got to use its IP or 127.0.0.1, and localhost is not routable, so that leaves only a single option...
Please can this be re-opened and addressed :) or at least figure out some other way of running Docker natively on Windows with mounted volumes whilst behind Cisco AnyConnect.
There is a new version of Cisco AnyConnect, 4.7 (it uses the Windows VPN infrastructure), in the Windows Store; I will test that this weekend.
I have a suggested 'fix' for this, please follow the instructions below:
All in all, the issue I believe happens is that the Cisco AnyConnect VPN controls all network adapters and Docker can't own one, so briefly disabling the VPN to allow the Docker daemon to establish a connection should fix your issues running Docker alongside the VPN. This step has to be repeated every restart!
https://www.microsoft.com/en-us/p/anyconnect/9wzdncrdj8lh
@julianiacoponi Your version is very close to the one I use; I'm not at my work machine at the moment, but see if you can find where it lists your networks, or even just find where you can disable the VPN and re-enable it once you have Docker started and a container running. Let me know how you get on!
I also have this issue. I normally just kill Cisco to get around it, but I can't always do that. This issue is preventing me from recommending Docker to my organisation, which is a shame. Tried the Windows Store version of AnyConnect (4.7+): makes no difference for me. Tried Jordaanwatson's solution to disable Cisco, start a Docker VM, then enable Cisco, but this doesn't work for me. I am going to try getting some IP ranges added to the non-secured routes. I am also going to try OpenConnect to see if it works, but this is not a solution I can let anyone else use, as AnyConnect is corporate policy. Fingers crossed enough people have this issue and a new version of Docker will have a workaround!
Had the same problem; to solve it, I switched to OpenConnect (https://github.com/openconnect/openconnect-gui/releases/tag/v1.5.3) as mentioned already, but also had to add the following to the Docker daemon's config file: "bip" : "192.168.1.5/24", because the default was clashing with existing IPs (https://docs.docker.com/v17.09/engine/userguide/networking/default_network/custom-docker0/)
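Two pieces of advice in this thread point the same way: check the routing table for routes the VPN client pushed before choosing a subnet for DockerNAT (the 172.16.0.0/12 suggestion above), and move the daemon's bridge (`bip`) off a range that clashes with existing routes. The script below is an added example, not code from this issue or from Docker; it parses the "Active Routes" table of Windows `route print` output (the embedded sample is constructed, not a real capture), reports which candidate subnets overlap a pushed route, and flags the full-tunnel case (a secured route of 0.0.0.0/0) that several commenters describe, where no subnet choice can help. Candidate subnets and the sample routes are assumptions chosen to illustrate the check.

```python
import ipaddress
import re

# One "Active Routes" row of `route print`: destination, netmask, gateway, interface, metric.
_QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"
_ROUTE_LINE = re.compile(rf"^\s*({_QUAD})\s+({_QUAD})\s+(\S+)\s+({_QUAD})\s+(\d+)\s*$")

# Constructed sample, not a real capture: a host on 192.168.0.0/24 whose VPN client
# has pushed a static route for 10.0.0.0/8 via its virtual adapter (10.20.30.40).
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.10     35
         10.0.0.0        255.0.0.0         On-link       10.20.30.40      2
       10.20.30.40  255.255.255.255         On-link       10.20.30.40    257
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.0.0    255.255.255.0         On-link     192.168.0.10    291
===========================================================================
"""


def parse_route_print(text):
    """Return the IPv4 networks listed in the 'Active Routes' table of `route print`."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_LINE.match(line)
        if not m:
            continue  # headers, separators and the IPv6 section do not match the row shape
        dest, mask = m.group(1), m.group(2)
        # ipaddress accepts dotted netmasks; strict=False tolerates host bits in the destination.
        routes.append(ipaddress.IPv4Network(f"{dest}/{mask}", strict=False))
    return routes


def overlapping_routes(candidate, routes, ignore_default=True):
    """Routes that overlap the candidate subnet. The default route (prefix length 0)
    overlaps everything, so it is skipped unless the caller asks otherwise."""
    net = ipaddress.IPv4Network(candidate, strict=False)
    return [r for r in routes
            if not (ignore_default and r.prefixlen == 0) and net.overlaps(r)]


def pick_free_subnet(candidates, routes):
    """First candidate (normalised to its network address) that overlaps no pushed
    or local route, or None when every candidate collides."""
    for c in candidates:
        if not overlapping_routes(c, routes):
            return str(ipaddress.IPv4Network(c, strict=False))
    return None


def vpn_tunnels_everything(secured_routes):
    """True when the VPN's secured-route list (as shown in the client's route details)
    covers all of IPv4, i.e. contains 0.0.0.0/0. In that full-tunnel case every
    address is claimed, so re-addressing DockerNAT or the bridge cannot help."""
    return any(ipaddress.IPv4Network(s, strict=False).prefixlen == 0
               for s in secured_routes)


if __name__ == "__main__":
    routes = parse_route_print(SAMPLE_ROUTE_PRINT)
    # Docker's old default DockerNAT subnet, the LAN, and a 172.16/12 choice as in the thread.
    candidates = ["10.0.75.0/24", "192.168.0.0/24", "172.20.0.0/24"]
    for c in candidates:
        hits = overlapping_routes(c, routes)
        print(f"{c}: {'conflicts with ' + ', '.join(map(str, hits)) if hits else 'free'}")
    print("choose:", pick_free_subnet(candidates, routes))
    # The daemon's bridge ("bip") can be checked the same way.
    print("bip 192.168.1.5/24 ->", pick_free_subnet(["192.168.1.5/24"], routes))
    print("full tunnel:", vpn_tunnels_everything(["0.0.0.0/0"]))
```

Run it against the real output of `route print` (or the secured-route list from the VPN client's route details) by replacing the constructed sample; if `vpn_tunnels_everything` returns True the routing table cannot be worked around by choosing a different subnet, which matches what the commenters with "Secured Routes (IPv4) - 0.0.0.0/0" report.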
Would love a solution for this. I can't get this running in my corp environment either with the VPN running.
As @johnrb2 says, the best way is to change the Docker network. When you do folder sharing (volume mount) with WSL, you may face an issue if any VPN connection is enabled. Solution, if you are using Cisco AnyConnect: network ranges can be found in the AnyConnect client. Update Docker -> Settings -> Network -> Subnet address and Subnet Mask to match the non-secured routes from Cisco AnyConnect, and restart Docker; if required, rebuild the image.
If only it were that easy :( I've cycled through about every network I can think of (192/172/1.1.1.0, etc.). All result in not being able to access the shared drive. Once off AnyConnect, it works fine. Example error: docker.errors.APIError: 500 Server Error: Internal Server Error ("b'Drive sharing seems blocked by a firewall'") Once I'm off AnyConnect I can hit the shared drive just fine.
@brianwthomas I've stumbled on this issue and unfortunately I wasn't able to do anything about it, but this is due to Cisco AnyConnect having too aggressive routing. As I was using the container to get a compilation environment, I recall that I had some success with it while still being off the VPN, starting a container in interactive mode and then connecting to the VPN... but my memory is a bit fuzzy there. I've also had the same issue with a combo of VirtualBox + AnyConnect: once the VPN is on, ping and ssh to a machine were impossible. I also tried some route mangling back then with no success, but this looks like a good direction to work around the issue - see for reference:
We don't see "Non-Secure Routes", only "Secured Routes (IPv4) - 0.0.0.0/0".
Wow, I realized that the issue was created in the year 2016! I am still experiencing the issue when connected to the Cisco VPN. As others pointed out, I do see only secured routes with 0.0.0.0/0. Could there be any hack for us from the Docker side? I followed the troubleshooting steps from https://success.docker.com/article/error-a-firewall-is-blocking-file-sharing-between-windows-and-the-containers and still experience the same issue. Yes, we all know that when we stop the VPN it works, and when we start the VPN it stops working, so it would be some issue on the VPN side. But can some master from Docker please help us? Thanks in advance.
I tried everything listed here and on https://stackoverflow.com/questions/42203488/settings-to-windows-firewall-to-allow-docker-for-windows-to-share-drive/47975648 Nothing worked for me. I run my dev environment in a Docker container, and while on the corporate VPN (Cisco AnyConnect), I need to mount my local drive on the container to access my project files. Here's a Docker hack that worked for me: Add So will become Make sure the port is not used, else you will get this error:
@kumarjoshi have you tried the latest edge version? We have completely rewritten how drive sharing works, so that will likely fix your issue.
@mat007 how does the new sharing work? Did you guys change anything related to the Samba mount? There was a problem with using mounted shares under Windows/Mac and forcing 64-bit inodes, making it impossible to do things with 32-bit software, which made Docker not a feasible solution under Windows when I tried to deploy it.
We have replaced Samba with a FUSE based implementation, there is no Samba anymore.
I managed to get around the issue by setting my Docker Windows subnet address to 192.0.2.0; this was in the route details section of my Cisco AnyConnect settings under a subheading Non-secured Routes (IPv4). May be helpful to some, may not.
Please try the new version, which uses FUSE, not SMB.
Closed issues are locked after 30 days of inactivity. If you have found a problem that seems similar to this, please open a new issue. Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
Expected Behaviour:
File sharing should work even when the corporate Cisco AnyConnect VPN is ON.
Actual behaviour:
Sharing drive C fails by throwing a "firewall block detected" error.
Information:
Installed native Docker on Windows 10 Enterprise version 10.0.14393.
Also, F-Secure is installed on my laptop and I opened the necessary network firewall openings in F-Secure (to allow all traffic between 10.0.75.1 and 10.0.75.2).
Everything works fine as long as the corporate Cisco AnyConnect VPN is NOT ON.
But as soon as the corporate Cisco AnyConnect VPN is ON, sharing drive C fails by throwing a "firewall detected" error.
As you know, when switching to the corporate Cisco AnyConnect VPN, the routing tables get modified, and it looks like that is why file sharing is not working.
Is there any hack for this issue?