
sharing drive throws firewall block error with windows native docker when cisco anyconnect VPN is ON #360

Closed
sugun999 opened this issue Dec 28, 2016 · 61 comments

Comments


@sugun999 sugun999 commented Dec 28, 2016

Expected Behaviour:

File sharing should work even when the corporate Cisco AnyConnect VPN is ON.

Actual behaviour:

Sharing drive C fails with a "firewall block detected" error.

Information:

Installed native Docker on Windows 10 Enterprise version 10.0.14393.
Also, F-Secure is installed on my laptop and I opened the necessary network firewall openings in F-Secure (to allow all traffic between 10.0.75.1 & 10.0.75.2).
Everything works fine as long as the corporate Cisco AnyConnect VPN is NOT ON.

But as soon as the corporate Cisco AnyConnect VPN is ON, sharing drive C fails with a "firewall detected" error.

As you know, when switching to the corporate Cisco AnyConnect VPN, the routing tables get modified and it looks like file sharing is not working.

Is there any hack for this issue?

@johnrb2 johnrb2 commented Dec 28, 2016

I have the same problem.

When I run "docker run --rm -v c:/Users:/data alpine ls /data" while Cisco AnyConnect Secure Mobility Client Version 4.3.02039 is logged in, I get this back:

C:\Program Files\Docker\Docker\Resources\bin\docker.exe: Error response from daemon: mkdir /c: file exists.

Diag ID: 8CFF8C5F-5384-42B5-BDB0-704D32546F3D/2016-12-29_12-09-25

@stuft2 stuft2 commented Dec 28, 2016

Me too.

@simonferquel simonferquel commented Jan 2, 2017

Hi, which version of Docker for Windows are you using? Can you try the latest beta?

@sugun999 sugun999 commented Jan 3, 2017

Hi Simonferquel,

Thanks for the reply. I tried with both the stable channel (1.12.5) & the beta channel (1.13.0-rc4) and the end result is the same error, which is "Firewall blocking file sharing between windows and the container. See documentation for more info".

Please note that all "file and printer sharing" inbound rules in the Windows Firewall settings are enabled for the private, public and domain profiles on my laptop.
And also, Windows Firewall is turned off for all private, public and domain profiles.

Please help us troubleshoot this issue.

@johnrb2 johnrb2 commented Jan 3, 2017

Okay, so what I have found out from Glen Sawyer is that the VPN doesn't like the IP 10.0.75.1, most likely because it is already used by the business.

You need to change the network to 192.168.X.X.

[NOTE: You may need to play around with the number so it doesn't interfere with your home network]

@sugun999 sugun999 commented Jan 4, 2017

Hi,

Thanks for the info. Instead of trying all the numbers (1-254) for the IP part, is there any specific rule/criteria for choosing the number so that it works?

@johnrb2 johnrb2 commented Jan 4, 2017

You just don't want it to be one that is already in use by something else.

My friend says he doesn't use 192.168.1.X for his because it is used for his network devices at home.

http://trendblog.net/ever-wondered-use-192-168-x-x-ip-addresses-home/

@sugun999 sugun999 commented Jan 5, 2017

Hi,

I tried several free network IPs but Docker still throws the same error when trying to share the C drive.

@johnrb2 johnrb2 commented Jan 5, 2017

I had to get a computer with an operating system that was the full version of Windows 10 Pro instead of the company's modified version of Windows 10, and my computer had to be off the company's domain. It could be an issue with that. I am not an official Docker worker, but I would suggest trying the Docker for Windows beta to see if it fixes it, uploading a diagnostic file, and copying and sharing the reference in your issue.

@friism friism commented Jan 5, 2017

@johnrb2 thanks for following up - it'd be very useful for us to learn what exactly blocked Docker on a normally configured machine.

@sugun999 sugun999 commented Jan 12, 2017

Hi Docker team,
Any workaround to get drive sharing working even with the Cisco AnyConnect VPN?

@friism friism commented Jan 12, 2017

@sugun999 if possible, can you upload a diagnostic dump from the app and post the id here?

@sugun999 sugun999 commented Jan 12, 2017

Hi friism,

Thanks for the reply. Before sending the dump, could you please let me know what the diagnostic report contains?
Will Docker collect any security info?

@friism friism commented Jan 12, 2017

@sugun999 the diagnostic dump is pretty comprehensive to help us fully debug problems on user systems. Access to the dumps is limited to engineers working on Docker for Mac and Windows, and we handle the dumps with care.

If you're not comfortable using the diagnostic feature, please access the logs after encountering this problem, remove any sensitive info and paste the relevant log snippet in this issue.

@sugun999 sugun999 commented Jan 13, 2017

Hi friism,

Below is a log excerpt which is logged when trying to share drive C.
Please note that the F-Secure software on my laptop is not blocking anything. I added a rule to allow all traffic from any IPv4 address, which works without the VPN.

Could you please take a look at this and provide a solution for why file sharing doesn't work with the VPN?

log_excerpt.txt

@simonferquel simonferquel commented Jan 13, 2017

From the log, I see that you changed the IP settings of the VM (it says your host has IP 192.168.230.1, so your VM should have 192.168.230.2).
From the following lines, I see that the VM cannot reach port 445 on 192.168.230.1. By any chance, can you make sure that the IP settings you chose do not conflict with the VPN connection IP? (or just dump your ipconfig /all here)

@sugun999 sugun999 commented Jan 13, 2017

Hi Simonferquel,

Before or after opening the VPN, I do see that "Ethernet adapter vEthernet (DockerNAT) 2" has

IPv4 Address. . . . . . . . . . . : 192.168.230.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0

Of course a new virtual adapter gets created when the VPN is ON and it gets its own IPv4 address 141.19x.xxx.xxx, which does not conflict with the Docker Ethernet adapter IP address above.

@sugun999 sugun999 commented Jan 17, 2017

Hi,

Any ideas?

@simonferquel simonferquel commented Jan 19, 2017

Unfortunately no. It seems that Cisco AnyConnect includes some kind of firewall blocking port 445. We'll need to investigate more thoroughly, but we need the proper Cisco infrastructure to test it.

@stuft2 stuft2 commented Jan 20, 2017

I did what @johnrb2 did and it worked just fine for me. I don't think Cisco AnyConnect has to block port 445 to work properly. If it did, then it wouldn't be working for me or johnrb2.

@sugun999 sugun999 commented Jan 23, 2017

Hi SpencerTuft,

Could you please let me know what subnet address/mask you tried?

@stuft2 stuft2 commented Jan 23, 2017

@sugun999,
You may have an issue with your vpn settings and not the subnet addresses.

@sugun999 sugun999 commented Feb 15, 2017

Yes, I understood that it is specific to our VPN. Hence closing this.

@sugun999 sugun999 closed this Feb 15, 2017
@rn rn commented Feb 15, 2017

@sugun999 We obviously would like to work in environments with VPNs etc., but unfortunately we have very little control over the VPN settings. We are looking into other options for file sharing which do not require the current network-based setup but have not found a suitable replacement yet.

@libsamek libsamek commented Mar 8, 2017

Thanks for this issue! It made me realize that it's a routing problem. VPN clients usually add static routes, for example 10.0.0.0/8. That was routed to our corp network.

I solved the issue by using address space which isn't used in our corp network, for example something from 172.16.0.0 - 172.31.255.255.

So for anyone experiencing the same problems, check your routing tables first and then do the correct addressing based on that :)

@lucastheisen lucastheisen commented Aug 23, 2018

@DiJu519 , the problem (for many of us) is that "Secured Routes" is set to 0.0.0.0/0. So no dice there.

@kamkie kamkie commented Sep 16, 2018

Maybe there is an option to use a Hyper-V socket for file sharing?

@jrbecart jrbecart commented Nov 23, 2018

I don't know why this issue was closed...
The problem is still here.

@lucastheisen lucastheisen commented Nov 23, 2018

The only way I see around this would be to route the SMB/CIFS traffic through the npipe tunnel like they do for publishing ports. Our VPN is configured at the corporate level to capture all IP traffic (0.0.0.0), which includes the reserved ranges. I would really love to see the SMB/CIFS npipe routing, but think it may be too much of a boundary case to expect anyone else to implement it... (though I imagine there may be many other corporate VPNs that do the same thing...)

@jrbecart jrbecart commented Nov 28, 2018

Solutions that work for my case are (from previous suggestions):

  • Ask for example this list of ip to be added in non-secured routes in the cisco anyconnect profile:
    127.0.0.0/8
    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16

  • Use OpenConnect

@los93sol los93sol commented Feb 28, 2019

Bump, please consider changing the way this works so that it works for those of us in these scenarios

@bdwyertech bdwyertech commented Mar 1, 2019

If there was a way to override the destination address for the SMB protocol from the Docker daemon, it would likely get around the secured route issue. You'd set it to the Cisco virtual adapter's IP address and all the woes would likely go away, as the restrictions apply to local IPs. AnyConnect babysits the local routing table metrics and makes sure everything flows out the virtual adapter, hence if the SMB destination was the AnyConnect adapter IP address, SMB would work.

@los93sol los93sol commented Mar 1, 2019

Interesting... similar to others, mine secures 0.0.0.0/0 and when looking at the routing tables I can see it literally overrides everything. Can you explain a bit more or point me to some documentation on how routing SMB from Docker to AnyConnect's virtual address would work in that scenario? I'm interested to stage some tests while running a pcap to better understand.

@bdwyertech bdwyertech commented Mar 1, 2019

I don't have any documentation to point to, however I use this method when working remotely to allow certain tools to work... Take Packer as an example: it throws up a web server to serve up kickstart files. I noticed it didn't work when allowing Packer to choose the IP (typically my WiFi adapter), however inserting my Cisco AnyConnect adapter's IP address in there made it work fine. I've also used this previously with Vagrant on VMware, which uses NFS/SMB for file sharing.

If you think about it, the network restrictions force everything out of that interface; it's a catch-all route with the best metric. Being that your laptop has an IP on the forced egress interface, if you bind to all, e.g. bind to 0.0.0.0, then you're also listening on that interface and can communicate properly on it. With AnyConnect enabled, you've either got to use its IP or 127.0.0.1, and localhost is not routable, so that leaves only a single option...

@julianiacoponi julianiacoponi commented Mar 29, 2019

Please can this be re-opened and addressed :) or at least figure out some other way of running Docker natively on Windows with mounted volumes whilst behind Cisco AnyConnect.

@kamkie kamkie commented Mar 29, 2019

There is a new version of Cisco AnyConnect, 4.7 (it is using the Windows VPN infrastructure), in the Windows Store; I will test that this weekend.

@Jordaanwatson Jordaanwatson commented Mar 30, 2019

I have a suggested 'fix' for this, please follow the instructions below:

  • Within your Docker settings uncheck "Start Docker Desktop when you log in"
  • Restart the machine
  • Now that the machine is restarted, open the settings in Cisco AnyConnect
  • Go to Networks and then in the top right, where all your network connections are listed, click the arrow pointing to the right (sorry, I don't have screenshots); this should show a drop-down with Enable and Disable. Click Disable
  • Now start Docker
  • Docker should now start and run the daemon this time
  • Now spin up your container
  • Go back into your Cisco AnyConnect settings and enable the networking again
  • Your container should stay open and you should be able to access the ports all fine

All in all, the issue I believe happens is that the Cisco AnyConnect VPN controls all network adapters and Docker can't own one, so by briefly disabling the VPN to allow the Docker daemon to establish a connection this should fix your issues running Docker alongside the VPN. This step has to be reproduced every restart!

@kamkie kamkie commented Mar 31, 2019

https://www.microsoft.com/en-us/p/anyconnect/9wzdncrdj8lh
Using this version of Cisco AnyConnect I can use volumes when connected to the VPN.

@julianiacoponi julianiacoponi commented Mar 31, 2019

Thanks! I unfortunately use a non-Microsoft Store copy of AnyConnect and cannot find how to update my version from 4.6.03049 to 4.7+... any advice on how to do this is appreciated! (Although I myself appreciate this is not relevant to this bug.)

In the meantime, @Jordaanwatson I will try your method. However, I don't seem to have a "Networks" section in my AnyConnect settings?

@Jordaanwatson Jordaanwatson commented Mar 31, 2019

@julianiacoponi Your version is very close to the one I use, if I'm not mistaken. I'm not at my work machine at the moment, but if you can find where it lists your networks, or even just find where you can disable the VPN and re-enable it once you have Docker started and a container running, let me know how you get on!

@jeffjwills jeffjwills commented May 2, 2019

I also have this issue, I normally just kill Cisco to get around it but I can’t always do that. This issue is preventing me from recommending Docker to my organisation which is a shame.

Tried the Windows Store version of AnyConnect (4.7+); it makes no difference for me.

Tried Jordaanwatson's solution (disable Cisco, start a Docker VM, then enable Cisco), but this doesn't work for me.

I am going to try getting some IP ranges added to the non-secured routes.

I am also going to try OpenConnect to see if it works but this is not a solution I can let anyone else use as AnyConnect is Corporate Policy.

Fingers crossed enough people have this issue and a new version of Docker will have a workaround!

@asinoai asinoai commented May 7, 2019

Had the same problem; to solve it, I switched to OpenConnect (https://github.com/openconnect/openconnect-gui/releases/tag/v1.5.3) as mentioned already, but also had to add the following to the Docker daemon's config file: "bip" : "192.168.1.5/24", because the default was clashing with existing IPs (https://docs.docker.com/v17.09/engine/userguide/networking/default_network/custom-docker0/)

@brianwthomas brianwthomas commented May 15, 2019

Would love a solution for this. I can't get this running in my corp environment either with VPN running

@var23rav var23rav commented May 27, 2019

As @johnrb2 says, the best way is to change the Docker network.

When you do folder sharing (volume mount) with WSL, you may face an issue if there is any VPN connection enabled.

Solution, if you are using Cisco AnyConnect:

  • Allow Local Connection from Preferences
  • Or, if you don't have the permission to allow Local Connection or you couldn't see this option,
    try changing the Docker network to match any non-secured routes of Cisco AnyConnect to avoid this blocking

Network ranges can be found in
Cisco AnyConnect -> click on the settings (gear icon) -> Route Details -> Non-Secure Routes

Update Docker -> Settings -> Network -> Subnet address and Subnet Mask to match the non-secured routes from Cisco AnyConnect

And restart Docker; if required, rebuild the image.

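The rule that libsamek (Mar 8, 2017), jrbecart (Nov 28, 2018) and var23rav (May 27, 2019) describe above, check the VPN's routing policy first and then pick a DockerNAT subnet it leaves alone, can be checked mechanically rather than by cycling through subnets by hand. The script below is an added example written for this thread; it is not code from Docker Desktop or from Cisco. It assumes, as those comments do, that AnyConnect tunnels every destination covered by a "Secured Route" unless a more specific "Non-Secured Route" carves it out, and that the decision is longest-prefix match; the policies in the `__main__` section are constructed to mirror the cases reported in the thread, and the candidate order (Docker's default 10.0.75.0/24, then the non-secured prefixes, then the RFC 1918 blocks) is a choice of this example. Because candidates are carved from the non-secured routes before the private blocks, it also finds an exclusion outside RFC 1918 such as the 192.0.2.0/24 that chrisps-dev reports later in the thread.

```python
"""Pick a DockerNAT subnet that an AnyConnect split-tunnel policy leaves local.

Added example for this thread, not code from Docker Desktop or Cisco.
Model (assumption): a destination is tunnelled, and therefore unreachable
between the Windows host and the Moby VM, when the most specific prefix
covering it in AnyConnect's Route Details is a "Secured Route"; it stays
local when that prefix is a "Non-Secured Route" or nothing covers it.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, bool]  # (prefix, True = secured/tunnelled)

DOCKER_DEFAULT = "10.0.75.0/24"  # host 10.0.75.1, VM 10.0.75.2 (see the issue text)


def routes_from_anyconnect(secured: Iterable[str],
                           non_secured: Iterable[str] = ()) -> List[Route]:
    """Route list from AnyConnect -> Settings (gear icon) -> Route Details."""
    routes = [(ipaddress.ip_network(p), True) for p in secured]
    routes += [(ipaddress.ip_network(p), False) for p in non_secured]
    return routes


def is_tunnelled(routes: List[Route], addr: str) -> bool:
    """Longest-prefix match for one destination address. A tie between a
    secured and a non-secured prefix of equal length counts as tunnelled."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, secured) for net, secured in routes if ip in net]
    if not matches:
        return False            # no VPN prefix covers it: stays on the host
    return max(matches)[1]      # longest prefix wins; True > False breaks ties


def subnet_usable(routes: List[Route], subnet: str) -> bool:
    """The VM mounts the host's share at the .1 address on TCP 445 and the
    host reaches the VM at .2, so both ends of the link must stay local.
    (Assumes no route splits the subnet between those two addresses.)"""
    net = ipaddress.ip_network(subnet)
    return not (is_tunnelled(routes, str(net[1])) or
                is_tunnelled(routes, str(net[2])))


def candidate_subnets(routes: List[Route]) -> Iterable[str]:
    """Docker's default first, then /24s carved from the non-secured prefixes
    (the only option under a 0.0.0.0/0 secured route, and how a non-RFC 1918
    exclusion such as 192.0.2.0/24 gets found), then the RFC 1918 blocks."""
    seen = set()
    pools = [net for net, secured in routes if not secured and not net.is_loopback]
    pools += [ipaddress.ip_network(b)
              for b in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]
    for pool in [ipaddress.ip_network(DOCKER_DEFAULT)] + pools:
        if pool.prefixlen > 24:
            continue                        # too small for a /24 DockerNAT
        for sub in pool.subnets(new_prefix=24):
            if sub not in seen:
                seen.add(sub)
                yield str(sub)


def first_usable_subnet(routes: List[Route]) -> Optional[str]:
    """First candidate whose .1 and .2 both stay local, or None when the
    policy secures 0.0.0.0/0 with no exclusions (no subnet change can help;
    the fix then has to come from the VPN profile or from Docker)."""
    for sub in candidate_subnets(routes):
        if subnet_usable(routes, sub):
            return sub
    return None


if __name__ == "__main__":
    # Constructed policies mirroring the comments in this thread.
    split_include = routes_from_anyconnect(secured=["10.0.0.0/8"])
    print("10/8 secured, default usable:", subnet_usable(split_include, DOCKER_DEFAULT))
    print("10/8 secured, pick:", first_usable_subnet(split_include))
    with_excludes = routes_from_anyconnect(
        secured=["0.0.0.0/0"],
        non_secured=["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
    print("0/0 secured with exclusions, pick:", first_usable_subnet(with_excludes))
    print("0/0 secured, no exclusions, pick:",
          first_usable_subnet(routes_from_anyconnect(secured=["0.0.0.0/0"])))
```

Two caveats for anyone running this against their own Route Details. First, `None` for a policy that secures 0.0.0.0/0 with nothing excluded is the real answer, not a bug: that is the situation several commenters with "Secured Routes (IPv4) - 0.0.0.0/0" describe, and no DockerNAT subnet will work until the profile gains an exclusion or Docker stops depending on the network path. Second, the script only knows what the VPN will not tunnel; it cannot tell whether the subnet it picks collides with your home LAN or the corporate network, which is the conflict johnrb2 and asinoai hit, so still compare the result against ipconfig /all and route print before applying it in Docker -> Settings -> Network.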

@brianwthomas brianwthomas commented May 28, 2019

If only it were that easy :(

I've cycled through about every network I can think of (192/172/1.1.1.0, etc...). All result in not being able to access the shared drive. Once off AnyConnect, it works fine.

Example error: docker.errors.APIError: 500 Server Error: Internal Server Error ("b'Drive sharing seems blocked by a firewall'")

Once I'm off AnyConnect I can hit the shared drive just fine.

@bartlomiejcieszkowski bartlomiejcieszkowski commented May 28, 2019

@brianwthomas I've stumbled on this issue and unfortunately I wasn't able to do anything about it, but this is due to Cisco AnyConnect having too aggressive routing.

As I was using the container to get a compilation environment, I recall that I had some success with it by starting a container in interactive mode while still off the VPN and then connecting to the VPN... but my memory is a bit fuzzy there.

I also had the same issue with a combo of VirtualBox + AnyConnect: once the VPN was on, ping and SSH to a machine were impossible.

I also tried some route mangling back then with no success, but this looks like a good direction to work around the issue; see for reference:
https://forums.virtualbox.org/viewtopic.php?f=8&t=62403

@ericis ericis commented Oct 18, 2019

@var23rav

Network ranges can be found in
Cisco AnyConnects -> click on the settings(gear icon) -> Route Details -> Non-Secure Routes

We don't see "Non-Secure Routes", only "Secured Routes (IPv4) - 0.0.0.0/0"


@Jay1305 Jay1305 commented Nov 7, 2019

Wow, I realized that the issue was created in the year 2016! I am still experiencing the issue when connected to the Cisco VPN. As others pointed out, I only see secured routes with 0.0.0.0/0. Could there be any hack for us from the Docker side? I followed the troubleshooting steps from https://success.docker.com/article/error-a-firewall-is-blocking-file-sharing-between-windows-and-the-containers and still experience the same issue. Yes, we all know that when we stop the VPN it works and when we start the VPN it stops working, so it would be some issue on the VPN side. But can some master from Docker please help us? Thanks in advance.

@kumarjoshi kumarjoshi commented Dec 23, 2019

I tried everything listed here and on https://stackoverflow.com/questions/42203488/settings-to-windows-firewall-to-allow-docker-for-windows-to-share-drive/47975648

Nothing worked for me.

I run my dev environment in a Docker container, and while on the corporate VPN (Cisco AnyConnect), I need to mount my local drive on the container to access my project files.

Here's a Docker hack that worked for me: add --publish 8000:8000 to your existing docker run command.

So
docker run -v C:/Users/kumar.joshi/KumarData:/mnt --name dev <image:latest>

will become
docker run -v C:/Users/kumar.joshi/KumarData:/mnt --name dev --publish 8000:8000 <image:latest>

Make sure the port is not in use, else you will get this error:
Bind for 0.0.0.0:8000 failed: port is already allocated

@mat007 mat007 commented Dec 23, 2019

@kumarjoshi have you tried the latest edge version? We have completely rewritten how drive sharing works so that will likely fix your issue.

@bartlomiejcieszkowski bartlomiejcieszkowski commented Dec 23, 2019

@mat007 how does the new sharing work? Did you guys change anything related to the Samba mount? As there was a problem with using mounted shares under Windows/Mac and forcing 64-bit inodes, making it impossible to do things with 32-bit software, which made Docker not a feasible solution under Windows when I tried to deploy it.

@mat007 mat007 commented Dec 24, 2019

We have replaced Samba with a FUSE based implementation, there is no Samba anymore.
I suggest you give it a try and open fresh issues if needed.

@chrisps-dev chrisps-dev commented Jan 28, 2020

I managed to get around the issue by setting my Docker Windows subnet address to 192.0.2.0; this was in the Route Details section of my Cisco AnyConnect settings under the subheading Non-Secured Routes (IPv4). May be helpful to some, may not.
