Fixed
Status Update
Comments
mm...@gmail.com <mm...@gmail.com> #3
Any timing on this fix? This is also affecting the Cisco AnyConnect VPN Client.
rg...@google.com <rg...@google.com> #4
This is being investigated. I can't give any release timing info at this
point.
po...@gmail.com <po...@gmail.com> #5
It's quite an important issue for all VPN clients. Can I ask how the timing for fixing this issue is going?
lo...@gmail.com <lo...@gmail.com> #6
Can we expect this fix in the coming update from Android? It's really important.
yt...@gmail.com <yt...@gmail.com> #7
I am impacted too, a fix please!
ja...@gmail.com <ja...@gmail.com> #8
I am impacted as well. Makes it hard to do any kind of real development without it.
de...@gmail.com <de...@gmail.com> #9
Please fix!
po...@gmail.com <po...@gmail.com> #10
[Comment deleted]
po...@gmail.com <po...@gmail.com> #11
Why don't you fix this fast? It causes many problems, such as too-fast battery consumption due to not being disconnected by the idle timeout. It's not just a problem.
ra...@gmail.com <ra...@gmail.com> #12
Looks like this is impacting devices with cisco anyconnect vpn - they cannot wifi proxy.
This is one of the minimum features I was expecting (it was working in earlier releases). I am very disappointed to see that vpn - proxy is failing now.
Please fix this as soon as possible.
Do not make us feel bad for ordering Nexus immediately on its release.
gr...@gmail.com <gr...@gmail.com> #13
Update 4.4.2 just released on TMobile. Yay! With known bugs going back 3 months?!?! Please fix ASAP!
ma...@gmail.com <ma...@gmail.com> #14
Same problem here.
After buying the Nexus 5, AnyConnect stopped resolving DNS; I have to go back and use another phone.
bl...@gmail.com <bl...@gmail.com> #15
This problem has already been reported 5 months ago and I have several users that can't fully use the vpn functionality on their Nexus 5 device.
When can we expect a result?
la...@gmail.com <la...@gmail.com> #16
Is there any plan to fix it? It is very disappointing that a known issue hasn't been fixed for 6 months...
ad...@gmail.com <ad...@gmail.com> #17
This issue is disabling me from registering my Jabber for Android application to Cisco's Communications Manager for Phone Services. When can we expect this issue to be resolved?
se...@gmail.com <se...@gmail.com> #18
Hi - has there been any progress on getting these issues fixed?
bm...@gmail.com <bm...@gmail.com> #19
Has there been any progress made towards resolving this issue? Please fix soon!
lo...@gmail.com <lo...@gmail.com> #20
Why is this issue still in Assigned State? Shouldn't it be fixed by now? Can we expect this to be fixed in the Lollipop update?
rg...@google.com <rg...@google.com>
da...@gmail.com <da...@gmail.com> #21
Confirmed working on Android 5.0 + AnyConnect 4.0.01110
sa...@gmail.com <sa...@gmail.com> #22
I just upgraded my note 10.1 to the latest android kitkat 4.4.2
I use AnyConnect at the Univ. and it does not work (although it worked on Android 4.3.2).
Is there any fix?
da...@gmail.com <da...@gmail.com> #23
This bug is fixed in Lollipop, so you need an Android 5.0 update for the Note 10.1.
Speak to Samsung ;-)
ra...@gmail.com <ra...@gmail.com> #24
I upgraded my Nexus 5 to Lollipop. I still see that the Wifi Proxy setting + Cisco Anyconnect is not working. I am not sure if someone could verify this.
Build: LRX210
AnyConnect Version: 4.0.01156
lo...@gmail.com <lo...@gmail.com> #25
@rajaling.
The same is continuing for me even after the update to Lollipop 5.0 on my Nexus. I think the only option I have is to switch to iOS. These people have not addressed this main issue, and instead the Nexus 5 has started with all new problems after the update. Battery drain issue. Unnecessary threads running in background.
qu...@gmail.com <qu...@gmail.com> #26
Same problem for me. Samsung S5 (G900VVRU1BOA8) using OpenVPN. DNS worked fine before upgrading to Lollipop. I can ping sites by IP address only. When I disconnect the VPN, DNS is restored.
se...@gmail.com <se...@gmail.com> #27
Seeing this on a Dell Venue 8 with Lollipop.
qu...@gmail.com <qu...@gmail.com> #28
Upgraded my Samsung S5 to G900VVRU1BOC4, but it didn't fix this.
Workaround: it's been reported above that the return address of the DNS query is (erroneously) my phone's address on the VPN network, so I installed a simple name server "dnsmasq" on my OpenVPN server, and set push "dhcp-option DNS my.server.ip". dnsmasq is really easy to set up and uses my /etc/hosts for my LAN plus upstream DNS servers to forward and cache.
So now my android phone uses my VPN server for DNS queries, which works because the return address of the packet is on that network. Whether I'm using somebody's WiFi or Verizon's LTE.
I'll retry without this kludge next time Samsung sends an update. You'd think enough people use VPN with their android phones that it would be a higher priority, but what do I know.
be...@gmail.com <be...@gmail.com> #29
[Comment deleted]
be...@gmail.com <be...@gmail.com> #30
Just upgraded today to Samsung stock ROM Lollipop 5.0.1 BuildDate: 23 March 2015 on my Samsung Galaxy S4. It seems that I am also facing the DNS NAT issue reported here using the latest Cisco AnyConnect VPN client available. Routing is fully functional within or outside the tunnel interface; the same split tunnel VPN configuration was 100% stable with Jelly Bean 4.3 prior to the upgrade. Only DNS resolution seems to have issues when connected over VPN with the new Lollipop.
Nslookup works with default dns servers obtained from vpn server but ping doesn't resolve any hostnames.
Not sure where the problem lies yet and if it's really the source IP that is screwed up. I am very disappointed to hear that this bug was reported more than a year ago on 4.4 and has been carried over to 5.0 without any real fix. Worth mentioning that this split tunnel VPN server configuration works fine on iOS and Windows clients with AnyConnect.
Was it fixed in 5.1.0?
be...@gmail.com <be...@gmail.com> #31
[Comment deleted]
be...@gmail.com <be...@gmail.com> #32
After troubleshooting my AnyConnect VPN;
With split tunnel VPN configurations; The dns queries have to be routed in tunnel interface as stated above. You cannot use an external DNS server, the IP source NAT bug isn't fixed and is still present on a Lollipop 5.0.1 stock build from Samsung.
Split DNS is now problematic and wasn't with 4.3, you cannot use a split dns configuration with Kitkat 4.4 or Lollipop 5.0. Configured domains for split dns are appended to all DNS queries which results in an unknown host.
AnyConnect issue or Android issue?
ps...@cisco.com <ps...@cisco.com> #33
[Comment deleted]
ps...@cisco.com <ps...@cisco.com> #34
[Comment deleted]
ps...@cisco.com <ps...@cisco.com> #35
The fix for this particular defect was not incorporated in Samsung Android 5.0.x releases for some reason, although it was fixed by Google in Android 5.0.
This is not a bug in AnyConnect and unfortunately is not something AnyConnect is able to work around. The only workaround for affected devices, whether Android 4.4.x or 5.0.x Samsung devices without a fix, is to disable use of a public/split DNS configuration for a VPN connection.
tl...@gmail.com <tl...@gmail.com> #36
I'm still seeing this on my Nexus 4 with Lollipop 5.1.1 (verified with Wireshark). Was this fix included in all builds?
tl...@gmail.com <tl...@gmail.com> #37
I have been looking into this issue further, trying to establish the cause of this problem.
I started logging all traffic through iptables (viewing with dmesg) with
iptables -t nat -A OUTPUT -j LOG --log-uid --log-level debug --log-ip-options
This showed that certain UDP packets (including DNS and QUIC) weren't having their source IP rewritten.
I couldn't determine which ip or netfilter rule causes this, however the issue can be resolved with rooted phones by adding the iptables rule
iptables -t nat -A POSTROUTING -p udp -j MASQUERADE
tl...@gmail.com <tl...@gmail.com> #38
(Sorry for the chain of replies)
I've also found a workaround that doesn't require root. Wherever UDP connections are established in the VPN, if you explicitly bind the socket to the local IP address, then connections will work again:
InetSocketAddress sa = new InetSocketAddress(localIP, sourcePort);
outputChannel.socket().setReuseAddress(true);
outputChannel.socket().bind(sa);
Hope that helps someone.
Description
1. Configure server to push down a non-default route (e.g. 10.0.0.0 24) and public DNS (8.8.8.8)
2. Connect ToyVpn client.
3. Observe that DNS does not work.
A packet capture shows that the DNS packets are sent out of the public interface, as expected, but source IP address is the VPN-assigned private address, which is not publicly routable.
This issue does not occur on Android 4.3.
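
Added example (not part of the original thread, and not Android or AnyConnect code): a Python check over kernel log lines of the kind written by the iptables LOG rule in comment #37, flagging the symptom the description reports, that is UDP packets leaving a non-tunnel interface while still carrying a VPN-assigned source address. The log lines, the interface names wlan0 and tun0, the addresses and the use of 10.0.0.0/24 as the VPN-assigned range are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in the iptables LOG target's line format (not from the thread).
SAMPLE_LOG = """\
[ 812.101] IN= OUT=wlan0 SRC=10.0.0.2 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4411 DF PROTO=UDP SPT=40112 DPT=53 LEN=40 UID=10052
[ 812.340] IN= OUT=wlan0 SRC=192.168.1.23 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4412 DF PROTO=UDP SPT=40113 DPT=53 LEN=40 UID=10052
[ 813.002] IN= OUT=tun0 SRC=10.0.0.2 DST=10.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=991 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 UID=10052
[ 813.550] IN= OUT=wlan0 SRC=10.0.0.2 DST=203.0.113.9 LEN=1378 TOS=0x00 PREC=0x00 TTL=64 ID=4413 DF PROTO=UDP SPT=38020 DPT=443 LEN=1358 UID=10077
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=value fields of one LOG line. The first occurrence
    of a key wins, so the IP-level LEN is kept rather than the UDP LEN."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)
    return fields


def find_leaks(log_text, vpn_net, tunnel_if="tun0"):
    """Flag UDP packets that leave a non-tunnel interface while still
    carrying a source address from the VPN-assigned network."""
    net = ipaddress.ip_network(vpn_net)
    leaks = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != "UDP" or not f.get("OUT") or "SRC" not in f:
            continue
        if f["OUT"] == tunnel_if:
            continue  # traffic inside the tunnel is expected to use the VPN address
        try:
            src = ipaddress.ip_address(f["SRC"])
        except ValueError:
            continue  # malformed address, skip the line
        if src in net:
            leaks.append((f["OUT"], f["SRC"], f.get("DST"),
                          int(f.get("DPT", 0)), f.get("UID")))
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG, "10.0.0.0/24"):
        print("unrewritten source on %s: %s -> %s:%d uid=%s" % leak)
```

On the constructed sample it reports the DNS query to 8.8.8.8 and the UDP/443 (QUIC) packet, the two kinds of traffic comment #37 names.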