Cisco AnyConnect and Hyper-V – Connect to a VPN from Inside a VM Session

Clients and VMs and VPNs, Oh My!

As regular readers of this blog may be aware, I recently hung up my technical evangelist hat, and made the jump back into full-time consulting.

Consistent with best practices, I decided that when working with a new client, the best course of action would be to set up a new virtual machine to keep all of the development environment, tools, and files isolated from anything on my host machine, which helps minimize the risk that installing the latest bleeding-edge tools (which are good to have to stay ahead of the learning curve) endangers the work I’m doing for the client.

With my current client, I need to be able to access files, servers, and tools on their remote network, which they enable via the Cisco AnyConnect VPN client software. So far, so good. I had no trouble at all installing and connecting with this software from my laptop over my FiOS connection. Just like being at the office.

The Tricky Part

Unfortunately, the VPN connection does not pass through to the virtual machine I set up, using client Hyper-V on Windows 8.1 (update 1). Which is interesting, because while I was onsite recently, when I connected to the LAN directly via cable, that connection would pass through to the VM. But since I’m not a networking geek, I’ll leave that to others to explain.

So, the next step was to try installing the VPN client software in the VM itself. But it was not to be. The client software installs fine, but I found that when I tried to connect, I’d get the following error message:

[Screenshot: AnyConnect error message (AnyConnect_NoRemote_2)]

OK, so now what? Well, truth be told, since I didn’t have time to troubleshoot this immediately, I set the problem aside for a while, which can be a good way to let your brain work on the problem while you’re doing other things.

Or sometimes, you get lucky…this was one of those times.

Basic or Enhanced?

By good fortune, this morning, I ran across a brief blog post by Osama Mourad (No, not the same person who runs one of the CMAP Special Interest Groups), which suggested that connecting the VPN was possible “if connected to the VM using Hyper-V Manager.” A bit cryptic, but it gave me hope that it was at least possible.

Here’s where luck comes in. I was trying to see if there was a different way to connect to the VM from Hyper-V Manager, when I noticed that if I did not have the VM session window full-screen, there is an icon at the end of the toolbar that looks like this:

[Screenshot: toolbar icon (BasicSession_2)]

That button switches the VM session from Enhanced Session Mode (the default in newer versions of Hyper-V), which uses a Remote Desktop Connection to interact with the VM, to Basic Session Mode, which provides simple screen, keyboard, and mouse redirection.

And beautifully, it turns out that in Basic Session Mode, connecting the VPN works just fine. And once connected, you can switch back to Enhanced Session Mode, and the VPN will remain connected.

Conclusion

Using a virtual machine is a good practice for keeping your client environment isolated from your day-to-day experiments or bleeding edge tools, etc. And it also has the advantage of making the environment portable. You can store the VM files on a portable drive, or copy them from one machine to another if you need to migrate systems.

But along with the convenience comes the occasional head-scratcher or stumbling block. I hope that this post will help anyone else who runs into this particular issue resolve their problem.

You can learn more about Enhanced Session Mode from this TechNet article. My thanks to Osama for the clue that helped me track down the solution.

30 thoughts on “Cisco AnyConnect and Hyper-V – Connect to a VPN from Inside a VM Session”

  1. Thank you very much, this saved me from having to figure out a workaround. I was going to sleep on it to see if anything came to me, but thanks to you… I can have a better dream!
    Cheers,
    Scott

    1. @Scott Glad to hear it helped you. I wish it were a little more convenient, but it’s something I use every day myself.

    1. Not sure I understand the question, but if you’re not running a Virtual Machine, you don’t need my tip at all. Perhaps you could elaborate?

  2. The AnyConnect VPN client disables IP forwarding. I’m assuming Hyper-V VMs are using NAT, in which case it would be unable to forward the traffic on to any private subnets.

  3. Great blogpost. Solves a common problem with a quick and simple solution.

    You could get your VPN admins to allow remote desktop logon but to get that through is just so much harder. (and might be a security risk)

    Also I love that you have checked that you can turn back on enhanced mode. That’s actually quite good to have the enhanced mode capabilities on hand also when on VPN. 🙂

  4. I have the same issue. Thank you for the tip.
    This is what happens. In the AnyConnect profile there is a parameter

    It can have at least 2 values
    AllowRemoteUsers
    or
    LocalUsersOnly

    if it is set to AllowRemoteUsers, no problem, you may use a remote desktop

    if not 🙂 you got a solution
    Best wishes, and thank you again for the tip

  5. Great tip switching to Basic to get AnyConnect to work.

    Using Basic Session you lose the Clipboard Copy and Paste between the Host and Guest OS.

    Is there any way to have both?

    1. Yes, sort of. After you’ve established your connection in Basic mode, you can switch back to enhanced and the vpn will still be connected.

  6. We were trying to establish a VPN connection with Cisco AnyConnect from a Win 10 VM (Hyper-v Manager Version: 10.0.19041.1)
    and it works like a charm!
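
Tying the post's Basic/Enhanced observation to the AllowRemoteUsers / LocalUsersOnly values from comment 4, this is an added PowerShell example (not code from the post or from Cisco) that, run inside the guest, reports whether the current session counts as remote and what a profile's policy says about it. Assumptions: the element name `WindowsVPNEstablishment` comes from Cisco's AnyConnect profile schema rather than from this page, the sample profile is constructed, the function names are hypothetical, and Enhanced Session Mode is assumed to be reported by Windows as a Remote Desktop session.

```powershell
# Added example; run inside the guest VM (Windows PowerShell).
Add-Type -AssemblyName System.Windows.Forms

function Get-VpnEstablishmentPolicy {
    param([Parameter(Mandatory)][xml]$ProfileXml)
    # local-name() sidesteps the default XML namespace used by profile files.
    $node = $ProfileXml.SelectSingleNode("//*[local-name()='WindowsVPNEstablishment']")
    if ($node) { return $node.InnerText.Trim() }
    # Assumption: when the element is absent the client behaves as LocalUsersOnly.
    return 'LocalUsersOnly'
}

function Test-VpnEstablishmentAllowed {
    param([string]$Policy, [bool]$IsRemoteSession)
    # LocalUsersOnly refuses a connection started from a remote (RDP) logon;
    # AllowRemoteUsers permits it. A console (Basic) session passes either way.
    return -not ($IsRemoteSession -and $Policy -eq 'LocalUsersOnly')
}

# Constructed sample profile. For a real one, load the file your VPN admins
# deployed with: [xml](Get-Content -Raw <path to profile .xml>)
[xml]$sample = @'
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>
'@

$policy = Get-VpnEstablishmentPolicy -ProfileXml $sample

# True when this logon is a Remote Desktop session (assumed to include
# Hyper-V Enhanced Session Mode); False on the console / Basic session.
$isRemote = [System.Windows.Forms.SystemInformation]::TerminalServerSession

[pscustomobject]@{
    Policy         = $policy
    RemoteSession  = $isRemote
    ConnectAllowed = Test-VpnEstablishmentAllowed -Policy $policy -IsRemoteSession $isRemote
}

# Decision table for both policies and both session types.
foreach ($p in 'LocalUsersOnly', 'AllowRemoteUsers') {
    foreach ($r in $true, $false) {
        [pscustomobject]@{
            Policy         = $p
            RemoteSession  = $r
            ConnectAllowed = Test-VpnEstablishmentAllowed -Policy $p -IsRemoteSession $r
        }
    }
}
```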
