updating the doc with anyconnect vpn conflicting software #5989
Conversation
|
Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement Learn more about why HashiCorp requires a CLA and what the CLA includes Have you signed the CLA already but the status is still pending? Recheck it. |
1 similar comment
|
Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement Learn more about why HashiCorp requires a CLA and what the CLA includes Have you signed the CLA already but the status is still pending? Recheck it. |
| ```hcl | ||
| v4_prefix = "172.16.0.0/12" | ||
| ``` | ||
| This configuration was tested successfully and resolved the issue. |
There was a problem hiding this comment.
I think we can remove this line
| This configuration was tested successfully and resolved the issue. |
|
|
||
| When you run the Cisco AnyConnect VPN at the same time as the Boundary Client Agent, DNS resolution may fail for Boundary aliases. | ||
|
|
||
| **Root cause**: |
There was a problem hiding this comment.
| **Root cause**: |
There was a problem hiding this comment.
I think these paragraphs are short and easy enough to understand that we don't need additional headings here.
| When you run the Cisco AnyConnect VPN at the same time as the Boundary Client Agent, DNS resolution may fail for Boundary aliases. | ||
|
|
||
| **Root cause**: | ||
| The Boundary Client Agent runs on the default IPv4 range `100.x.x.x`. Cisco AnyConnect VPN treats this range as a *secured range*, which forces DNS queries to resolve through the VPN instead of the Boundary Client Agent. As a result, Boundary aliases cannot be resolved. |
There was a problem hiding this comment.
| The Boundary Client Agent runs on the default IPv4 range `100.x.x.x`. Cisco AnyConnect VPN treats this range as a *secured range*, which forces DNS queries to resolve through the VPN instead of the Boundary Client Agent. As a result, Boundary aliases cannot be resolved. | |
| The Boundary Client Agent runs on the default IPv4 range `100.x.x.x`. Cisco AnyConnect VPN treats this range as a **secured range**, which forces DNS queries to resolve through the VPN instead of the Boundary Client Agent. As a result, Boundary aliases cannot be resolved. |
There was a problem hiding this comment.
We use bold for emphasis instead of italics because italics can be difficult for some people to see.
| **Root cause**: | ||
| The Boundary Client Agent runs on the default IPv4 range `100.x.x.x`. Cisco AnyConnect VPN treats this range as a *secured range*, which forces DNS queries to resolve through the VPN instead of the Boundary Client Agent. As a result, Boundary aliases cannot be resolved. | ||
|
|
||
| **Workaround**: |
There was a problem hiding this comment.
| **Workaround**: |
| The Boundary Client Agent runs on the default IPv4 range `100.x.x.x`. Cisco AnyConnect VPN treats this range as a *secured range*, which forces DNS queries to resolve through the VPN instead of the Boundary Client Agent. As a result, Boundary aliases cannot be resolved. | ||
|
|
||
| **Workaround**: | ||
| You can configure the Boundary Client Agent to use a different IPv4 prefix by setting the `v4_prefix` option in the client configuration file. This overrides the default `100.x.x.x` range and avoids the conflict with Cisco AnyConnect VPN. |
There was a problem hiding this comment.
| You can configure the Boundary Client Agent to use a different IPv4 prefix by setting the `v4_prefix` option in the client configuration file. This overrides the default `100.x.x.x` range and avoids the conflict with Cisco AnyConnect VPN. | |
| You can configure the Boundary Client Agent to use a different IPv4 prefix by setting the `v4_prefix` option in the client configuration file. This setting overrides the default `100.x.x.x` range and avoids the conflict with Cisco AnyConnect VPN. |
There was a problem hiding this comment.
Minor rewrite to make it more clear what "This" refers to.
| <Note> | ||
| The `v4_prefix` can be set to any valid RFC1918 private IPv4 range, as long as it does not overlap with ranges secured by the VPN. Common options include: | ||
| - `10.0.0.0/8` | ||
| - `172.16.0.0/12` | ||
|
|
||
| Choose a range that best fits your environment. | ||
| </Note> |
There was a problem hiding this comment.
| <Note> | |
| The `v4_prefix` can be set to any valid RFC1918 private IPv4 range, as long as it does not overlap with ranges secured by the VPN. Common options include: | |
| - `10.0.0.0/8` | |
| - `172.16.0.0/12` | |
| Choose a range that best fits your environment. | |
| </Note> | |
| <Note> | |
| You can set the `v4_prefix` to any valid RFC1918 private IPv4 range, as long as it does not overlap with ranges secured by the VPN. Common options include: | |
| - `10.0.0.0/8` | |
| - `172.16.0.0/12` | |
| Choose a range that best fits your environment. | |
| </Note> |
There was a problem hiding this comment.
Minor rewrite to use active voice instead of passive ("You can set...").
I added a line space before the bulleted list so it renders correctly. I also added a line space after the opening Note and before the closing Note to ensure that your Markdown renders correctly.
Description
Tested the issue - ICU-17183 for Cisco Anyconnect VPN and have documented the findings and workaround as part of this PR.
PCI review checklist
Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.