Wsl2 Vpn Anyconnect

Posted onby

Internet connection and DNS routing are broken from WSL2 instances, when some VPNs are active.The workaround breaks down into two problems:

These release notes provide information for AnyConnect Secure Mobility Client on Windows, macOS, and Linux platforms. An always-on intelligent VPN helps AnyConnect client devices to automatically select the optimal network access point and adapt its tunneling protocol to the most efficient method. Openconnect solved the issues I experienced with Cisco Anyconnect Client both from store and the stand alone client failed getting any internet access when using WSL2 but Openconnect did:) level 1 1 point 5 months ago.

This entry was posted in VMware, Windows and tagged AnyConnect, Cisco AnyConnect, Networking, VMWare Workstation, Workstation, WSL, WSL2 by jog. Bookmark the permalink. 18 Replies to “WSL2 issues – and how to fix some of them”.

  1. Network connection to internet
  2. DNS in WSL2

This problem is tracked in multiple microsoft/WSL issues including, but not limited to:

  • microsoft/WSL#5068
  • microsoft/WSL#4277
  • microsoft/WSL#4246

Network connection

When the VPN connection is active, network traffic out of WSL2 is not passed to the internet.

Changing the Interface Metric 1 -> 6000 for AnyConnect VPN Adapter resolves the connection issue, but this has to be done after each time the VPN connects.

By default, the Interface Metrics for AnyConnect are:

  • IPv6: 6000
  • IPv4: 1

ping times out from WSL Shell.

Changing the Interface Metrics for AnyConnect to:

  • IPv6: 6000
  • IPv4: 6000

ping to IP Addresses succeed, but still no DNS Resolution.

DNS Resolution

Vpn Anyconnect Download

When the VPN is active, the autogenerated /etc/resolv.conf does not work. The list of nameservers must be manually built to include some sane default DNS Name Servers and the DNS from the VPN.

First, disable automatically generating /etc/resolv.conf.Add the following configuration, or create the file if it doesn't exist. The path to this file is from the shell prompt of your WSL2 instance.


Next, manually add the corportate DNS Server as the first nameserver in /etc/resolv.conf.


Wsl2 Vpn Anyconnect

To get <corporateDNS> addresses, use ipconfig /all from CMD or Powershell prompt, and check the details of the VPN adapter:

Automatically update Interface Metric

To automate this, I put the PS command in a script and created a Scheduled Task to run every time there is a network change.

Wsl2 Vpn Anyconnect Client

Save the script in a file

First, create the script. I have a 'scripts' directory in my Windows user home, so I put it at:


You can save it where you want, just make sure to use that path in step 13 below.

Cisco Vpn Anyconnect

Create the scheduled task:

  1. Open 'Task Scheduler'
  2. Click 'Create Task' on Right Sidebar
  3. Name: Update Anyconnect Adapter Interface Metric for WSL2
  4. Set Security Options
    • Check box: 'Run with highest priveleges'
  5. Select 'Triggers' Tab
  6. Click 'New' at bottom of Window
  7. Open 'Begin the task' drop-down
  8. Select 'On an Event'
  9. Configure Event:
    • option 1: Trigger on any Network Change
      • Log: 'Microsoft-Windows-NetworkProfile/Operational'
      • Source: 'NetworkProfile'
      • Event ID: '10000'
    • option 2: Trigger only when AnyConnect Client successfully connects to VPN
      • Log: 'Cisco AnyCOnnect Secure Mobility Client'
      • Source: 'acvpnagent'
      • Event ID: '2039'
  10. Click 'OK'
  11. Select 'Actions' Tab
  12. Click 'New'
  13. Configure Action:
    • Action: 'Start a Program'
    • Program/script: 'Powershell.exe'
    • Add arguments: '-ExecutionPolicy Bypass -File %HOMEPATH%scriptsUpdateAnyConnectInterfaceMetric.ps1'
  14. Click 'OK'
  15. Select 'Conditions' Tab
  16. Uncheck box:
    • Power -> Start the task only if the computer is on AC Power
  17. Click 'OK'

When AnyConnect finishes connecting, a Powershell window pops up for a couple seconds and WSL can reach the network.