Cisco Secure Client in dedicated sys-net

Hi all,

I have the following setup → as usual sys-net and sys-firewall machines for providing network. Behind sys-firewall I do have several sys-vpn-* machines where different VPN connections are defined (basically for every VPN I need to open, I have a dedicated sys-vpn-* machine). This enables me to work on several different networks in parallel (of course from different appVMs).

I have a case where I have to use Cisco Secure Client instead of openconnect (which works perfectly anyway, …). Once I establish the VPN using Secure Client in a dedicated sys-vpn-*, the connected appVM does not have any network connection which is routed to the Secure Client tunnel.

Is there anybody who has an idea how to make this work? Any guide for troubleshooting?

Thank you.

How are you checking that there is no network in the connected app qubes?
Maybe it’s just an issue with DNS resolution, try to access the IP address directly in the app qube e.g.:

ping 9.9.9.9
curl https://9.9.9.9

Check that Secure Client is creating the route through its tunnel with higher priority than the default route in the main table in sys-vpn:

ip rule
ip route
ip route show table Secure_Client_Table

Also check the firewall rules, maybe Secure Client is adding some rules incompatible with Qubes OS in sys-vpn:

nft list ruleset
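As an added example that is not part of the thread: a small POSIX shell helper that applies the route check above to `ip route` and `ip rule` output from sys-vpn, reporting which device the lowest-metric default route uses and which routing tables are consulted before `main`. It assumes the Secure Client tunnel interface is named `cscotun0` (override with `TUN_IF`) and uses constructed sample output unless run with `--live` inside sys-vpn.

```shell
#!/bin/sh
# Added diagnostic helper, not from the forum thread.
# Assumption: the Secure Client tunnel interface is cscotun0.
TUN_IF="${TUN_IF:-cscotun0}"

# Print the device of the lowest-metric default route in `ip route` text.
# A route without an explicit metric counts as metric 0 (kernel default).
default_route_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            dev = ""; metric = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (best == "" || metric < bestm) { best = dev; bestm = metric }
        }
        END { print best }'
}

# Print tables looked up by policy rules that run before main (prio < 32766),
# skipping the always-present local table at priority 0.
rules_before_main() {
    printf '%s\n' "$1" | awk '{
        p = $1; sub(/:$/, "", p)
        if (p + 0 > 0 && p + 0 < 32766)
            for (i = 1; i < NF; i++) if ($i == "lookup") print $(i + 1) }'
}

# Exit 0 if the preferred default route leaves via the tunnel, 1 otherwise.
tunnel_is_default() {
    [ "$(default_route_dev "$1")" = "$TUN_IF" ]
}

# Constructed sample output in the shape ip prints in sys-vpn after connecting.
SAMPLE_ROUTES='default via 10.137.0.6 dev eth0 proto static metric 100
default dev cscotun0 scope link metric 50
10.137.0.0/24 dev eth0 proto kernel scope link src 10.137.0.20
10.138.0.0/24 dev vif3.0 scope link'
SAMPLE_RULES='0:      from all lookup local
100:    from all lookup Secure_Client_Table
32766:  from all lookup main
32767:  from all lookup default'

if [ "${1:-}" = "--live" ]; then ROUTES=$(ip route); RULES=$(ip rule)
else ROUTES=$SAMPLE_ROUTES; RULES=$SAMPLE_RULES; fi
echo "default route device: $(default_route_dev "$ROUTES")"
echo "tables consulted before main: $(rules_before_main "$RULES" | tr '\n' ' ')"
tunnel_is_default "$ROUTES" && echo "OK: default via $TUN_IF" || echo "WARN: default bypasses $TUN_IF"
```

If the verdict is WARN while Secure Client reports connected, the tunnel route exists but is not preferred, which matches the symptom of downstream qubes losing connectivity.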