Since version 14 (and now 18.04), when connecting to my job's Cisco VPN (with OpenConnect), I always struggle to get my work's Okta domains working correctly.
When wired from my job, everything works just fine. However, when connected from my home (over wifi), it is a nightmare.
First I had issues with local domains like gitlab, but this was resolved by adding the local domain to the "Additional search domains" of the VPN connection configuration. At first, I thought it would also solve my problem with mywork.okta_com, but it did not.
When I'm at home and I connect to the VPN, I try to reach mywork.okta_com but it does not work. I get an ERR_EMPTY_RESPONSE. This is a nightmare since Okta is the SSO for several applications used at the job.
The workaround I found that works is this: before connecting to the VPN, I go to mywork.okta_com and do the whole login process (with push notification), then connect to the VPN, and only then can I access mywork.okta_com and also my applications that depend on Okta authentication. Note that I also did some DNS flushes on Ubuntu and Chromium.
I think you are right, it sounds like a VPN config issue.
A couple of things to check though: does your VPN split tunnel? Do the DNS servers get updated when you connect? If so, are the DNS settings what is causing the problem?
bdemers, I took some time to look at your question. I think I'm not under a split tunnel since I did not do any sort of configuration; however, I'm not sure, since I did a traceroute to google both with and without the VPN and it does not go through the same IPs (see below), so I'm guessing that www.google_com is not going through the VPN.
I also did a traceroute to mywork.okta.com and it uses a different path when under the VPN compared to when not under the VPN.
For the DNS servers getting updated, I'm not sure how to check that; for the DNS settings causing the problem, maybe. Surely it is around DNS, since often clearing the Ubuntu DNS cache and the Chromium DNS cache solves my problem. However, at the same time, under Windows I never encounter those problems.
Do you have some commands to use to check that DNS stuff?
$ traceroute www.google_com
traceroute to www.google_com (172.217.12.164), 30 hops max, 60 byte packets
1 _gateway (192.168.2.1) 3.575 ms 3.524 ms 3.494 ms
2 10.11.16.113 (10.11.16.113) 5.672 ms 5.647 ms 5.626 ms
3 10.178.206.164 (10.178.206.164) 5.125 ms 5.113 ms 5.090 ms
4 10.178.206.165 (10.178.206.165) 5.475 ms 5.461 ms 5.437 ms
…
$ traceroute www.google_com
traceroute to www.google_com (74.125.141.106), 30 hops max, 60 byte packets
1 mynetwork (192.168.2.1) 3.557 ms 3.511 ms 3.484 ms
2 10.11.16.113 (10.11.16.113) 5.756 ms 5.739 ms 5.734 ms
3 10.178.206.164 (10.178.206.164) 5.359 ms 5.351 ms 5.329 ms
4 10.178.206.165 (10.178.206.165) 5.605 ms 5.582 ms 5.559 ms
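Editor's note: bdemers's two questions above (is the tunnel split, and do the DNS servers change on connect) and the request for commands to check it can both be answered from the routing table and the resolver configuration. The script below is an added example, not from any participant in this thread or from OpenConnect itself. It parses `ip route show` output and resolv.conf-format text fed on stdin, so it runs offline against the constructed samples embedded in it; the interface names, the 10.0.0.0/8 prefix, the corporate DNS server 10.0.0.53 and the domain corp.example are all assumptions chosen for the sample, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): answer "split tunnel?" and
# "DNS servers updated?" from live system state on an Ubuntu 18.04 /
# OpenConnect client. Run each check before and after connecting:
#   ip route show                      | classify_routes
#   cat /run/systemd/resolve/resolv.conf | dns_check <corp-dns-ip> <corp-domain>
# /etc/resolv.conf on 18.04 only shows the 127.0.0.53 stub; the file under
# /run/systemd/resolve lists the real upstream servers. `ip route get <ip>`
# (ip from `getent hosts mywork.okta.com`) shows which interface one
# destination would actually use. Equivalents of the manual cache flushes
# in the thread: `sudo systemd-resolve --flush-caches` and Chromium's
# chrome://net-internals/#dns "Clear host cache".

# Classify `ip route show` text on stdin.
# OpenConnect's vpnc-script installs a default route via tunX when the
# gateway pushes no split routes; the 0.0.0.0/1 + 128.0.0.0/1 pair is the
# OpenVPN-style way of achieving the same thing (assumption: tun naming).
# Prints: full  - everything goes through the tunnel
#         split - only specific prefixes go through the tunnel
#         none  - no tunnel routes at all (VPN not up)
classify_routes() {
  awk '
    / dev tun[0-9]+/ {
      tun = 1
      if ($1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") full = 1
    }
    END { if (full) print "full"; else if (tun) print "split"; else print "none" }'
}

# Parse resolv.conf-format text on stdin and report whether the expected
# corporate nameserver ($1) and search domain ($2) are present.
# Prints e.g. "dns:ok search:missing".
dns_check() {
  awk -v ns="$1" -v dom="$2" '
    $1 == "nameserver" && $2 == ns { n = 1 }
    $1 == "search" { for (i = 2; i <= NF; i++) if ($i == dom) d = 1 }
    END { print (n ? "dns:ok" : "dns:missing") " " (d ? "search:ok" : "search:missing") }'
}

# Constructed sample: home wifi client with the VPN up, only 10.0.0.0/8
# pushed through tun0, corporate DNS 10.0.0.53 and domain corp.example.
SAMPLE_ROUTES='default via 192.168.2.1 dev wlp2s0 proto dhcp metric 600
10.0.0.0/8 dev tun0 scope link
192.168.2.0/24 dev wlp2s0 proto kernel scope link src 192.168.2.10'
SAMPLE_RESOLV='nameserver 10.0.0.53
nameserver 192.168.2.1
search home.lan corp.example'

# Stand-alone run against the constructed sample.
printf 'tunnel mode : %s\n' "$(printf '%s\n' "$SAMPLE_ROUTES" | classify_routes)"
printf 'dns state   : %s\n' "$(printf '%s\n' "$SAMPLE_RESOLV" | dns_check 10.0.0.53 corp.example)"
```

Reading the output: "split" plus a default route on the wifi interface means www.google_com and mywork.okta_com are reached directly from home, which is consistent with the traceroutes above; "full" means every destination, public SaaS included, goes through the corporate gateway. If the DNS check reports "dns:missing" after connecting, the VPN did not install its resolver, and the cached answers from a pre-VPN login are the only thing making the Okta domain resolve.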