06-21-2009 10:19 AM - edited 02-21-2020 03:31 AM
I have a MacOS X IPSec client that isn't receiving the split-dns setup from my ASA 5505.
Here's the relevant data from my ASA device:
group-policy vpnpolicy attributes
wins-server none
dns-server value 192.168.1.3
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
default-domain value workdomain1.com
split-dns value workdomain1.com workdomain2.com.local
tunnel-group myvpn type remote-access
tunnel-group myvpn general-attributes
address-pool vpnpool
authentication-server-group vpn
authentication-server-group (inside) vpn
default-group-policy vpnpolicy
The second domain isn't being passed to the client. Here's the resolv.conf before/after IPSec connection:
mark-petersons-macbook-pro:~ peterson$ more /etc/resolv.conf
domain myhomedomain.net
nameserver 68.94.156.1
nameserver 151.164.8.201
/etc/resolv.conf (END)
mark-petersons-macbook-pro:~ peterson$ more /etc/resolv.conf
domain workdomain1.com
search workdomain1.com
nameserver 68.94.156.1
nameserver 151.164.8.201
/etc/resolv.conf (END)
Any ideas what the problem could be?
06-29-2009 01:29 PM
When an ISP's DNS server is included in the Split Tunneling Network List and Split DNS Names are configured, all DNS queries to domains other than those in the Split DNS Names list are not resolved.
By definition, split DNS is used so that only certain domains get resolved by corporate DNS servers, while rest go to public (ISP-assigned) DNS servers. To enforce this feature, the VPN Client directs DNS queries that are about hosts on the Split DNS Names list to corporate DNS servers, and discards all DNS queries that are not part of the Split DNS Names list.
The problem occurs when the ISP-assigned DNS servers are in the range of the Split Tunneling Network List. In that case, all DNS queries for non-split-DNS domains are discarded by the VPN Client.
To avoid this problem, remove the ISP-assigned DNS server from the range of the Split Tunneling Network List, or do not configure split DNS (CSCee66180).
06-29-2009 01:42 PM
I'm not quite sure I understand. My home ISP is assigning me two DNS servers - 69.94.156.1 and 151.164.8.201. My corporate DNS server - as configured by my VPN settings on the ASA - is 192.168.1.3.
There is no overlap between my split-tunnel list and the 2 ISP-assigned DNS servers. The split-tunnel list includes 192.168.1.x, 192.168.2.x, 192.168.10.x, and 192.168.99.x. That's it. The problem is that the second domain that I've specified in my search list isn't being passed on to the client. I've even tried switching the order of the domains - no luck.
Any other suggestions?
10-28-2009 12:27 PM
Did you get any solutions for this problem? I am experiencing a similar issue trying to configure split-dns for my sslVPN users using AnyConnect VPN client version 2.3.2016.
11-04-2009 01:38 PM
Split dns is not supported on Anyconnect...
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1135689
11-05-2009 01:02 PM
It is now on AnyConnect 2.4. From the release notes:
New Feature Overviews
The following sections describe the new features in Release 2.4:
• Split DNS Fallback
Split DNS Fallback
If the group policy on the security appliance specifies the names of the domains to be tunneled, AnyConnect tunnels only DNS queries that match those domains. It refuses all other DNS queries. The DNS resolver receives the refusal from the client and retries, this time using the public interface instead of AnyConnect.
This feature requires that you:
• Configure at least one DNS server
• Enable split-tunneling
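As an added illustration (not code from the thread or from Cisco), the following Python models two things the thread discusses: checking whether every split-dns domain the ASA pushes actually reached the Mac's resolv.conf search list (the first post's symptom), and the per-query decision the split-DNS fallback description gives, where names under a split-dns domain go to the tunnel's dns-server and everything else is refused by the client and falls back to the public resolvers. The config and resolv.conf samples are copied from the first post; the public DNS list passed to route_query is an assumed input.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the DNS-related group-policy lines quoted in the first post.
GROUP_POLICY = """\
group-policy vpnpolicy attributes
 dns-server value 192.168.1.3
 default-domain value workdomain1.com
 split-dns value workdomain1.com workdomain2.com.local
"""

# Constructed sample: the client's /etc/resolv.conf after the IPSec tunnel came up.
RESOLV_CONF_AFTER = """\
domain workdomain1.com
search workdomain1.com
nameserver 68.94.156.1
nameserver 151.164.8.201
"""

def parse_group_policy(text: str) -> Dict[str, List[str]]:
    """Extract the 'value' attributes of dns-server and split-dns from a group-policy block."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(dns-server|split-dns) value (.+)$", line)
        if m:
            attrs[m.group(1)] = m.group(2).split()
    return attrs

def parse_resolv_conf(text: str) -> Dict[str, List[str]]:
    """Collect the 'search' domains and 'nameserver' entries from a resolv.conf."""
    out: Dict[str, List[str]] = {"search": [], "nameserver": []}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in out:
            out[parts[0]].extend(parts[1:])
    return out

def missing_search_domains(policy: Dict[str, List[str]], resolv: Dict[str, List[str]]) -> List[str]:
    """Split-dns domains pushed by the ASA that never made it into the client's search list."""
    return [d for d in policy.get("split-dns", []) if d not in resolv["search"]]

def route_query(hostname: str, policy: Dict[str, List[str]], public_dns: List[str]) -> Tuple[str, List[str]]:
    """Split-DNS decision: a name at or under a split-dns domain is sent to the tunnel's
    dns-server; any other name is refused by the client and resolved via public_dns."""
    name = hostname.lower().rstrip(".")
    for dom in policy.get("split-dns", []):
        dom = dom.lower()
        if name == dom or name.endswith("." + dom):
            return ("tunnel", policy["dns-server"])
    return ("public", public_dns)
```

Running missing_search_domains on the first post's samples reports workdomain2.com.local as the domain that was never delivered, which is exactly the symptom described there.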
03-23-2010 08:30 PM
Seeing a similar issue with AnyConnect 2.4.1012.
Config I have on an IOS device works perfectly on a Windows client, but on a Mac OS X 10.5 client it's not playing ball.
In terminal, I can do a 'host' on a server that resides at the other end of the SSL VPN, but if I try and ping it, it's replying that the host is unknown:
(host names changed)
acid:~ drew$ ping www.internal.server.com
ping: cannot resolve www.internal.server.com: Unknown host
acid:~ drew$
06-02-2010 08:23 AM
Any progress on this issue? I have a Mac user that is experiencing the Split-DNS problem using the IPSec client as well - only queries for names in the first domain in the Split-DNS list are actually being tunneled to the corporate DNS server.
Has anyone opened a TAC case to work this issue?
06-02-2010 06:38 PM
I'm not having an issue with 2.5.0217 client now. They recently released this from Beta. Have you tried that?
08-05-2010 11:05 AM
I opened a TAC case as the 2.5 client is still not working here. The Windows version works fine. Will keep you guys posted.
08-05-2010 02:01 PM
Just got a reply from Cisco, this is a confirmed bug [CSCtf20226] in Mac OS X 10.6. Their workaround is to explicitly define external DNS servers. I used the Google public DNS servers and this indeed works as expected.
(config-webvpn-group)#svc dns-server primary 8.8.8.8
(config-webvpn-group)#svc dns-server secondary 8.8.4.4
Hope this helps anyone.
12-13-2011 03:10 PM
Sander,
I want to thank you. You are a life-saver. However, I want to go a step further in the solution you propose. If you go to this link below, you will find a document titled "PIX/ASA: perform DNS Doctoring with the Static Command and Two NAT Interfaces"
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
While the majority of the content doesn't pertain to this issue, there is a portion that most certainly does - under the heading "Split-DNS Configuration". There, it tells you that you can create a domain list that specifies specific domains - that if matched - will force ALL TRAFFIC FOR THAT DOMAIN through the tunnel. Therefore, if you have services in your company that need to be accessed via VPN over the browser and you are experiencing issues due to the split-tunnel, create a domain list under the tunnel's group-policy like this:
yourfirewall(config)# group-policy VPN-POLICY attributes
yourfirewall(config-group-policy)# split-dns yourcompany.com
yourfirewall(config-group-policy)# end
yourfirewall(config)#
Now, all traffic with a domain suffix of "yourcompany.com" will always be directed through the tunnel. Remember that you need to define internal DNS servers under the policy as well if you intend to resolve those internal domain hostnames.
12-14-2011 12:57 AM