Cisco ASA Split-DNS With Some IPv6 Clients Not Working

rfranzke
Level 1

Greetings all. So I have an issue with the split-DNS feature over AnyConnect SSL client-based VPN. Running AnyConnect 4.3 with ASA code 9.6(3)1. We use both the split-tunneling and split-DNS features to selectively direct network and DNS queries to our remote DNS servers and networks. This works fine for most of our users. We are not yet using IPv6 over our VPN setups because we still have too many legacy devices on our network which do not support IPv6 fully.

Some of my users have been experiencing an issue where split-DNS is not working for them. Lookups for names sent over the tunnel using split-DNS work fine, but any lookups not sent over the tunnel fail. Meaning that a lookup of host.internaldomain.com works fine, but a lookup of www.google.com would fail. If they disconnect from the VPN, Internet resolution works for them. As a workaround I have them disable IPv6 on their network adapter, and then the split-DNS feature works perfectly. With IPv6 enabled on their end, the split-DNS feature stops working. I run IPv6 on my home network and do not have any issues with the split-DNS feature and therefore cannot reproduce their problem. When looking at my AnyConnect client, I see the following in the information section:

Cisco AnyConnect Secure Mobility Client 4.3.03086
(Fri Jan 12 08:57:58 2018)

Connection Information
Tunnel Mode (IPv4): Split Include
Tunnel Mode (IPv6): Drop All Traffic

What I am wondering is if, because our clients are using "Drop All Traffic" for IPv6, when the troubled users' machines try to do lookups outside the tunnel, they use an IPv6 DNS server as configured by their ISP, and because the VPN tunnel is set to drop all IPv6 traffic, the lookup never works because it gets dropped. You can see here in my Windows IPCONFIG output that I have an IPv6 DNS server listed as one of my local resolvers:

DNS Servers . . . . . . . . . . . : 2001:470:X:X::X
                                    172.16.0.20
                                    172.16.0.21

But when I do Internet lookups (lookups outside the tunnel) it works fine with my IPv6 config. Is there some sort of config in the split-DNS feature to not do anything with IPv6 name lookups over the tunnel? Any idea what I have wrong here? I really am not sure why disabling IPv6 on their client machines would have any effect, but it does.

Here is my config for split-DNS:

group-policy colo-anyconnect-ras attributes
 wins-server none
 dns-server value 10.20.20.105 10.20.20.106
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value colo-ras-split-tunnel
 default-domain value internaldomain.int
 split-dns value domain.com internaldomain.int domain2.com
 split-tunnel-all-dns disable
 address-pools value colo-ras

Any help is much appreciated. Thanks.
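The post's hypothesis can be checked mechanically on an affected client: take the "Tunnel Mode" lines from the AnyConnect connection information, take the "DNS Servers" block from `ipconfig /all`, and ask, for each resolver, what the tunnel policy for its address family does with it. The script below is an added example, not code from the original post or from Cisco. The two input samples are constructed to match the formats shown above (2001:db8::53 stands in for the redacted ISP resolver); the contents of the `colo-ras-split-tunnel` list are an assumption (the post names the list but never shows it), and the mode strings other than "Split Include" and "Drop All Traffic", the two the page displays, are assumed to follow the same display convention.

```python
"""Check which of a client's DNS resolvers survive the AnyConnect tunnel policy.

Added example (not from the original post). It parses the 'Tunnel Mode' lines
of the AnyConnect connection information and the 'DNS Servers' block of
'ipconfig /all', then classifies each resolver by address family against the
tunnel mode for that family. Sample inputs are constructed, and the contents
of the split-tunnel network list are an assumption.
"""
import ipaddress
import re

# Constructed to match the format shown in the post (not a real capture).
ANYCONNECT_INFO = """\
Cisco AnyConnect Secure Mobility Client 4.3.03086

Connection Information
Tunnel Mode (IPv4): Split Include
Tunnel Mode (IPv6): Drop All Traffic
"""

# Constructed 'ipconfig /all' fragment; 2001:db8::53 stands in for the
# ISP-assigned IPv6 resolver that the post redacts.
IPCONFIG_OUTPUT = """\
   Connection-specific DNS Suffix  . : home.example
   IPv4 Address. . . . . . . . . . . : 172.16.0.50
   DNS Servers . . . . . . . . . . . : 2001:db8::53
                                       172.16.0.20
                                       172.16.0.21
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Assumed contents of the 'colo-ras-split-tunnel' list; the post names the
# list but does not show it. The group-policy's dns-server values are
# 10.20.20.105/106, so the example includes that subnet.
SPLIT_INCLUDE_NETWORKS = [ipaddress.ip_network("10.20.20.0/24")]

TUNNEL_MODE_RE = re.compile(r"Tunnel Mode \((IPv4|IPv6)\):\s*(.+)")


def parse_tunnel_modes(info):
    """Return {'IPv4': mode, 'IPv6': mode} from the connection information."""
    return {fam: mode.strip() for fam, mode in TUNNEL_MODE_RE.findall(info)}


def parse_dns_servers(ipconfig):
    """Collect the addresses of the 'DNS Servers' block, continuation lines included."""
    servers = []
    in_block = False
    for line in ipconfig.splitlines():
        if "DNS Servers" in line:
            in_block = True
            # The label is dot-padded; the first ':' is the separator, so an
            # IPv6 value with its own colons is left intact.
            candidate = line.split(":", 1)[1].strip()
        elif in_block:
            candidate = line.strip()
        else:
            continue
        try:
            servers.append(ipaddress.ip_address(candidate))
        except ValueError:
            in_block = False  # first non-address line ends the block
    return servers


def classify_resolver(addr, modes, include_nets):
    """Say how a resolver is reached under the tunnel mode for its address family.

    'Split Include' and 'Drop All Traffic' are the modes shown in the post; the
    other mode names are assumed to follow the same display convention.
    """
    family = "IPv6" if addr.version == 6 else "IPv4"
    mode = modes.get(family, "Drop All Traffic")
    if mode == "Drop All Traffic":
        return "dropped by tunnel policy"
    if mode == "Tunnel All Traffic":
        return "through tunnel"
    in_list = any(addr in net for net in include_nets)
    if mode == "Split Include":
        return "through tunnel" if in_list else "local (outside tunnel)"
    if mode == "Split Exclude":
        return "local (outside tunnel)" if in_list else "through tunnel"
    return "unknown mode: " + mode


def diagnose(info=ANYCONNECT_INFO, ipconfig=IPCONFIG_OUTPUT,
             include_nets=SPLIT_INCLUDE_NETWORKS):
    """Map each resolver address (as text) to its classification."""
    modes = parse_tunnel_modes(info)
    return {str(a): classify_resolver(a, modes, include_nets)
            for a in parse_dns_servers(ipconfig)}


def unreachable_resolvers(report):
    """Resolvers the client will try but the tunnel policy silently drops."""
    return [a for a, how in report.items() if how == "dropped by tunnel policy"]


if __name__ == "__main__":
    report = diagnose()
    for addr, how in report.items():
        print(f"{addr:<20} {how}")
    dropped = unreachable_resolvers(report)
    if dropped:
        print("Resolvers lost to the IPv6 drop policy:", ", ".join(dropped))
```

On the constructed input the IPv6 resolver comes back as "dropped by tunnel policy" while both IPv4 resolvers are "local (outside tunnel)", which is exactly the split the post describes: names inside the split-DNS domains still resolve over the tunnel, while an Internet name that the stub resolver happens to send to the IPv6 server gets no answer. To use it on a real client, paste that machine's actual AnyConnect information and `ipconfig /all` output in place of the two constructed strings and fill in the real contents of the split-tunnel list; a non-empty list from `unreachable_resolvers()` on a client whose first-listed resolver is IPv6 is the condition the post is asking about.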