08-07-2018 09:23 AM - edited 02-21-2020 09:26 PM
Recently we upgraded our VPN hardware platform. Because I needed both VPNs to be up simultaneously (multiple profiles tied to respective URLs), we decided to move one profile (URL) at a time. After changing the DNS record for one of the VPN URLs, not all of the clients migrated. We still had a handful that kept connecting to the old VPN. After ruling out DNS TTL and such, we discovered the hosts files on those clients had been modified: the URL for the VPN was tied to the OLD VPN hardware. Looking at documentation and older forum posts, it says that the headend does a DNS lookup and could modify the client's hosts file. Well, doing a DNS lookup on the old appliance, it does indeed resolve the VPN URL to the new appliance's IP. I work in a HEAVY BYOD environment, so this is a massive pain for me to find the users, then instruct them how to remove hosts file entries. Could something be done on the old firewall to remove/update the hosts file entry?
The old appliance is an ASA 5550 running code asa917-23, AnyConnect version 3.1.10010 (I know it's old; the new appliance is up to date).
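The post describes clients whose hosts file pins the VPN hostname to the old appliance's address, and the poster's only remedy so far is to walk each user through editing the file by hand. The script below is an added example, not code from the original post or from Cisco: it parses a hosts file, reports every line that maps the VPN hostname to an address other than the current headend, and rewrites the file with only those pins removed (a line that also carries other hostnames keeps them). The hostname vpn.example.com, the old address 198.51.100.10, the new address 203.0.113.20 and the sample hosts file are all hypothetical, constructed for the demonstration.

```python
"""Find and remove stale hosts-file pins for a VPN headend hostname.

Added example, not part of the original post. All names and addresses
below are hypothetical stand-ins for the poster's real VPN URL and ASA IPs.
"""
import ipaddress
from pathlib import Path

VPN_HOST = "vpn.example.com"          # hypothetical VPN URL
CURRENT_IPS = {"203.0.113.20"}        # hypothetical address of the new headend

# Constructed sample hosts file, standing in for a BYOD client that is still
# pinned to the retired appliance (198.51.100.10). Not taken from a real host.
SAMPLE_HOSTS = (
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "# corporate VPN pin, left behind by an old session\n"
    "198.51.100.10   vpn.example.com\n"
    "10.0.0.5        intranet.example.com vpn.example.com\n"
    "203.0.113.20    vpn.example.com     # already correct, keep it\n"
)


def parse_line(line):
    """Split one hosts line into (ip, [names], comment); None for blank/comment/malformed lines."""
    body, sep, comment = line.partition("#")
    fields = body.split()
    if len(fields) < 2:
        return None
    try:
        ipaddress.ip_address(fields[0])
    except ValueError:
        return None                      # not an address; leave the line untouched
    return fields[0], fields[1:], (sep + comment).rstrip() if sep else ""


def _has_host(names, hostname):
    """Hostnames in hosts files are case-insensitive."""
    return hostname.lower() in (n.lower() for n in names)


def stale_pins(text, hostname=VPN_HOST, current_ips=CURRENT_IPS):
    """Return [(lineno, ip)] for lines mapping hostname to an address not in current_ips."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed and _has_host(parsed[1], hostname) and parsed[0] not in current_ips:
            found.append((n, parsed[0]))
    return found


def scrub(text, hostname=VPN_HOST, current_ips=CURRENT_IPS):
    """Return (new_text, removed).

    A line whose only name is the stale hostname is deleted outright; a line
    that also lists other names keeps them and loses only the VPN hostname.
    Pins that already point at current_ips are left alone.
    """
    out, removed = [], []
    for line in text.splitlines(keepends=True):
        parsed = parse_line(line)
        if parsed is None:
            out.append(line)
            continue
        ip, names, comment = parsed
        if ip in current_ips or not _has_host(names, hostname):
            out.append(line)
            continue
        removed.append((ip, hostname))
        keep = [n for n in names if n.lower() != hostname.lower()]
        if keep:
            eol = line[len(line.rstrip("\r\n")):]      # preserve CRLF on Windows
            rebuilt = f"{ip:<15} {' '.join(keep)}"
            if comment:
                rebuilt += "  " + comment
            out.append(rebuilt + eol)
    return "".join(out), removed


def scrub_file(path, hostname=VPN_HOST, current_ips=CURRENT_IPS, dry_run=True):
    """Clean a real hosts file in place (needs admin/root to write); dry_run only reports."""
    p = Path(path)
    new_text, removed = scrub(p.read_text(encoding="utf-8", errors="replace"), hostname, current_ips)
    if removed and not dry_run:
        p.write_text(new_text, encoding="utf-8")
    return removed


if __name__ == "__main__":
    print("stale pins in sample:", stale_pins(SAMPLE_HOSTS))
    cleaned, removed = scrub(SAMPLE_HOSTS)
    print("removed:", removed)
    print(cleaned, end="")
```

On a Windows client the file is `C:\Windows\System32\drivers\etc\hosts` and on macOS/Linux `/etc/hosts`; run `scrub_file` with `dry_run=True` first and distribute the result (for example through the client's management tooling) rather than asking BYOD users to edit the file by hand. The script only removes the specific stale mapping, so other entries users have added stay intact.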