asmlicense
Beginner

DNS resolution issue

Good day to everyone.

We have a central site with remote branches, which are connected via DMVPN.

A few days ago we tried to connect another branch, which isn't in the DMVPN and is on another ISP. We connected it via a site-to-site VPN. Everything works fine: there is an ISP connection, a VPN connection, and the APs are connected to the central WLC and working fine too.

There is one issue: browsers on the PCs can't resolve and open any website. Our local sites are working fine, but internet sites aren't opening.

Ping to the ISP, ping to google.com, etc. work fine. It resolves google.com, but browsers don't open any page. I've tried every possible thing, but wasn't successful. I'm also posting the config of our branch router and switch here. Maybe some of you will be able to help me.

Thanks in advance!

paul driver
VIP Mentor

Hello

Have you tried hardcoding a client DNS setting to see if you are able to connect?
Is it possible they have any static hosts file entries?

Your DHCP scope for the clients is pointing towards your NTP server, and your NAT ACL is incorrect:

no ip dhcp excluded-address 10.127.225.130 10.127.225.140
no ip access-list extended ACLFORNAT

ip dhcp pool DATA
 no dns-server 192.168.10.250 8.8.8.8
 dns-server 10.127.225.129 8.8.8.8

ip dhcp excluded-address 10.127.225.129 10.127.225.140

ip access-list extended ACLFORNAT
 permit ip 10.127.225.128 0.0.0.127 any

kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Georg Pauwen
VIP Expert

Hello,

Not sure if it makes a difference, but try and just use the Google DNS servers in your DHCP pool. Also try and just use an overload statement for the NAT instead of the pool (changes marked in bold).

Also, what is the IP SLA for, as it doesn't seem to be applied to anything?


service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no platform punt-keepalive disable-kernel-core
!
hostname ***
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging count
logging buffered 100000
logging console informational
enable secret ***
!
no aaa new-model
clock timezone AZE 4 0
!
ip name-server 8.8.8.8
!
ip domain name <our local domain name>
ip dhcp excluded-address 10.127.225.130 10.127.225.140
!
ip dhcp pool DATA
network 10.127.225.128 255.255.255.128
default-router 10.127.225.129
dns-server 8.8.8.8 8.8.4.4 
lease 2
!
subscriber templating
!
multilink bundle-name authenticated
!
password encryption aes
!
archive
log config
logging enable
notify syslog contenttype plaintext
!
spanning-tree extend system-id
!
username *** privilege 15 secret ***
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
track 1 ip sla 10 reachability
default-state up
!
crypto isakmp policy ***
encr ***
authentication pre-share
group ***
crypto isakmp key *** address <office peer ip>
!
crypto ipsec transform-set *** *** ***
mode tunnel
crypto ipsec fragmentation after-encryption
!
crypto map *** *** ipsec-isakmp
set peer ***
set transform-set ***
match address <ACL_FOR_SITETOSITE>
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/0/0.50
description MANAGEMENT
encapsulation dot1Q 50
ip address 1.1.1.1 255.255.255.0
no ip proxy-arp
ip nat inside
!
interface GigabitEthernet0/0/0.100
description DATA
encapsulation dot1Q 100
ip address 10.127.225.129 255.255.255.128
ip nat inside
!
interface GigabitEthernet0/0/1
ip address <PUBLIC IP>
ip nat outside
negotiation auto
no cdp enable
crypto map ***
!
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
no ip nat service netbios-ns tcp
no ip nat service netbios-ns udp
no ip nat service netbios-ssn
no ip nat service netbios-dgm
no ip nat service ldap
ip nat inside source list ACLFORNAT interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 <PUBLICIPGATEWAY>
ip ssh port *** rotary *
!
!
ip access-list extended ACLFORNAT
<here I denied statements in ACL_FOR_SITETOSITE and permit everything else>
permit ip 10.127.225.0 0.0.0.255 any
ip access-list extended ACL_FOR_SITETOSITE
***
<here I permit local subnet which should see each other>
ip access-list extended ACLFORSSH
***
!
ip sla 10
icmp-echo *** source-interface GigabitEthernet0/0/0.50
frequency 120
timeout 120000
threshold 12000
ip sla schedule 10 life forever start-time now
!
logging source-interface GigabitEthernet0/0/0.50
logging host 192.168.10.151
access-list 2 permit ****
!
snmp-server community ***
snmp-server enable traps
snmp-server host *** version ***
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
banner login ^CCCCCCC
--- -------------------------------------------- ---
--- UNAUTHORISED ACCESS IS PROHIBITED ---
--- -------------------------------------------- ---
^C
!
line con 0
stopbits 1
line aux 0
no activation-character
no exec
transport preferred none
transport output none
stopbits 1
line vty 0 4
access-class <ACLFORSSH> in
exec-timeout 5 0
logging synchronous
login local
rotary *
length 0
transport input ssh
line vty 5 15
access-class <ACLFORSSH> in
exec-timeout 5 0
logging synchronous
login local
rotary *
transport input ssh
!
ntp server 192.168.10.250
!
end
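Paul's and Georg's corrections above (gateway excluded from the scope, NAT ACL matching the pool, DNS servers that are not on the far side of the VPN) can be checked mechanically. This is an added example, not code from the thread or from Cisco: it parses the two config fragments with wildcard-mask math and reports each mismatch. The BEFORE/AFTER fragments are constructed from the snippets posted in the thread.

```python
import ipaddress

# Constructed from the thread: the DATA pool as first posted, then with Paul's fixes.
BEFORE = """\
ip dhcp excluded-address 10.127.225.130 10.127.225.140
ip dhcp pool DATA
 network 10.127.225.128 255.255.255.128
 default-router 10.127.225.129
 dns-server 192.168.10.250 8.8.8.8
ip access-list extended ACLFORNAT
 permit ip 10.127.225.0 0.0.0.255 any
"""
AFTER = (BEFORE.replace("excluded-address 10.127.225.130", "excluded-address 10.127.225.129")
               .replace("dns-server 192.168.10.250", "dns-server 10.127.225.129")
               .replace("10.127.225.0 0.0.0.255", "10.127.225.128 0.0.0.127"))

def parse(cfg):
    """Collect excluded ranges, pool network/gateway/DNS and NAT ACL source networks."""
    c = {"excluded": [], "dns": [], "nat_permits": []}
    for line in cfg.splitlines():
        w = line.split()
        if w[:3] == ["ip", "dhcp", "excluded-address"]:
            lo = int(ipaddress.ip_address(w[3]))
            hi = int(ipaddress.ip_address(w[4])) if len(w) > 4 else lo
            c["excluded"].append((lo, hi))
        elif w[:1] == ["network"]:  # address + subnet mask
            c["network"] = ipaddress.ip_network(f"{w[1]}/{w[2]}", strict=False)
        elif w[:1] == ["default-router"]:
            c["gateway"] = ipaddress.ip_address(w[1])
        elif w[:1] == ["dns-server"]:
            c["dns"] = [ipaddress.ip_address(a) for a in w[1:]]
        elif w[:2] == ["permit", "ip"] and len(w) > 3 and w[2] not in ("any", "host"):
            # ACL source is address + wildcard; ipaddress accepts a hostmask after "/"
            c["nat_permits"].append(ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False))
    return c

def lint(cfg):
    """Mismatches Paul flags: gateway handed out by DHCP, NAT ACL off the pool, DNS beyond the VPN."""
    c = parse(cfg)
    findings = []
    if not any(lo <= int(c["gateway"]) <= hi for lo, hi in c["excluded"]):
        findings.append("default-router is not excluded from the pool")
    hits = [n for n in c["nat_permits"] if c["network"].subnet_of(n)]
    if not hits:
        findings.append("NAT ACL does not match the DHCP pool network")
    elif any(n.prefixlen < c["network"].prefixlen for n in hits):
        findings.append("NAT ACL is wider than the DHCP pool network")
    for d in c["dns"]:
        if d.is_private and d not in c["network"]:
            findings.append(f"dns-server {d} is private and off-subnet: reachable only via the VPN")
    return findings
```

Running `lint(BEFORE)` reports all three issues; `lint(AFTER)` returns an empty list. The off-subnet DNS check is the one that matters for the symptom in the thread: a private resolver address only works if the site-to-site ACL carries that traffic.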

The title of the post clearly identifies this as an issue about DNS. But as I read the original post I am not sure that this is correct. I am especially interested in this part of the post:

"Ping to isp, ping to google.com and etc works fine. It resolves google, but browsers don't open any page"

If I am reading it correctly it is saying that in fact DNS resolution is working but browsers do not open pages. I have seen these symptoms before, especially when an IPsec VPN is being used. And the problem frequently turns out to be related to packet size and fragmentation. The way that I have frequently solved this is to use ip tcp adjust-mss to specify a smaller frame size.

This link is to an interesting article about frame size and fragmentation problems, which discusses the causes and suggests several ways that it can be addressed. I hope you find it helpful.

https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html

HTH

Rick

Paul,

I did as you said. I'll check it tomorrow. 192.168.10.250 isn't only the NTP server, it's also our local DNS server. I changed them as you said.

Georg, the SLA is for the site-to-site connection. It just sends pings to the destination address, which I commented here. I changed the NAT as you said, hope it will help.

Richard, I've applied ip tcp adjust-mss 1460 to the gi interface which faces the ISP side, but it didn't really help. Browsers still don't open any page.

Thank you all, I'll test again everything you advised me. Hope it'll help.
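Rick's fragmentation explanation and the adjust-mss 1460 result above, as an added example that is not part of the thread: it computes the on-the-wire size of a full TCP segment after ESP tunnel-mode encapsulation and the largest MSS that still fits the 1500-byte egress MTU. The transform set is masked in the thread, so AES-CBC with HMAC-SHA1-96 is an assumption; the IV, block and ICV sizes are parameters for other suites.

```python
# Added example, not from the thread. The transform set in the thread is masked,
# so AES-CBC (16-byte IV, 16-byte block) with HMAC-SHA1-96 (12-byte ICV) is assumed;
# pass iv/block/icv for other combinations (e.g. 3DES: iv=8, block=8).
IP_HDR, TCP_HDR, ESP_HDR = 20, 20, 8   # IPv4 header, TCP header, ESP SPI + sequence

def esp_tunnel_size(mss, iv=16, block=16, icv=12):
    """Wire size of a full TCP segment carrying `mss` payload bytes after ESP
    tunnel mode: outer IP + ESP header + IV + (inner IP/TCP/data + pad + 2) + ICV."""
    inner = IP_HDR + TCP_HDR + mss
    # pad so the inner packet plus the 2 trailer bytes (pad length, next header)
    # is a multiple of the cipher block size
    pad = (-(inner + 2)) % block
    return IP_HDR + ESP_HDR + iv + inner + pad + 2 + icv

def fits(mss, mtu=1500, **cipher):
    """True if the encrypted packet leaves the outside interface unfragmented."""
    return esp_tunnel_size(mss, **cipher) <= mtu

def max_mss(mtu=1500, **cipher):
    """Largest `ip tcp adjust-mss` value whose encrypted packets still fit `mtu`."""
    mss = mtu - IP_HDR - TCP_HDR          # 1460: what hosts already use on a 1500 link
    while not fits(mss, mtu, **cipher):
        mss -= 1
    return mss

if __name__ == "__main__":
    for mss in (1460, max_mss()):
        print(f"mss {mss}: {esp_tunnel_size(mss)} bytes on the wire, fits 1500 MTU: {fits(mss)}")
```

With adjust-mss 1460 the segment is already the largest a 1500-byte link allows, so the command changed nothing: the encrypted packet comes out at 1560 bytes and must be fragmented or dropped. Under the assumed suite the value has to drop to 1398 before full-size segments clear the outside interface intact.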

Thanks for the update. Sorry that adjust-mss did not provide a solution to your issue. Can you verify whether the main issue here is DNS resolution or something else?

HTH

Rick

I made the changes which Georg and Paul advised, and now everything is working. I'll test once more to see which one of them was the issue. Thank you all one more time!