andrew.vint
Beginner

SA520 Client VPN not getting DNS address

Hi All,

I have a Cisco SA520 which has been set up to provide Client Access via the Cisco VPN Client 5.x.

I can connect and authenticate no problem (after several hours of playing with Windows RADIUS).

However, when I connect I don't seem to get a full range of IP settings.

---------------------

Ethernet adapter Cisco VPN Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Cisco Systems VPN Adapter for 64-bit Windows
Physical Address. . . . . . . . . : 00-05-9A-xx-xx-xx
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.12.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Enabled

---------------------

Specifically, I don't get a DNS address, which means I can ping all the servers on the remote LAN by IP address but am unable to ping by name.

This will cause all sorts of problems as the services need to access the DNS server.

Why can't I specify this information in the SA520?

Windows is providing my DHCP service, BTW.

Thanks in advance

Andrew Vint

nmanglik
Cisco Employee

Hi Andrew,

Can you please provide the SA500 firmware version that you are currently using? If it is 2.1.18 then there was a limitation that would use only IP address instead of FQDN.

We have released 2.1.45 on Cisco Support Community and with this image you can access remote LAN resources both by IP and FQDN. To obtain the SA500 MR4 Release Candidate firmware, please send an e-mail to sa500-mr4@cisco.com and include your Cisco.com User ID in the subject line of the email.

Thanks,

Nitin


Hi Nitin,

Thank you so much for this info... I am hoping it resolves my issue on what I feel to be a very solid product.

It is just missing a few things to make it best in class.

- The first thing was the DNS use in the VPNs

- Second is the Inter Vlan routing from remote locations (Site 2 Site VPNs) to all the local VLANs

- Finally it would be great if CCA could control the device better specifically around the creation of Vlans between UCxx and ESWxx.

All in all good work

Thanks again

Hi Andrew,

Thank you for the feedback. I am hoping your Cisco VPN limitations on firmware 2.1.18 are resolved with 2.1.45.

For multiple VLANs to communicate over the same IPSec tunnel (site to site), you can add multiple VPN Policies for each VLAN and associate them with the same IKE Policies.

After you have created the VPN Policy using the default VLAN, go to VPN Policies and click Add. Under Local Traffic Selection, add the Local Subnet you would like to communicate with the remote site. Then associate the newly created VPN Policy to IKE Policy (Select IKE Policy).

For each VLAN subnet, there will be one VPN Policy.

Regarding better CCA support to SA500, I will communicate this to the Product Management team.

Thanks,

Nitin.


Thank You for getting back to me...

I am glad to say that since using this new firmware my Cisco VPN Client connects and is now issued with the new details as provided, and I can successfully reach my Windows network and servers by name.

One thing of note though: I performed an upgrade from FW 2.1.18 and it transferred everything across, which was great, but to get the Cisco VPN client to pick up the new settings from the Dynamic IP range I had to disable and remove the VPN and IKE policy for remote access and recreate it.

Not a major task, but one that people may need to bear in mind to avoid the confusion I had when getting issued with the old IP range after the upgrade.

....

There is, however, one issue I have left and I need to know if it can be resolved.

I have a UC560 sitting behind this SA520, to which a static route has been added back to the Dynamic IP Range. When connected I can ping the interface on Vlan1 no problem.

However, I cannot reach the Voice Vlan or indeed the Vlan90 where the CUE sits.

This as a result is causing IP Communicator and the Cisco Smart Call Connector to fail to connect.

Is there any way to resolve this issue? If I need to raise with TAC I will, as I have a support contract in place, but so far you have provided much more valid help to date.

Thanks again

Andrew

Hi Andrew,

I am glad to hear that the new firmware has helped you.

For the Dynamic IP Range issue, you don't need to delete and re-create the IKE and VPN policy - disabling and enabling the IKE and VPN Policy would have helped too.

On the UC560 issue, we have tried this scenario in our labs and it is working. We were able to register Cisco IP communicator over VPN tunnel to UC560 (through SA500). Can you please confirm if you used CCA to configure UC560?

Thanks,

Nitin.