Searching the forum, I have seen the "no internet when connected via full-tunnel to SA540 with Cisco VPN Client" (and even with SSL VPN Client) scenario/issue raised multiple times here in the past 6-12 months, but nobody has yet to post a "fixed" or "solved" acknowledgement.
All the responses have been "just use split tunnel", which is not a solution or even a workaround for someone who requires full tunnel specifically like I do.
I have a simple Cisco VPN client capable IPSEC tunnel created using the VPN wizard on the SA540.
--I am set up for full-tunnel mode
--I can connect to my SA540 / remote site and authenticate just fine
--I can reach devices on my LAN (by IP address ONLY) while connected to the VPN
Problems:
--I have no name resolution capabilities on my LAN while connected to the VPN (I had name resolution when using a cheap consumer grade router that the SA540 replaced - no other/no dedicated DNS server onsite, only the router acting as local DNS server)
--I have no internet access while connected to the VPN
--I have tried every combination of VPN DHCP scope provided DNS servers - but no change in regards to internet access or Local LAN DNS resolution behavior when connected to the tunnel
I am running the newest version of firmware code - 2.1.71 I believe from memory (but I verified it is still the newest on Cisco.com)
Using the built-in UC560 EZ-VPN-Client at this and other locations, full-tunnel far-end/remote internet access works fine
So this issue seems isolated to the SA540 itself
For local DNS resolution, I am not sure if the expected behavior is that the SA540 can resolve local DNS machine names (Please advise)
But obviously full-tunnel internet access should work, which is the priority here for me. The local DNS resolution via the SA540 is a great to have.
--Can anyone at Cisco acknowledge this is a known bug / issue, and when I can expect a fix?
--Or is there anyone here that can confirm they have successfully created a Full-Tunnel with working internet using SA540 + Cisco VPN client (and if so, what version of code are you using?)
Thanks
Mike
Just to be clear, when I say "local LAN" or "Local DNS" I am always referring to the LAN at the remote/far end (the site that the SA540 is located at).
I am connecting via Full-tunnel so I want ALL traffic to go into the tunnel - and I want both internet access and DNS-capable LAN access at the remote site where the SA540 is located - so I will have the same access/experience as if I was a user at the remote site physically.
I don't want or need LAN or internet access where I am physically located with my VPN client - (if I did, I would have created a split tunnel!)
Thanks
Hi CCMAADM1N1,
To fix the DNS issue, you need to delete the existing VPN policies, then do the following:
Navigate to VPN -> IPSEC -> DYNAMIC IP RANGE.
Set the mode to full tunnel, specify the optional DNS fields and/or WINS server.
Then recreate the policies to use with the Cisco 5.x client.
-Tom
Thanks -
Sent from Cisco Technical Support iPhone App
Thanks - I suspected a reboot would fix the internet access (it did) since I made changes to the VPN DHCP SCOPE (changed DNS servers) after creating the policies (SA is a nice device but requires reboot after most network related changes, not the most convenient but bearable if things work in the end).
But unfortunately even after delete/rebuild/reboot I cannot resolve DNS on the remote LAN while connected to full tunnel ipsec VPN.
Does the SA540 have the capability/logic to handle the local DNS resolution for clients connected via VPN CLIENT from outside? Doesn't seem so ..
The same devices resolve DNS just fine when connected locally to the LAN so we know it works - just not working when same devices are connected via Cisco VPN Client from outside.
I'm thinking of rolling back 1 firmware release, and testing again - I could swear this worked/works on some older installs that I have not had the need or chance to upgrade since 2.1.51 I believe.
Sent from Cisco Technical Support iPhone App
Hi CCMA,
Yes the local resolution does work. Typically it should be configured as mentioned above. I'm not sure why it wouldn't.
You can also call to create a service request if the router has entitlement for support.
http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
-Tom
I got an SA540 and I am having the same exact problem: Cisco VPN 5 client, everything seems to work except the DNS resolution. Did you ever get this to work CCADM1N1?
Me too.
Pietro