ASA Split Tunnel FQDN Problem

asammut92 (Level 1)

Hi all,

I was wondering if someone could shed some light on our problem... We have an ASA5525 configured to allow VPN clients (via the AnyConnect client v3.1.01065) access to certain IP addresses using split tunneling. Now this works perfectly, however whenever a user (in the localdomain.com domain) tries to resolve/ping a FQDN in their local domain (e.g. server1.localdomain.com) they get a "Host not found" error. However resolving/pinging just the hostname (server1) works!

I have tried playing around with the settings under Group Policy > Advanced > Split Tunneling in the ASDM (v 6.6) but can't seem to get the FQDN to resolve. I was just wondering if anyone knows what setting is needed to allow vpn users to resolve local FQDN whilst connected to our VPN?

Just a recap:

User can ping extserver1.remotedomain.com (Remote Server - looking at it from the clients perspective)

User can ping extserver (Remote Server - looking at it from the clients perspective)

User cannot ping server1.localdomain.com (Local Server - looking at it from the clients perspective)

User can ping server1 (Local Server - looking at it from the clients perspective)

All IP traffic works as expected!

Any help will be greatly appreciated!

Thanks,

Adam

6 Replies

How is the user trying to resolve the server1.localdomain.com FQDN? If you issue the nslookup server1.localdomain.com command at a command prompt on a Windows machine, what is the result?

Which DNS server are the users using when connected to the VPN?

I am wondering if server1.localdomain.com returns a public IP which is connected to the local router or ASA and is being dropped due to implicit security policies.

--
Please remember to select a correct answer and rate helpful posts

Well I have been trying to just use ping to diagnose the problem. However anything on the local client machine that uses a local FQDN (file shares, printing, intranet etc.) does not work. Don't forget that everything remote, whether it is a hostname or FQDN, works, as do local hostnames, which goes to show that the local DNS server is coming in somewhere...

Here are the results of NSLookup:

BEFORE VPN CONNECTION

nslookup server1.localdomain.com

Server: LOCAL DNS SERVER FQDN

Address 172.16.1.xxx (Clients DNS Server Address)

Name: server1.localdomain.com

Address: 172.16.1.xxx (Server1's IP Address)

AFTER VPN CONNECTION

nslookup server1.localdomain.com

Server: VPN DNS FQDN

Address 172.16.30.xxx (VPN DNS Server Address)

*** VPN DNS FQDN can't find server1.localdomain.com: Non-existent domain

This is the problem... The VPN is telling windows to tunnel all DNS queries and ask them to be resolved by the remote DNS server not the local one... It was my understanding that this type of thing can be restricted by adding the "split-dns remotedomain.com" command which will only tunnel "remotedomain.com" queries correct?

Is there a setting I need on the ASA or AnyConnect client that will allow this type of thing to happen?

Your assumption is correct regarding the split-dns.

Have you enabled "Enable Local LAN Access (if configured)" option in AnyConnect?

Could you post a full configuration of your ASA? Change all public IPs and domains please.

--
Please remember to select a correct answer and rate helpful posts

Yes I have tried the "Enable Local LAN Access (if configured)" option in AnyConnect with no luck. I was reading here https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml#dsfg that the "Enable Local LAN Access" option is only if you use the "Exclude Network List Below"... Please feel free to correct me if I'm wrong...

Here is the relevant config...

access-list split-tunneling remark MEM Server
access-list split-tunneling standard permit host 192.168.1.34
access-list split-tunneling remark DNS Server
access-list split-tunneling standard permit host 172.16.30.10
access-list split-tunneling remark APPSSERVER
access-list split-tunneling standard permit host 172.16.30.31
access-list split-tunneling remark SQL
access-list split-tunneling standard permit host 192.168.1.11
access-list split-tunneling remark Phone System
access-list split-tunneling standard permit host 192.168.3.18

aaa-server SR protocol radius
max-failed-attempts 5
aaa-server SR (Inside_new) host 172.16.30.10
key ****

group-policy GroupPolicy_S_TEST internal
group-policy GroupPolicy_S_TEST attributes
wins-server value 172.16.30.10 172.16.30.11
dns-server value 172.16.30.10 172.16.30.11
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunneling
default-domain value remotedomain.com
split-dns value remotedomain.com
split-tunnel-all-dns disable
msie-proxy method no-modify
webvpn

tunnel-group TEST1 type remote-access
tunnel-group TEST1 general-attributes
address-pool AnyConnect_pool
authentication-server-group SR
default-group-policy GroupPolicy_S_TEST
tunnel-group TEST1 webvpn-attributes
group-alias TEST1 enable

I really appreciate your help! Thanks heaps!


If you enter split-dns value none does the FQDN resolve correctly?

If it does, and you add split-dns value remotedomain.com does it now resolve correctly also?

--
Please remember to select a correct answer and rate helpful posts

No, it makes no difference either way... Both NSLookup and Ping report the same errors as above. I have tried "Enabling Local Access..." on the AnyConnect client as well with no luck... Here is a dump of ipconfig /all with both configurations:

split-dns value none

C:\Users\administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : CLIENTNAME
   Primary Dns Suffix  . . . . . . . : localdomain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : remotedomain.com
                                       none
                                       localdomain.com
                                       .com
                                      

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : remotedomain.com
   Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client V
irtual Miniport Adapter for Windows x64
   Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5532:3a5d:7c03:c6f5%13(Preferred)
   Link-local IPv6 Address . . . . . : fe80::88d7:ad44:7a69:53f1%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.50.39(Preferred) < ASA ClientIPPool
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 301991322
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-7A-87-1C-00-15-5D-01-0B-68

   DNS Servers . . . . . . . . . . . : 172.16.30.10 < REMOTE DNS SERVER
                                       172.16.30.11 < REMOTE DNS SERVER
   Primary WINS Server . . . . . . . : 172.16.30.10 < REMOTE DNS SERVER
   Secondary WINS Server . . . . . . : 172.16.30.11 < REMOTE DNS SERVER
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : localdomain.com
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Ada
pter
   Physical Address. . . . . . . . . : 00-15-5D-01-0B-68
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::4114:47c3:b707:f0b4%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.16.1.1(Preferred) < Local IP Address
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, 7 August 2013 3:17:31 AM
   Lease Expires . . . . . . . . . . : Thursday, 15 August 2013 3:17:32 AM
   Default Gateway . . . . . . . . . : 172.16.1.254 < Local Gateway
   DHCP Server . . . . . . . . . . . : 172.16.1.203 < Local DHCP Server
   DHCPv6 IAID . . . . . . . . . . . : 234886493
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-7A-87-1C-00-15-5D-01-0B-68

   DNS Servers . . . . . . . . . . . : 172.16.1.221 < Local DNS Server
                                       172.16.1.203 < Local DNS Server
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.localdomain.com:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.remotedomain.com:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : remotedomain.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


split-dns value remotedomain.com

C:\Users\administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : CLIENTNAME
   Primary Dns Suffix  . . . . . . . : localdomain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : remotedomain.com
                                       remotedomain.com
                                       localdomain.com
                                       .com

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : remotedomain.com
   Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client V
irtual Miniport Adapter for Windows x64
   Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::6d36:da82:8fed:8b5e%13(Preferred)
   Link-local IPv6 Address . . . . . : fe80::88d7:ad44:7a69:53f1%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.50.39(Preferred) < ASA ClientIPPool
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 301991322
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-7A-87-1C-00-15-5D-01-0B-68

   DNS Servers . . . . . . . . . . . : 172.16.30.10 < Remote DNS Server
                                       172.16.30.11 < Remote DNS Server
   Primary WINS Server . . . . . . . : 172.16.30.10 < Remote DNS Server
   Secondary WINS Server . . . . . . : 172.16.30.11 < Remote DNS Server
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : localdomain.com
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Ada
pter
   Physical Address. . . . . . . . . : 00-15-5D-01-0B-68
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::4114:47c3:b707:f0b4%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.16.1.1(Preferred) < Local IP Address
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, 7 August 2013 3:17:31 AM
   Lease Expires . . . . . . . . . . : Thursday, 15 August 2013 3:17:32 AM
   Default Gateway . . . . . . . . . : 172.16.1.254 < Local Gateway
   DHCP Server . . . . . . . . . . . : 172.16.1.203 < Local DHCP Server
   DHCPv6 IAID . . . . . . . . . . . : 234886493
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-7A-87-1C-00-15-5D-01-0B-68

   DNS Servers . . . . . . . . . . . : 172.16.1.221 < Local DNS Server
                                       172.16.1.203 < Local DNS Server
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.localdomain.com:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.remotedomain.com:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : remotedomain.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Just confirming that when I say localdomain.com I am referring to the client's domain, and when I say remotedomain.com I am referring to our domain that the client is remoting into...

Thanks
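An added example (not code from the thread or from Cisco): a small model of how a split-tunnel AnyConnect client is expected to choose DNS servers under the posted group policy, used to compare the nslookup results above with what "split-dns value remotedomain.com" should give versus "split-dns value none". It assumes label-aligned suffix matching for split-DNS domains; the server addresses are the ones shown in the posted config and ipconfig output.

```python
# Added example, not from the thread: a model of split-DNS resolver
# selection for a split-tunnel client, used to check the nslookup results
# posted above against what the group policy should produce.
# Server addresses come from the posted config and ipconfig /all output.

TUNNEL_DNS = ["172.16.30.10", "172.16.30.11"]  # dns-server value (group policy)
LOCAL_DNS = ["172.16.1.221", "172.16.1.203"]   # client LAN adapter DNS servers


def in_split_domain(name, split_domains):
    """True if name equals, or is a subdomain of, any split-dns domain.
    Matching is label-aligned so 'notremotedomain.com' does not match."""
    labels = name.lower().rstrip(".").split(".")
    for dom in split_domains:
        dl = dom.lower().rstrip(".").split(".")
        if len(labels) >= len(dl) and labels[-len(dl):] == dl:
            return True
    return False


def expected_resolvers(name, split_dns):
    """DNS servers a split-tunnel client should query for `name`.
    split_dns=None models 'split-dns value none': nothing tells the client
    which names belong to the VPN, so every query goes to the tunnel servers
    (the behaviour the thread observes for both settings)."""
    if split_dns and in_split_domain(name, split_dns):
        return TUNNEL_DNS
    if split_dns:
        return LOCAL_DNS  # names outside the split-dns list stay on the LAN adapter
    return TUNNEL_DNS


def check(name, observed_server, split_dns):
    """Compare the server nslookup actually used with the expected list.
    Returns (ok, expected_list) so a failing case is easy to read."""
    expected = expected_resolvers(name, split_dns)
    return observed_server in expected, expected


if __name__ == "__main__":
    # Constructed from the thread: after connecting, the lookup for the
    # client's own domain was answered (NXDOMAIN) by VPN DNS 172.16.30.10.
    cases = [
        ("server1.localdomain.com", "172.16.30.10"),
        ("extserver1.remotedomain.com", "172.16.30.10"),
    ]
    for fqdn, seen in cases:
        ok, want = check(fqdn, seen, ["remotedomain.com"])
        print(f"{fqdn:28} answered by {seen:13} expected {want} -> {'OK' if ok else 'MISMATCH'}")
```

Running it flags server1.localdomain.com as a mismatch: with split-dns set to remotedomain.com, that query should have gone to the LAN adapter's servers rather than the tunnel servers.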
