Cisco Anyconnect DNS client registration and domain lookup.

mustbe9to50char
Level 1

Hi All,

I am working on an issue with our network team (I'm an AD guy) and was wondering if I could get some guidance here.

We are using anyconnect vpn client version 3.0.0857 and our clients aren't registering in DNS automatically nor manually using ipconfig /registerdns. All client machines on the lan are registering fine.

The error in the traces suggests that the domain name cannot be found, although all other domain functionality works. What I've noticed is the VPN policy pushes down two DNS servers and we seem to be forced to use only the two in the policy. Ex. "nslookup domain" works and "nslookup domain alternatednsserver" does not. When specifying an alternate DNS server not bound to the Cisco NIC we'll get a non-existent domain error.

So two questions:

Should "nslookup domain.com alternatednsserverip" (not in the VPN policy) work?

and

The clients are all DHCP from an ASA device. Should the device register the names of these clients in DNS, or does the client register directly with the DNS servers?

Thanks,

Dan

11 Replies

mustbe9to50char
Level 1

Can anyone try this for me on Windows 7?

'nslookup yourdomain alternatednsserverip'   where the alternate DNS server is not one bound to your AnyConnect NIC.

Dan

We are not using split tunneling, and what we've recently figured out is that Windows 7 clients are not permitted to use any DNS servers other than the ones listed in the policy, whereas Windows XP machines can. If you specify the DNS server to use in nslookup, no traffic whatsoever is initiated from the client.

On the network, however, it makes no difference.

Dan

JeromeTechie1
Level 1

It can come from several settings, but my first shot would be the split tunneling settings:

Group Policy > Advanced > Split tunneling

In DNS Names, uncheck Inherit and specify the DNS name(s) for which the client should tunnel requests.

Also make sure the DNS servers are configured within the same group policy.

Another way of testing this is replacing the DNS servers assigned to the NIC by the VPN policy with others. No queries will work at all.

What I'm trying to figure out is why the policy is restricting DNS traffic to only the DNS servers defined.

AnyConnect should act as a virtual NIC with its own IP and own DNS server configuration.

How do you assign IP addresses: through a pool on the ASA or through an internal DHCP server?

Can you at least ping your dns servers from your AnyConnect client?

So when your clients are using VPNs, they use full tunneling? If yes and your group policy is set to inherit, enforce it by configuring it.

Also check if your ASA can do some DNS lookups on your LAN.

We can ping, we can telnet on 53. We assign IPs from a pool on the ASAs. All DNS queries work; however, during a dynamic DNS update we can't use any DNS servers other than the ones specified. Here is what is happening: the configured DNS server issues an SOA response for the domain queried, and then communication between the DNS server handed out in the response and the client fails.

That is, if the DNS server returned is other than what is configured in the policy. We have over 60 DNS servers authoritative for the zone and two of them specified in the policy.
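The check Dan is running by hand (query the zone's SOA against a DNS server that is and is not in the VPN policy, and see whether the reply is NOERROR, NXDOMAIN, or nothing at all) can be scripted so the result does not depend on nslookup's own server selection or on the OS resolver. The following Python script is an added example, not code from this thread or from Cisco; it sends a raw SOA query over UDP port 53 to each server you list and reports the outcome per server, which is exactly the comparison the original question (policy server vs. alternate server) asks for. The zone name example.com, the server list and the two sample replies are constructed for the offline part and are not taken from the thread.

```python
import socket
import struct

# RFC 1035 response codes we expect to see when probing authoritative servers.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}
QTYPE_SOA = 6
QCLASS_IN = 1


def encode_name(zone):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [label for label in zone.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty zone name")
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_soa_query(zone, txid):
    """Build a single-question DNS query for the SOA record of `zone` (RD bit set)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack(">HH", QTYPE_SOA, QCLASS_IN)


def parse_response(packet, txid):
    """Return (rcode_name, answer_count) for a DNS response to our query.

    Raises ValueError if the packet is truncated, is not a response, or does not
    carry our transaction id (a stray or spoofed reply must not be counted).
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: packet is a query, not a response")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode), ancount


def probe_servers(zone, servers, timeout=2.0):
    """Send the SOA query to each server over UDP/53 and summarise what came back.

    Values are the server's rcode ("NOERROR", "NXDOMAIN", ...), "timeout" when
    nothing returned inside `timeout` seconds (the symptom the thread describes
    for servers outside the VPN policy), or an error string for a bad reply.
    """
    results = {}
    for i, server in enumerate(servers):
        txid = 0x1000 + i                      # distinct id per server
        query = build_soa_query(zone, txid)
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _addr = sock.recvfrom(512)
            rcode, answers = parse_response(data, txid)
            results[server] = "%s (%d answer RRs)" % (rcode, answers)
        except socket.timeout:
            results[server] = "timeout"
        except ValueError as exc:
            results[server] = "bad reply: %s" % exc
        except OSError as exc:
            results[server] = "socket error: %s" % exc
        finally:
            sock.close()
    return results


# Constructed sample replies (not captured from any real server) so that
# parse_response can be exercised offline. Only the header is consulted, so the
# answer section is omitted; the counts mirror what a real server would send.
SAMPLE_NOERROR = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                  + encode_name("example.com")
                  + struct.pack(">HH", QTYPE_SOA, QCLASS_IN))
SAMPLE_NXDOMAIN = (struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 1, 0)
                   + encode_name("example.com")
                   + struct.pack(">HH", QTYPE_SOA, QCLASS_IN))


if __name__ == "__main__":
    import sys
    # usage: python dnsprobe.py example.com <policy-dns-ip> <alternate-dns-ip> ...
    zone, servers = sys.argv[1], sys.argv[2:]
    for server, outcome in probe_servers(zone, servers).items():
        print("%-15s %s" % (server, outcome))
```

Run it once from a LAN client and once over the AnyConnect tunnel with the same server list: a server that answers NOERROR on the LAN but shows "timeout" over the VPN confirms the traffic is being dropped or never sent, whereas NXDOMAIN or REFUSED means the query reached a server that simply does not serve that zone.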

I assume you push IP addresses on your LAN through DHCP and they get their DNS through DHCP options. I think you should try configuring an address pool on your DHCP server for your VPN clients and assign the options this way. The ASA allows you to use a DHCP server to hand out IP addresses and, of course, the options that go with them.

I never did it, but you can find options for it within the connection profile setup:

Configuration > Remote Access VPN > Network Client access > AnyConnect connection profiles > Edit > Basic

On client address assignment, enter the IP addresses of your DHCP servers.

At this point you have three options: None, DHCP link, or DHCP subnet. I would definitely give DHCP subnet a shot.

Let me know if that fixes it

PS: make sure to disable your DNS entries on the ASA connection profile and group policy to avoid conflicts, and be certain that the DHCP server does its magic.

Hopefully I understood what you wanted properly.

We are getting rid of our dhcp servers so I'm not able to do this.

Did you by chance try the nslookup command? I am having trouble verifying if it should work or not.

I can't use nslookup in your scenario at the moment, sorry. You are migrating to IPv6 Stateless Auto Configuration?

Hi Dan,

Have you resolved the issue? I'm having the same issue here. Would appreciate your feedback.

Thanks,

Tao
