Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
497
Views
0
Helpful
2
Replies

New ASA deployment AnyConnect clients cannot access internal DNS

rgnelson
Level 1
Level 1

‎02-01-2019 07:52 AM - edited ‎02-21-2020 09:33 PM

Connected AnyConnect clients are sending the DNS queries to their physical interface address DNS servers, not the internal DNS via the tunnel. 


Anyconnect Client shows the DNS servers as secured route. 

Clients can successfully ping to dns servers across the tunnel. 

 

SPLITTUNNEL-ACL is a standard access list with the 172.16.0.0/12 private space

NAT statement is the same 172.16.0.0/12 internal to the ASA IP Pool of the client. 

Other than DNS, the AnyConnect is fully functional. 

 

Group Policy: 

group-policy <name> attributes
dns-server value internaldns1 internaldns2
vpn-idle-timeout 60
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLITTUNNEL-ACL
default-domain value <userdomain>
split-dns value externaldomain <userdomain> <userdomain2> <userdomain3>
webvpn
anyconnect ssl dtls enable
url-entry enable

 

I am kind of at a loss, it has to be something easy, but I'm not seeing it. I've tested multiple client types, so this isn't a host issue. 

ASA Version: 9.10.x

AnyConnect: 4.7.00136

 

Labels:
0 Helpful
2 Replies 2

rgnelson
Level 1
Level 1

‎02-01-2019 09:33 AM

I figured out the cause. We are also rolling out Umbrella, basic configuration for dnscrypt and system tagging was done on the policy map: preset_dns_map. I'm guessing it was intercepting the DNS requests and sending them to Umbrella...  I pulled the preset_dns_map out of the inspect list, and whatdoyouknow, proper resolution on the client. 

 

I'll have to read more about how internal vs. external lookups are supposed to work when umbrella is attached. 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎02-01-2019 12:45 PM

look at the below document will help you.

 

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116016-technote-AnyConnect-00.html

 

 

please advise if not.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents