10-15-2016 06:55 PM
Hi,
I am doing some development work with the intention of rolling out the NVM on our network. All has been going well, however I have hit an issue that I have yet to be able to resolve. When the client machines connect to our wired network via DHCP the AC client recognises that it is on a trusted network and transfers data. However several machines on the network have statically assigned IP addresses and on these, the AC client does not recognise that it is on a trusted network. In the AC client under VPN message history it only displays "ready to connect". I have confirmed that all parameters are identical between the two scenarios and have even statically assigned all the peripheral parameters. However as soon as I assign a static IP it no longer recognises the network as trusted. I can get around this by statically assigning an IP address via DHCP, but would rather keep it simplified if possible. Any assistance would be appreciated.
10-18-2016 10:37 AM
Hello Rob,
Without seeing the AnyConnect VPN Profile I am wondering if this subset of users with statically assigned IP addresses do not have the same Trusted DNS servers as configured in the profile under Preferences (Part 2) as the DHCP assigned users. I assume they do have the correct 'Trusted DNS Domains'.
When configuring the 'Trusted DNS Servers' it is best practice to include all Trusted DNS servers:
Trusted DNS Servers—DNS server addresses (a string separated by commas) that a network interface may have when the client is in the trusted network. For example: 192.168.1.2, 2001:DB8::1. Wildcards (*) are supported for DNS server addresses.
Best regards,
Paul
10-18-2016 10:58 PM
Hi Paul,
Thanks for the reply. With regard to the trusted DNS servers and Domains, they are identical for both scenarios of DHCP and Static addressing. That was the first area that I looked at. With my testing I even statically assigned the DNS servers and Domain suffix whilst using a DHCP address and that still worked. When looking at the IP configuration of both scenarios on the same machine they are identical, other than the fact that one had the address applied via DHCP (used the same IP address even).
Thanks,
Rob
10-19-2016 07:00 AM
Hello Rob,
OK, let's do some additional troubleshooting.
1.) You have probably done this but ensure you can ping the IPFIX Collector that is configured in the NVM profile from the problematic machine.
2.) On the machine with the static IP and not operating correctly - open up a command prompt to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\NVM> and take a look at this directory and look at the 'NVM.db'. If you are collecting data but not exporting it while generating traffic, this db should increase in size since it is caching the data until it can export on the trusted network. Please let me know what you see here.
3.) Do the users assigned an IP by DHCP and the Statically assigned users have the same and identical AnyConnect VPN profile and NVM profile? If you could email both profiles to pcarco@cisco.com I would like to take a look. Also run the DART tool on the affected machine and include that and I can check the logs out for you.
Best regards,
Paul
10-19-2016 06:05 PM
Hi Paul,
Thanks for your time again. In answer to your queries, when utilising a static IP, I can ping the collector and the NVM.db file does grow in size. To clarify I am replicating and testing this issue on one of my test laptops, so the same laptop, AC client, profiles and user (administrative) are being used for both scenarios, I’m just switching between DHCP and static addressing.
I am using ver 4.3.02039 of the client, with the VPN, NAM and NVM modules installed. We have been utilising the VPN and NAM modules for quite some time now.
I have emailed you the DART bundle file, which is inclusive of all the profiles I am utilising.
Thanks,
Rob
11-02-2016 05:06 AM
Hello Rob,
As discussed and worked offline. Statically configuring both the DNS servers and the DNS suffix in addition to the IP address solves the issue and TND is now currently working correctly and NVM traffic is being sent to your collector.
Best regards,
Paul
11-03-2016 10:49 PM
Hi Paul,
Thanks for your time and assistance with this issue, it's been greatly appreciated. I can confirm that the problem is now resolved.
To elaborate a little further on what Paul has said, the client was not seeing itself on a trusted network because it could not see a DNS suffix for that particular network connection. Looking at the IP configuration of the machine the computer had the correct DNS servers and correct DNS suffix for the computer, which was however misleading. To resolve the problem a DNS suffix had to be statically assigned to the actual connection. This is done on the DNS tab within advanced properties of the network card's IPv4 properties. A static DNS suffix is entered at "DNS Suffix for this connection:".
Thanks again for your assistance, Paul.
Regards,
Rob
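A way to see the difference Rob describes between the computer's DNS suffix and the per-connection suffix, as an added example that is not part of the original thread and is not Cisco tooling. The trusted domain is a placeholder, the server addresses are the sample values from the documentation text quoted earlier, and the `-like` comparison is only an approximation of the client's matching.

```powershell
# Added diagnostic example. Replace the two lists with the Trusted DNS Domains and
# Trusted DNS Servers from your own VPN profile; the values here are placeholders.
$TrustedDomains = @('corp.example.com')
$TrustedServers = @('192.168.1.2', '2001:DB8::1')

# Primary (computer-wide) DNS suffix. ipconfig shows it, but it is not a
# per-connection value, which is what made the static-IP case misleading.
$primary = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').Domain

# True if any value matches any pattern; -like honours the * wildcard.
function Test-AnyLike([string[]]$Values, [string[]]$Patterns) {
    foreach ($v in $Values) {
        foreach ($p in $Patterns) {
            if ($v -like $p) { return $true }
        }
    }
    return $false
}

Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | ForEach-Object {
    $suffix  = (Get-DnsClient -InterfaceIndex $_.ifIndex).ConnectionSpecificSuffix
    $servers = @((Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex).ServerAddresses)
    $dhcp    = (Get-NetIPInterface -InterfaceIndex $_.ifIndex -AddressFamily IPv4).Dhcp

    [pscustomobject]@{
        Interface        = $_.Name
        IPv4Dhcp         = $dhcp
        PrimarySuffix    = $primary
        ConnectionSuffix = $suffix       # empty on a static adapter with no suffix set
        DnsServers       = $servers -join ', '
        SuffixMatches    = ([bool]$suffix -and (Test-AnyLike @($suffix) $TrustedDomains))
        ServerMatches    = (Test-AnyLike $servers $TrustedServers)
    }
} | Format-List
```

An adapter that reports `IPv4Dhcp : Disabled` with an empty `ConnectionSuffix` is the case from this thread; `Set-DnsClient -InterfaceAlias <name> -ConnectionSpecificSuffix <suffix>` sets the same field as the "DNS Suffix for this connection" box.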
11-07-2016 01:22 PM
You are very welcome and we appreciate your adding the details for others to see.
Best of luck and if you need anything else let us know.
Best regards,
Paul