Wanted to share an issue I have been working on with the new release of iOS6. Not looking to get configuration support, just sharing the observations.
My issue is AnyConnect clients that are on iOS6 fail to use internal DNS servers. After a few hours of testing, I have come to the point that I feel the issue is in the client OS. The end user effect is that if you have an SSL session established the end client cannot resolve internal DNS addresses. Input of the IP directly works, and captures from the ASA show the client asking and getting a response from the correct DNS server.
Downgrading from iOS6 to a lower version, the problem goes away. Upgrading back to iOS6, the problem returns.
Affected testing versions:
AnyConnect Client 2.5.5130
Apple iOS5.4 and iOS6.
Same issue here. You should also try testing with "Scany" from the iTunes store. I can ping hosts by name in "Scany". However, I cannot contact hosts through iOS 6 via FQDN. We are using AnyConnect to secure connections to our Lotus Domino servers for email.
In all my testing the tunnel was configured with split tunneling. I opened a support case with Cisco to confirm that I did not have some issue. After about half an hour the engineer asked if I could test with an iOS device without version 6. As it worked, he was satisfied that the configuration was sound. Suggested I not use iOS6 devices. This is problematic, as last I checked there was no downgrade for my new executive type folks with their shiny new iPhone5's to iOS 5ish.
I will say that as far as I have tested, this indeed looks to be an issue with Apple's first release of 6. I hope that after a few weeks a fix will be realized via an iOS update.
My plan B is to give the boss types my iPhone4 and just not VPN with my shiny new iPhone5!...it could happen......
In my case this only happens when I am connected to the cell carrier network, which is Verizon in my case, either on my iPad 2 or iPhone 5 with iOS 6. When I am connected via wifi the VPN is fine. Also note that sometimes the VPN works just fine on Verizon, almost like it depends on what cell tower I am connected to; the tower next to work doesn't work, the one next to my home works fine most of the time. It's a very strange problem. I have also noticed that Verizon hands out the wrong subnet mask of 255.255.255.255 on the carrier's IP scheme. If you go into the AnyConnect app, under Diagnostics, then System Info, my "Cellular Data" looks like this: IPv4 Address 10.184.19x.xx, IPv4 Subnet Mask 255.255.255.255. DNS servers are my internal ones of 10.3.3.xx and 10.3.3.xx.
Then if I go to http://www.ipchicken.com to check what my external IP is, it's completely different. My external IP is 70.194.13x.xxx
I am also using split tunneling too. Also note that this only affects data that is using the iOS 6 interface, meaning I can use the "Scany" app to ping clients through the VPN just fine. DNS works in that application. So I am assuming that application is using its own interface and not relying on the iOS 6 interface? Again, a very strange problem to have and diagnose.
Message was edited by: Aaron Tyson
For me the iOS6 and the latest AC for iOS has been working mostly fine. Mostly because with the test profile I have been using I noticed some strange behavior caused by the way iOS6 checks network connectivity,
http://appleinsider.com/articles/12/09/19/some_ios_6_users_reportedly_suffering_from_wi_fi_issues, and the fact that I also had a proxy/content filter configured for my test profile. I have enabled roaming between 3G/WiFi and cert based authentication, so this was mostly just annoying.
However, this could be something to check? As well as the proxy settings you might get with the AC. I'll try to find some further details about the "network check" iOS6 has, as I would like to know if that check could be "faked". With a proxy that should be quite trivial in fact.
m'kay. So the page iOS6 uses to test if it is behind a captive portal or if there is no network connectivity at all is
I think I'll play with some two way URL rewrites tomorrow in our proxy and see what happens...
I would like to make sure I was clear. My issues were not with the unit checking to see if access to the intardnet was working or not. The issue was more that if a hostname or FQDN on the tunneled side of the VPN was requested by the end device while a VPN session was up, it did work. In effect the end node would query the internal DNS and the DNS would respond. Then the client promptly did not use this information and would send the request out via the CELL network to the public Internet. This did not happen if I was on WIFI with the same node. This also did NOT happen on older Apple iOS code versions.
I had read about the new features with the portal checking "features". This is the base issue that got Apple in the network spotlight right off the bat with issues on their side. They reach out to a public Apple website to see if things are working, and that was down....So the end node reported that there was no intardnet.
Sounds like you are dealing with another issue. Best of luck on your adventure.
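The behaviour described in the posts above (the client queries the internal resolver, gets an answer, then still sends the connection out over the carrier network) is the kind of thing a capture can confirm without any iOS-side logs. The following script is an added example and is not code from this thread, Cisco, or Apple: it flags DNS queries for internal names that were sent to a resolver other than the VPN-supplied ones, and separately checks whether a resolver address is even covered by the split-tunnel secured routes. The resolver addresses, the `corp.example` suffix, the capture summary lines and the route list are all constructed assumptions, not values from the thread.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Assumed values (not from the thread): the VPN-supplied internal resolvers and
# the DNS suffixes that should only ever be resolved through them.
INTERNAL_RESOLVERS = {"10.3.3.10", "10.3.3.11"}
INTERNAL_SUFFIXES = ("corp.example",)

# Constructed capture summary, one query per line: "<src> > <dst> A? <qname>".
SAMPLE_CAPTURE = """\
10.10.0.5 > 10.3.3.10 A? mail.corp.example
10.10.0.5 > 8.8.8.8 A? mail.corp.example
10.10.0.5 > 8.8.8.8 A? www.apple.com
10.10.0.5 > 10.3.3.11 A? intranet.corp.example
garbage line that does not parse
"""


def parse_query(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (src, dst, qname) for a summary line, or None if it is not a query."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != ">" or parts[3] != "A?":
        return None
    src, dst, qname = parts[0], parts[2], parts[4]
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    return src, dst, qname.rstrip(".").lower()


def is_internal_name(qname: str, suffixes: Iterable[str] = INTERNAL_SUFFIXES) -> bool:
    """True when qname is, or is under, one of the internal DNS suffixes."""
    return any(qname == s or qname.endswith("." + s) for s in suffixes)


def find_leaks(lines: Iterable[str],
               resolvers: Iterable[str] = INTERNAL_RESOLVERS,
               suffixes: Iterable[str] = INTERNAL_SUFFIXES) -> List[Tuple[str, str]]:
    """List (qname, resolver) for internal names sent to a resolver outside the set.

    A hit means the device bypassed the VPN-supplied resolver for a name that
    only the internal DNS can answer, which is exactly the symptom reported."""
    resolver_set = set(resolvers)
    leaks = []
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue  # skip non-query or malformed lines
        _src, dst, qname = parsed
        if is_internal_name(qname, suffixes) and dst not in resolver_set:
            leaks.append((qname, dst))
    return leaks


def resolver_in_tunnel(resolver: str, secured_networks: Iterable[str]) -> bool:
    """With split tunneling, a resolver is only reachable through the VPN when
    some secured route covers it; otherwise queries to it ride the carrier path."""
    addr = ipaddress.ip_address(resolver)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in secured_networks)


if __name__ == "__main__":
    for qname, dst in find_leaks(SAMPLE_CAPTURE.splitlines()):
        print(f"internal name {qname} queried via non-VPN resolver {dst}")
    print(resolver_in_tunnel("10.3.3.10", ["10.0.0.0/8"]))        # True
    print(resolver_in_tunnel("10.3.3.10", ["192.168.50.0/24"]))   # False
```

On a real capture you would feed it the summary lines from the ASA-side or a wifi-side capture of the device; a leak entry for an internal name is the observation the thread describes, and `resolver_in_tunnel` returning False for a VPN-supplied resolver means the split-tunnel network list itself would send DNS outside the tunnel regardless of the client OS.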
After further testing I am convinced that this is an iOS 6 issue AND a cell carrier issue, simply because I can connect to my wifi router from home going through Comcast just fine. To me it seems like a subnet / DNS / split tunnel issue. Also, I am using certificates to authenticate the SSL VPN tunnel. I just wish I could have more log data from the iOS side of this issue to verify the problem. Anyone know how to view logs in iOS 6?
I have a client who's experiencing the same issue. It doesn't look like the device is using AnyConnect-supplied DNS servers. This appears to only happen on 3G, as I don't have this issue on WiFi (tested from a couple of different WiFi locations).
They are not using split-tunnels (all traffic is sent over the VPN).
Tonight Apple released an iOS update. This update did not resolve the issues we are experiencing here with the client device not receiving proper DNS traffic when you are connected through your cell carrier. If you are on wifi via Comcast, as an example, the client works fine.
Another thing you should check on the AnyConnect app is this. Go to the Diagnostics tab, then System Information. Notice the cellular data IP address and subnet mask is different from what your real external IP address is. That 10.x.x.x is a private IP range, and either the AnyConnect software or the ASA is blocking those private IPs? Again, I am simply guessing here, also because the VPN tunnel eventually works sometimes on the cell carrier connection...
As of the newest App Store client release 3.0.090967(?), bug CSCts89292 was supposed to be fixed. My testing shows that the issue is still present. Anyone else agree/disagree?
Yes, the issue is still there because it's an Apple iOS issue and not a Cisco AnyConnect issue.
Apple DOES have a fix for it in a BETA of 6.0.x. However, it has NOT been released as of yet.
Read more here.
Message was edited by: Aaron Tyson
It does actually appear to solve the problem for me. I think there are actually two related problems, and this update only solves one of them...