Anyconnect DNS not working

carl_townshend
Spotlight

Hi All

Yesterday we put in a new ASA with AnyConnect; the config is the same as on the old ASA firewall, which seemed to work fine.

We can connect with AnyConnect, and we can ping things by IP, which shows the DAP policy is OK as well as the routing, but we cannot do any DNS lookups or reach anywhere by DNS name.

What are the likely causes of this issue and where should I look?

cheers

5 Replies

Cristian Matei
VIP Alumni

Hi,

1. What is the hardware model and software version of the VPN headend? What version of AnyConnect are you using?

2. Do you use split-tunnelling or not? What is your split-tunnel-dns config in the group-policy? Can you post the group-policy configuration? Also post the output of "ifconfig /all" from a Windows machine while AnyConnect is actively connected. Also, what secure routes do you get? Look in the AnyConnect GUI.

Regards,
Cristian Matei.

Hi, there is only a split tunnel for the traffic, which covers the whole of our network; there is no split tunnel setting for DNS.

We can see on the client that both DNS servers assigned by the policy point to the first hop address in the pool which looks correct.

The software is ASAv50, version 9-12-3.

AnyConnect client version 4.6.04054.

Once you are connected to the VPN using AnyConnect, are you able to resolve any domain with nslookup (e.g. cisco.com)?

If that resolution fails, you may have DNS correctly assigned by DHCP; you should also have a policy so that the VPN IP addresses are able to reach your local DNS server to query the same.

BB


Hi,

1. Confirm that the AnyConnect client, once connected, has IP connectivity with the DNS servers pushed from the VPN headend (ping and nslookup work). If not, check routing, NAT exemptions, and the VPN filter.

2. Open a browser to generate DNS resolution and perform a packet capture on the end client to see whether it sends DNS requests towards the correct DNS servers.

Regards,

Cristian Matei.
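The two checks in this reply, as an added example that is not part of the thread and not a Cisco tool: a small Python script that builds a raw DNS A query, sends it over UDP/53 to each DNS server the headend pushed to the client, and reports per server whether a reply came back. A timeout from a server you can otherwise ping points at routing, NAT exemption or VPN-filter problems on the path to port 53; a reply with a non-zero RCODE means the packet reached a resolver but the resolver rejected the name. The server addresses in `PUSHED_DNS_SERVERS` and the embedded `SAMPLE_RESPONSE` bytes are constructed for illustration; run the script with your own pushed servers while AnyConnect is connected, and compare its sends with what the client-side packet capture from step 2 shows.

```python
import random
import socket
import struct

# Constructed placeholders: replace with the servers shown by "ipconfig /all" on the VPN adapter.
PUSHED_DNS_SERVERS = ["192.0.2.10", "192.0.2.11"]

# Constructed sample: a reply to txid 0x1234 for example.com with one A record (93.184.216.34).
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: response, RD+RA, 1 question, 1 answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"               # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"     # answer: name pointer, A, IN, TTL 300, 4 bytes
    b"\x5d\xb8\xd8\x22"                                     # rdata: 93.184.216.34
)


def build_query(name, txid):
    """Build a minimal RFC 1035 A/IN query with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(data, offset):
    """Read a (possibly compressed) name; return (name, offset after the name field)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer (2 bytes)
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data, expected_txid):
    """Return (rcode, list_of_A_addresses); refuse replies whose txid does not match ours."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: not a reply to our query")
    rcode, offset = flags & 0x000F, 12
    for _ in range(qd):                               # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    addrs = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return rcode, addrs


def query_server(server, name, timeout=2.0):
    """Send one UDP query to `server`:53 and classify the outcome."""
    txid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        # Nothing came back: the packet or the reply is being dropped somewhere on the path.
        return {"server": server, "status": "timeout", "addresses": []}
    except OSError as exc:
        return {"server": server, "status": "error: %s" % exc, "addresses": []}
    finally:
        sock.close()
    rcode, addrs = parse_response(data, txid)
    return {"server": server, "status": "ok" if rcode == 0 else "rcode %d" % rcode, "addresses": addrs}


def check_servers(servers, name="cisco.com"):
    """Probe every pushed DNS server and return one result dict per server."""
    return [query_server(s, name) for s in servers]


if __name__ == "__main__":
    for result in check_servers(PUSHED_DNS_SERVERS):
        print(result)
```

Reading the output alongside a client-side capture tells the two failure modes apart: if the capture shows the query leaving on the VPN adapter but this script reports a timeout, the drop is on the headend side (NAT exemption, VPN filter or the return route); if the capture shows no query at all, the client is not even trying those servers.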

This is now solved: we used a newer version of AnyConnect and it is now working.
