Yesterday we put in a new ASA with Anyconnect, the config is the same as the old ASA firewall which seemed to work fine.
We can connect on Anyconnect, we can ping things by IP which shows the DAP policy is OK as well as the routing, but we can not do any DNS look ups or reach anywhere by DNS name.
What are the likely causes of this issue and where should I look?
1. What is the hardware model and software version of the VPN headend? What version of AnyConnect are you using?
2. Do you use split-tunnelling or not? What is your split-tunnel-dns config in the group-policy? Can you post the group-policy configuration? Also post the output of "ifconfig /all" from a Windows machine when AnyConnect is actively connected. Also, what secure routes do you get? Look in the AnyConnect GUI.
Hi, there is only a split tunnel for the traffic which is the whole of our network, there is no split tunnel setting in DNS.
We can see on the client that both DNS servers assigned by the policy point to the first hop address in the pool which looks correct.
The software is ASAv50 version 9-12-3
Anyconnect client version 4.6.04054
Once you have connected to the VPN using AnyConnect, are you able to resolve any domain with nslookup (e.g. cisco.com)?
If that resolution fails, you may have DNS correctly assigned by DHCP, but you should also have a policy so that the VPN IP addresses are able to reach your local DNS server to query it.
1. Confirm that the AnyConnect client, once connected, has IP connectivity with the DNS servers pushed from the VPN headend (ping and nslookup work). If not, check routing, NAT exemptions, and the VPN filter.
2. Open up a browser to generate DNS resolution and perform a packet capture on the end client to see if it sends DNS requests towards the correct DNS servers.
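As an added example (not posted by anyone in this thread), a small Python check that covers the split-tunnel question above and step 1 of the last reply: it pulls the pushed DNS servers out of the AnyConnect adapter's ipconfig /all block and tests whether each one falls inside the secured routes shown in the AnyConnect GUI. The ipconfig text, addresses and routes are constructed sample values, not from the original post.

```python
import ipaddress
import re

# Constructed sample of the AnyConnect adapter block from "ipconfig /all".
# Addresses are illustrative only; they are not from the thread.
SAMPLE_IPCONFIG = """
Ethernet adapter Ethernet 2:
   Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
   IPv4 Address. . . . . . . . . . . : 10.200.0.5(Preferred)
   DNS Servers . . . . . . . . . . . : 10.10.1.53
                                       172.16.0.53
   Connection-specific DNS Suffix  . : example.internal
"""

# Constructed secured routes, as listed in the AnyConnect GUI (split-tunnel ACL).
SAMPLE_SECURED_ROUTES = ["10.10.0.0/16", "192.168.50.0/24"]


def parse_dns_servers(ipconfig_text):
    """Return the IPv4 DNS servers listed under 'DNS Servers' in ipconfig /all output."""
    servers = []
    lines = ipconfig_text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"\s*DNS Servers[ .]*: *(\S+)", lines[i])
        if m:
            servers.append(m.group(1))
            i += 1
            # Additional servers follow on indented lines that carry only an address.
            while i < len(lines) and re.match(r"^\s+(\d+\.){3}\d+\s*$", lines[i]):
                servers.append(lines[i].strip())
                i += 1
            continue
        i += 1
    return servers


def check_dns_reachable_via_tunnel(dns_servers, secured_routes):
    """Map each DNS server to True if some secured route covers it, else False.

    A pushed DNS server outside every secured route is queried over the local
    interface rather than the tunnel, so internal names fail to resolve even
    though tunneled IPs still answer pings.
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in secured_routes]
    return {s: any(ipaddress.ip_address(s) in n for n in nets) for s in dns_servers}


if __name__ == "__main__":
    result = check_dns_reachable_via_tunnel(parse_dns_servers(SAMPLE_IPCONFIG), SAMPLE_SECURED_ROUTES)
    for server, covered in result.items():
        print(f"{server}: {'inside' if covered else 'OUTSIDE'} secured routes")
```

In the sample, the second server is outside the secured routes, which is the situation to look for when a packet capture shows DNS queries leaving the physical adapter instead of the tunnel.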