AnyConnect Issue with Personal W10 Computers Accessing Network Resources

BlueDog
Level 1

Due to the current quarantine, my organization has allowed employees to install AnyConnect on their personal computers for work from home. We have now received numerous reports about users unable to access network resources over the VPN (or even use Outlook or Zoom over VPN, but these services work when disconnected from VPN). This issue seems to strictly be seen on personal Windows devices that are NOT on our domain. A new discovery has shown that the user cannot perform a ping on a particular server using its FQDN, but it can ping the server when using its IP address. In this particular case, our help desk ran an nslookup query on the server and then they discovered the user could contact the server (without making any actual changes to the machine, VPN, or server). Any ideas? I appreciate the help.

8 Replies

Hi,

It sounds like the users are not receiving a DNS server; can you check the configuration of the tunnel-group/connection profile they connect to upon logon? Example:

group-policy GP-1 attributes
dns-server value 192.168.10.5

Is split-tunnel configured for these users? Or do you intend to route their internet traffic through the VPN and access the internet from the main site?


HTH

Hi,

We use a split tunnel.

Below is part of the config you are asking for (with any identifiers removed):

group-policy VPN internal
group-policy VPN attributes
wins-server value x.x.x.x
dns-server value x.x.x.x y.y.y.y
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value domain.com
split-tunnel-all-dns enable

The DNS server values are configured to use the correct IP addresses.

I've now also discovered a few company owned W10 machines using our domain having this issue as well. It still appears to be exclusive to Windows. One client machine began working last night after removing it from the docking station and rebooting it. Other devices experiencing this issue aren't using a dock and the same solution doesn't seem to work.

Cristian Matei
VIP Alumni

Hi,

    1. Do you use split-tunnelling or full-tunnelling? Based on this, other settings may be needed.

    2. You would need to ensure that DNS servers are configured in the group-policy, in order to be pushed over to the AnyConnect client upon successful connection. If you use split-tunnelling, traffic for these DNS servers needs to go through the tunnel, allowed by your split-tunnelling policy. Also, in order to resolve DNS names without having to type in the complete FQDN, you would configure your group-policy to push over a domain name for the AC connection, and this would be your domain name.

group-policy TEST attributes
 dns-server value 1.1.1.1 2.2.2.2
 default-domain value mydomain.com

Regards,

Cristian Matei.

Hi,

   Have you been using the above posted settings already before you opened the thread here? If so, try the following changes:

group-policy VPN attributes
 wins-server value x.x.x.x
 dns-server value x.x.x.x y.y.y.y
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value domain.com
 split-tunnel-all-dns disable
 split-dns value xyz.com abc.com wer.com (your internal domains that need to be resolved over the tunnel)

Regards,

Cristian Matei.

Larry Sullivan
Level 3
1.) Get the output of ipconfig /all from one of the problem machines. What's the DNS?
2.) Temp workaround would be for end users to manually configure DNS to your internal DNS.
But yes, the issue seems to be internal DNS is not being passed along to remote machines as others mentioned.
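Added example (not from any poster in this thread): a small offline check that combines the two suggestions above. It parses a constructed group-policy, a constructed split-tunnel ACL and a constructed ipconfig /all excerpt from the AnyConnect adapter, and reports whether the pushed DNS servers were applied on the client and whether they are actually reachable through the tunnel under the split-tunnel list. All addresses, the ACL name and the adapter text are assumptions built for the example.

```python
import ipaddress
import re

# Constructed sample group-policy, in the shape posted in the thread (not a real config).
GROUP_POLICY = """group-policy VPN attributes
 dns-server value 10.10.10.5 10.10.10.6
 default-domain value domain.com
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
"""
# Constructed split-tunnel ACL; the DNS subnet 10.10.10.0/24 is deliberately missing.
SPLIT_ACL = """access-list split-tunnel standard permit 10.20.0.0 255.255.0.0
access-list split-tunnel standard permit 192.168.50.0 255.255.255.0
"""
# Constructed ipconfig /all excerpt for the AnyConnect adapter on a problem machine.
IPCONFIG = """Ethernet adapter Ethernet 2:
   Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
   Connection-specific DNS Suffix  . : domain.com
   IPv4 Address. . . . . . . . . . . : 10.99.0.23(Preferred)
   DNS Servers . . . . . . . . . . . : 10.10.10.5
                                       10.10.10.6
"""

def pushed_dns(policy):
    """DNS servers the group-policy pushes to the AnyConnect client."""
    m = re.search(r"^\s*dns-server value (.+)$", policy, re.M)
    return m.group(1).split() if m else []

def split_networks(acl):
    """Networks the split-tunnel ACL sends through the tunnel (address/netmask form)."""
    return [ipaddress.ip_network(f"{net}/{mask}") for net, mask in re.findall(r"permit (\S+) (\S+)", acl)]

def client_dns(ipconfig):
    """DNS servers actually set on the adapter: first value plus indented continuation lines."""
    m = re.search(r"DNS Servers[ .]*: (\S+)\n((?:\s+\d+\.\d+\.\d+\.\d+\s*\n)*)", ipconfig)
    return [m.group(1)] + m.group(2).split() if m else []

def find_dns_problems(policy, acl, ipconfig):
    """Findings that explain 'ping by IP works, ping by FQDN fails' for a split-tunnel user."""
    findings = []
    expected, got, nets = pushed_dns(policy), client_dns(ipconfig), split_networks(acl)
    for srv in expected:
        if srv not in got:
            findings.append(f"{srv}: pushed by group-policy but not applied on the AnyConnect adapter")
        elif not any(ipaddress.ip_address(srv) in n for n in nets):
            findings.append(f"{srv}: applied, but not in split-tunnel ACL so DNS queries leave via the local NIC")
    return findings

if __name__ == "__main__":
    print("\n".join(find_dns_problems(GROUP_POLICY, SPLIT_ACL, IPCONFIG)) or "no DNS findings")
```

With the sample data both DNS servers are applied on the client but neither is covered by the split-tunnel ACL, so the check reports two findings; adding a permit for 10.10.10.0/24 clears them.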

ranilf2005
Level 1

Some areas to check and TS:

1. Local user setup and configuration
2. VPN Split-tunnel Configuration
3. Routing (Sync/Async, etc.)
4. Local Firewall, AV configurations
5. Group policy

Ranil Fernando