03-30-2020 01:33 PM
Due to the current quarantine, my organization has allowed employees to install AnyConnect on their personal computers for work from home. We have now received numerous reports about users unable to access network resources over the VPN (or even use Outlook or Zoom over VPN, but these services work when disconnected from VPN). This issue seems to strictly be seen on personal Windows devices that are NOT on our domain. A new discovery has shown that the user cannot perform a ping on a particular server using its FQDN, but it can ping the server when using its IP address. In this particular case, our help desk ran an nslookup query on the server and then they discovered the user could contact the server (without making any actual changes to the machine, VPN, or server). Any ideas? I appreciate the help.
03-30-2020 01:41 PM
Hi,
It sounds like the users are not receiving a DNS server. Can you check the configuration of the tunnel-group/connection profile they connect to upon logon? Example:
group-policy GP-1 attributes
dns-server value 192.168.10.5
Is split-tunnel configured for these users? Or do you intend to route their internet traffic through the VPN and access the internet from the main site?
HTH
03-31-2020 10:21 AM - edited 03-31-2020 10:33 AM
Hi,
We use a split tunnel.
Below is part of the config you are asking for (with any identifiers removed):
group-policy VPN internal
group-policy VPN attributes
wins-server value x.x.x.x
dns-server value x.x.x.x y.y.y.y
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value domain.com
split-tunnel-all-dns enable
The DNS server values are configured to use the correct IP addresses.
03-31-2020 12:51 AM
Hi,
1. Do you use split-tunnelling or full-tunnelling? Based on this, other settings may be needed.
2. You would need to ensure that DNS servers are configured in the group-policy, in order to be pushed over to the AnyConnect client upon successful connection. If you use split-tunnelling, traffic for these DNS servers needs to go through the tunnel, allowed by your split-tunnelling policy. Also, in order to resolve DNS names without having to type in the complete FQDN, you would configure your group-policy to push over a domain name for the AC connection, and this would be your domain name.
group-policy TEST attributes
dns-server value 1.1.1.1 2.2.2.2
default-domain value mydomain.com
Regards,
Cristian Matei.
03-31-2020 11:27 AM
Hi,
Have you been using the above posted settings already before you opened the thread here? If so, try the following changes:
group-policy VPN attributes
wins-server value x.x.x.x
dns-server value x.x.x.x y.y.y.y
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value domain.com
split-tunnel-all-dns disable
split-dns value xyz.com abc.com wer.com (your internal domains that need to be resolved over the tunnel)
Regards,
Cristian Matei.
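The replies above boil down to a few checks on the group-policy: DNS servers are pushed, those servers are reachable through the split tunnel, a default-domain is set, and either split-tunnel-all-dns is enabled or split-dns lists the internal domains. The script below is an added example, not code from this thread or from Cisco: it parses a group-policy block in `show running-config` form (attribute lines indented by one space) and reports which of those conditions fail. The configs, the `VPN` policy name and the split-tunnel network list entries are constructed sample data, with RFC 5737 addresses standing in for the x.x.x.x values in the thread.

```python
import ipaddress

# Constructed sample: the shape of the group-policy posted in the thread,
# with "split-tunnel-all-dns enable" and a split-tunnel list that does not
# cover the DNS servers. Attribute lines are indented as in show running-config.
SAMPLE_CONFIG = """\
group-policy VPN internal
group-policy VPN attributes
 wins-server value 192.0.2.10
 dns-server value 192.0.2.10 192.0.2.11
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value example.com
 split-tunnel-all-dns enable
"""
SAMPLE_SPLIT_ACL = ["10.0.0.0 255.0.0.0"]  # constructed: "network mask" entries

# Constructed sample: the variant suggested in the reply above (all-dns off,
# split-dns listing internal domains) with the DNS subnet in the split list.
FIXED_CONFIG = """\
group-policy VPN attributes
 dns-server value 192.0.2.10 192.0.2.11
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value example.com
 split-tunnel-all-dns disable
 split-dns value example.com corp.example
"""
FIXED_SPLIT_ACL = ["10.0.0.0 255.0.0.0", "192.0.2.0 255.255.255.0"]


def parse_group_policy(text, name):
    """Return {attribute: [values]} for the 'group-policy <name> attributes' block."""
    attrs = {}
    inside = False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            # Top-level line: we are inside the block only right after its header.
            inside = raw.strip() == f"group-policy {name} attributes"
            continue
        if not inside:
            continue
        tokens = raw.split()
        values = tokens[1:]
        if values and values[0] == "value":  # "dns-server value a b" -> [a, b]
            values = values[1:]
        attrs[tokens[0]] = values
    return attrs


def lint_group_policy(attrs, split_acl):
    """Apply the DNS checks from the thread; return a list of finding strings."""
    findings = []
    dns = attrs.get("dns-server", [])
    if not dns:
        findings.append("no dns-server: clients keep using their home resolver")
    policy = attrs.get("split-tunnel-policy", ["tunnelall"])[0]
    if policy == "tunnelspecified":
        nets = [ipaddress.ip_network(e.replace(" ", "/"), strict=False) for e in split_acl]
        for server in dns:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                findings.append(f"dns-server '{server}' is not a valid IP address")
                continue
            if not any(ip in n for n in nets):
                findings.append(f"dns-server {server} is not in the split-tunnel list, "
                                "so queries to it bypass the tunnel")
        all_dns = attrs.get("split-tunnel-all-dns", ["disable"])[0]
        if all_dns == "enable":
            findings.append("split-tunnel-all-dns enable: every DNS query, public names "
                            "included, is sent to the tunnel DNS servers")
        elif not attrs.get("split-dns"):
            findings.append("split-tunnel-all-dns disabled and no split-dns domains: "
                            "internal names go to the local resolver")
    if not attrs.get("default-domain"):
        findings.append("no default-domain: short host names get no internal suffix")
    return findings


if __name__ == "__main__":
    for label, cfg, acl in (("sample", SAMPLE_CONFIG, SAMPLE_SPLIT_ACL),
                            ("fixed", FIXED_CONFIG, FIXED_SPLIT_ACL)):
        print(f"[{label}]")
        for f in lint_group_policy(parse_group_policy(cfg, "VPN"), acl) or ["no findings"]:
            print("  -", f)
```

The split-tunnel list is passed separately because on the ASA it lives in an access-list, not in the group-policy; paste the `network mask` entries from that ACL. The "all-dns enable" finding is informational: that setting works as long as the pushed DNS servers can also resolve public names for the home user, which is the case the original poster should confirm.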
03-31-2020 06:07 PM
Some areas to check and troubleshoot:
1. Local user setup and configuration
2. VPN Split-tunnel Configuration
3. Routing (Sync/Async, etc.)
4. Local Firewall, AV configurations
5. Group policy