04-05-2024 03:48 AM
Hi,
Long shot here, but has anyone been able to configure a MGMT VPN and have DNS working?
I found a similar post 3 years ago but no responses on it and I am having the same issue.
Followed this guide and the MGMT VPN successfully connects.
ASA version asa9-14-4-23
AnyConnect - tried 3-4 versions and same issue on all of them.
I am only bringing one server across the VPN.
Route print shows the AnyConnect pool and that server being sent down the tunnel.
All other traffic routes out of the main interface adapter. However, DNS stops working. I can ping the local DNS server but I cannot nslookup or ping FQDNs: "*** UnKnown can't find google.ie: Query refused". I am not bringing any DNS settings down from the AnyConnect connection as I don't need them; communication will be via IP address.
The minute I disable AnyConnect, DNS works again.
Gary
04-05-2024 11:49 PM
When experiencing DNS issues with your MGMT VPN on a Cisco ASA, ensure that DNS settings are correctly configured in the ASA and not overriding local settings. Check the group policy for DNS configurations, and confirm that your split tunneling setup properly excludes DNS traffic if that’s your intent. Experiment by manually setting a static DNS on your system to isolate whether the issue is with DNS routing or server settings. Utilize ASA's debugging tools and logs to track DNS requests and potential blocks. Ensure both your ASA firmware and AnyConnect client are updated to potentially resolve DNS-related bugs. If issues persist, consider consulting Cisco support for detailed troubleshooting.
04-08-2024 02:25 AM
I am not actually bringing across any DNS settings on the profile. No DNS name, no DNS servers etc.
If I do set up DNS servers on the Profile and Group Policy, DNS works, but it sends all DNS requests down the tunnel rather than locally. I do not want this to happen; I want all DNS requests to go to the local DNS server.
It's like when the MGMT tunnel is connected it's taking control of the DNS requests for some reason.
Split tunneling is set up to only send 1 IP address down the AnyConnect connection. Route print on the machine is showing that server being sent to the AnyConnect adapter, everything else locally. But DNS requests seem to be going to the AnyConnect adapter for some reason. Pings and TCP connections go locally as they are supposed to.
04-06-2024 12:33 AM
Do you use split-tunnel-policy tunnelall?
If yes, then try split-tunnel-policy excludespecified and specify your local DNS IP as excluded from the tunnel.
Try the above.
MHM
04-08-2024 02:17 AM
I am not tunnelling all.
Split tunnel setup to only include 1 IP address and that is working fine.
04-08-2024 02:23 AM
What is the OS of the PC, Windows or macOS?
MHM
04-08-2024 02:27 AM
Windows 10 Pro
04-08-2024 02:47 AM
On the PC, try HTTP to any website (don't use nslookup), then capture the traffic on the ASA:
capture DNS interface IN match ip host <AnyConnect private IP> host <DNS server>
show capture DNS
Share the capture here.
MHM
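The client-side half of this troubleshooting (which adapter Windows prefers for DNS, which route it uses to reach the local DNS server, and whether a query aimed directly at that server succeeds while default resolution fails) can be checked with the script below. This is an added example, not code from the thread or from Cisco; the local DNS server address 192.168.1.10, the test name google.ie and the adapter name pattern "AnyConnect" are assumptions to be changed to match the environment.

```powershell
# Added diagnostic script, not from the original thread. Assumptions (edit to
# match your environment): the LAN DNS server is 192.168.1.10 and the VPN
# adapter's alias contains "AnyConnect".
param(
    [string]$LocalDns = '192.168.1.10',
    [string]$TestName = 'google.ie',
    [string]$VpnAdapterPattern = 'AnyConnect'
)

# 1. Connected IPv4 adapters with their interface metric and DNS servers.
#    When several adapters carry DNS servers, the resolver tries the adapter
#    with the lowest metric first, so this shows which server Windows is
#    actually asking.
Write-Host "== Adapters, metrics and configured DNS servers =="
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object ConnectionState -eq 'Connected' |
    Sort-Object InterfaceMetric |
    ForEach-Object {
        $dns = (Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex `
                    -AddressFamily IPv4).ServerAddresses
        '{0,-40} metric {1,-5} DNS: {2}' -f $_.InterfaceAlias, $_.InterfaceMetric, ($dns -join ', ')
    }

# 2. Everything the route table sends to the VPN adapter (the PowerShell
#    equivalent of the "route print" check in the thread). The LAN DNS server
#    must NOT appear here if queries to it are supposed to stay local.
Write-Host "`n== Routes pointing at the VPN adapter =="
Get-NetRoute -AddressFamily IPv4 |
    Where-Object InterfaceAlias -like "*$VpnAdapterPattern*" |
    Format-Table DestinationPrefix, NextHop, RouteMetric, InterfaceAlias -AutoSize

# 3. The exact interface Windows would use to reach the LAN DNS server.
#    Find-NetRoute returns the source address object first and the matching
#    route second, so the last object is the route.
Write-Host "`n== Route selected for $LocalDns =="
Find-NetRoute -RemoteIPAddress $LocalDns |
    Select-Object -Last 1 |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias -AutoSize

# 4. Name Resolution Policy Table rules. AnyConnect split-DNS settings and
#    other policies show up here and can redirect queries per domain.
Write-Host "`n== Effective NRPT rules (empty if none) =="
Get-DnsClientNrptPolicy -Effective | Format-Table Namespace, NameServers -AutoSize

# 5. Query the LAN DNS server directly, bypassing the resolver's adapter
#    choice. A REFUSED/SERVFAIL here, while ICMP to the same host works,
#    means UDP/53 to that server is being answered by something other than
#    the server itself.
Write-Host "`n== Direct query: $TestName via $LocalDns =="
try {
    Resolve-DnsName -Name $TestName -Server $LocalDns -Type A -DnsOnly -ErrorAction Stop |
        Format-Table Name, Type, IPAddress -AutoSize
} catch {
    Write-Host "FAILED: $($_.Exception.Message)"
}

# 6. Default resolution, i.e. whatever adapter and server the resolver picks.
#    Direct query OK but default FAILED points at adapter/metric/NRPT
#    selection rather than at the DNS server.
Write-Host "`n== Default resolution: $TestName =="
try {
    Resolve-DnsName -Name $TestName -Type A -DnsOnly -ErrorAction Stop |
        Format-Table Name, Type, IPAddress -AutoSize
} catch {
    Write-Host "FAILED: $($_.Exception.Message)"
}
```

Run it once with the VPN disconnected and once connected and diff the two outputs; the sections that change (adapter metrics, the route chosen for the DNS server, NRPT rules, or only the default-resolution result) narrow the problem to routing, resolver selection, or the client intercepting port 53, which is the same split the reply above is trying to make with the ASA-side capture.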