Thanks Portu,

I checked our config & I see this in our DfltGrpPolicy, but not under the one our users connect in via.  Those only have the

"default-domain value company.com"

I suspect for our case we'd add "

"split-dns value company.com"

as that's where about 95% of our DNS entries exist.  Typically the computers will eventually try that value, but I suspect it's not proceeding through the suffix list as the Home ISP DNS service is providing an IP.

I'll post back after we try this out.

~Jason

Thanks for the quick response.

I would suggest this instead:

group-policy specific_group_policy attributes

     split-dns value  company.com ad.domain.com

!

You can add more if needed.

Keep me posted.

I was looking around & noticed that myself too. We have 5 or 6 internal AD domain names so I'll add them all during our test.  We are set to inherit from the Default policy, but that policy only has the root DNS name in the list. If this works, I'll update the default instead of all the individual policies.

Hoping to test with the user tomorrow.

Great!

Hope to hear good news from you tomorrow

Found a different user and tried this out with no luck. I added in all the domains to the split-dns list and it's still failing. This user doesn't have wireshark running, but we were seeing the same IP come back from a ping test.

One of the domains in the users suffix list is our standard domain, but it's the 6th one out of 7 listed.

This used to work for us on the old VPN Client software, but the ASA seems to have so many other features, I'm not finding the right one for this.

Here's a snip of our config. I tried adding the split-dns list to the Default too, with no luck, and also removing the domain name from the user Policy & let it inherit too, with no luck:

group-policy DfltGrpPolicy attributes

wins-server value 192.168.197.36 192.168.197.30

dns-server value 192.168.197.30 192.168.197.36

vpn-session-timeout 2880

vpn-tunnel-protocol ssl-client ssl-clientless

group-lock value DefaultWEBVPNGroup

ipsec-udp enable

ipsec-udp-port 22847

split-tunnel-policy tunnelspecified

split-tunnel-network-list value HomeSubnets

default-domain value company.com

split-dns value americas.ad.company.com emea-aspac.ad.company.com dmz.ad.company.com asp.ad.company.com ad.company.com company.com oldcompanyname.com

smartcard-removal-disconnect disable

webvpn

  anyconnect mtu 1200

  anyconnect profiles value CompanyVPNProfile type user

  anyconnect ask none default anyconnect

  anyconnect ssl df-bit-ignore enable

!

!Here's the user profile

!

group-policy CompanyVPN internal

group-policy CompanyVPN attributes

wins-server value 192.168.197.36 192.168.197.30

dns-server value 192.168.197.30 192.168.197.36

vpn-tunnel-protocol ssl-client ssl-clientless

ip-comp disable

group-lock value CompanyVPN

split-tunnel-policy excludespecified

split-tunnel-network-list value HomeSubnets

split-dns value americas.ad.company.com emea-aspac.ad.company.com dmz.ad.company.com asp.ad.company.com ad.company.com company.com oldcompanyname.com

address-pools value UserVPNPool

webvpn

  anyconnect ssl compression none

  always-on-vpn profile-setting

!

!

!HomeSubnets ACL, the user who tested today has a home subnet of 192.168.1.x, the user w/ wireshark is 192.168.11.x

!

access-list HomeSubnets standard permit 192.168.0.0 255.255.255.0

access-list HomeSubnets standard permit 192.168.1.0 255.255.255.0

access-list HomeSubnets standard permit 10.0.0.0 255.255.255.0

access-list HomeSubnets standard permit 192.168.8.0 255.255.255.0

access-list HomeSubnets remark another home subnet

access-list HomeSubnets standard permit 192.168.2.0 255.255.255.0

Hi Jason,

Checking your configuration I found:

dns-server value 192.168.197.30 192.168.197.36

!

access-list HomeSubnets standard permit 192.168.0.0 255.255.255.0

access-list HomeSubnets standard permit 192.168.1.0 255.255.255.0

access-list HomeSubnets standard permit 10.0.0.0 255.255.255.0

access-list HomeSubnets standard permit 192.168.8.0 255.255.255.0

access-list HomeSubnets remark another home subnet

access-list HomeSubnets standard permit 192.168.2.0 255.255.255.0

!

Please make the following changes:

access-list HomeSubnets standard permit host 192.168.197.30

access-list HomeSubnets standard permit host 192.168.197.36

!

You will also need to add these two hosts to the NAT exempt rule.

In summary:

The DNS servers are not included in the SPLIT ACL. Please add them and adjust the NAT rules.

Thanks.

Portu.

Please rate any helpful posts.

Well that HomeSubnets is used for those who wish to enable local LAN access when they VPN in, if not we are going to tunnel all of their traffic.  hosts 192.168.197.30 & 192.168.197.36 exist on the ASA / corporate side of the VPN so we don't want them to be excluded from tunneling.  I was able to get a wireshark capture yesterday but the forum site here was down when I went to post.

Here we can see the user is trying to do a lookup when they just ping  "othersites" which has an internal DNS entry provided by 192.168.197.30  or .36 with the IP 192.168.10.247.

This wireshark shows the computer stepping through 2  Domain Suffixes against the VPN provided DNS servers, then trying 3  suffixes against their home subnet DNS server, then it goes back, does 3  more against the VPN provided, 1 more on the home subnet, then finally  makes it down the list to the one which properly resolves from the VPN  provided DNS server.

My temporary fix was to have the  user change their Cable Modem / Router to use non-ISP provided DNS  servers. it seems their home ISP basically returns any query so the user  could be redirected to their search page. (Cox is the provider in  question).

We would like to get this resolved though to  help with the numerous other users including those who may not have  control of their upstream DNS servers such as someone at a hotel.

I  can provide more config if that helps too, but looking at this  wireshark capture, it seems the computer is misbehaving by trying the  home ISP DNS server before exhausting the options provided by the ASA /  Anyconnect.

Thoughts?

Jason,

Have you tried an "ipconfig /flushdns" while connected?

Thanks.

yep, we were trying that too, before every ping attempt, and we were disconnecting / reconnecting AnyConnect when making changes. I'll probably open a TAC case on this as it's been affecting a number of users and it's starting to become an issue for some with legacy applications that have the shortnames configured within them instead of the FQDN.

Hi Jason,

Have you tried with tunneall?

Indeed a TAC case is a good option, open one and ask for my assistance, I will be glad to help you further.

Thanks.

Portu