AnyConnect VPN client DNS

Ben.Levin
Level 1

I am seeing some AnyConnect clients resolving to their local DNS instead of the ASA assigned DNS servers.  We have no split tunneling enabled and are forcing AnyConnect clients to use our internal DNS servers (the TAC verified this in our config).  All client traffic is forced into our network and then out our Internet connections.  On our Internet firewall, we see VPN client addresses going out our Internet connection to resolve against public DNS servers (Comcast, etc.), which we do not want to permit.  Has anyone seen this and is there a way to prevent it?

Thanks.

6 Replies

Have you confirmed that the PCs do not have manually assigned DNS servers?

I know TAC has looked at your config, but could you post a scrubbed config for us to take a look at?

--

Please remember to select a correct answer and rate helpful posts

I'm still trying to get access to one of the PCs that is exhibiting the behavior but will definitely check that.  If a PC has manually assigned DNS on its wired or wireless NIC, would that override the DNS servers assigned by the ASA?

Here is the config.

access-list DNS_FIX standard permit host 169.254.1.1
ip local pool POOL 10.10.10.10-10.10.10.250 mask 255.255.255.0
ip verify reverse-path interface outside
nat (inside,any) source static any any no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 20 set ikev2 ipsec-proposal AES256-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
no crypto isakmp nat-traversal
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 5 2
 prf sha256
 lifetime seconds 86400
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 36876
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 dhe-aes128-sha1 dhe-aes256-sha1 rc4-sha1
ssl trust-point TrustPoint_Outside_08052014 outside vpnlb-ip
ssl trust-point TrustPoint_Outside_08052014 outside
ssl trust-point TrustPoint_Inside inside
webvpn
 enable outside
 csd image disk0:/csd_3.6.6249-k9.pkg
 csd hostscan image disk0:/hostscan_3.1.04063-k9.pkg
 csd enable
 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05170-k9.pkg 3 regex "Intel Mac OS X"
 anyconnect image disk0:/anyconnect-linux-3.1.04066-k9.pkg 4
 anyconnect profiles profile1 disk0:/profile1.xml
 anyconnect enable
group-policy DfltGrpPolicy attributes
 dns-server value 10.20.2.200 10.20.3.200
 vpn-idle-timeout 240
 vpn-session-timeout 720
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 ipsec-udp enable
 ipsec-udp-port 36876
 default-domain value my.company.com
 split-tunnel-all-dns enable
 webvpn
  anyconnect mtu 1200
group-policy DfltGrpPolicy-AC attributes
 wins-server none
 dns-server value 10.20.2.200 10.20.3.200
 vpn-idle-timeout 240
 vpn-session-timeout 720
 vpn-tunnel-protocol ssl-client
 ipsec-udp enable
 ipsec-udp-port 36876
 default-domain value my.company.com
 webvpn
  anyconnect mtu 1200
group-policy RADIUS-GP internal
group-policy RADIUS-GP attributes
 wins-server none
 dns-server value 10.20.2.200 10.20.3.200
 vpn-idle-timeout 30
 vpn-session-timeout 720
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value DNS_FIX
 default-domain value my.company.com
 split-tunnel-all-dns enable
 webvpn
  anyconnect modules value vpngina
  anyconnect profiles value profile1 type user
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 wins-server none
 dns-server value 10.20.2.200 10.20.3.200
 vpn-idle-timeout 30
 vpn-session-timeout 720
 vpn-tunnel-protocol ssl-client
 default-domain value my.company.com
 split-tunnel-all-dns enable
 webvpn
  anyconnect modules value vpngina
  anyconnect profiles value profile1 type user
tunnel-group TunGrp1 type remote-access
tunnel-group TunGrp1 general-attributes
 address-pool DOT-COE
 address-pool DOT-COE1
 address-pool DOT-COE2
 authentication-server-group LDAP
 authorization-server-group LDAP
 accounting-server-group RADIUS
 default-group-policy GroupPolicy1
 authorization-required
 username-from-certificate UPN
tunnel-group TunGrp1 webvpn-attributes
 authentication certificate
 group-alias TunGrp1 disable
 group-url https://asa.my.company.com/TunGrp1 enable
 without-csd

If a PC has manually assigned DNS on its wired or wireless NIC, would that override the DNS servers assigned by the ASA?

It should not overwrite DNS assigned by the ASA as the AnyConnect client has its own virtual network adaptor.  But you might be hitting a bug for all we know so far.

Other things you could check: is the user assigned to the correct group-policy?  That is, if you have more group policies other than the ones you have listed above.  Do the clients have another 3rd party VPN installed (i.e. Hotspot Shield, PIA, etc.)?  When the client is connected to the VPN and you run ipconfig /all on the PC, does the AnyConnect VPN adapter show the correct DNS values?

How are you determining that the AnyConnect clients are not sending DNS requests through the VPN tunnel?

--

Please remember to select a correct answer and rate helpful posts

The DNS requests are going through the VPN tunnel but they are being sent to DNS servers outside our network, as we're seeing them on our Internet firewall.  I know the users are assigned to the correct group policy.  We have multiple group policies but they are all configured identically and are used purely for logging purposes.

I haven't been able to get my hands on one of the clients yet but I'm working on that. Hopefully I'll be able to answer your other questions and find something to point us to the cause. Thanks.
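One way to turn the Internet-firewall observation above into a repeatable check, as an added example that is not part of the thread: flag any DNS flow whose source is in the AnyConnect pool but whose destination is not one of the DNS servers the group-policy pushes. The pool (10.10.10.x) and DNS servers (10.20.2.200, 10.20.3.200) come from the posted config; the key=value log format and the sample lines are constructed for the example, so a real firewall export would need its own parser in place of `LOG_RE`.

```python
import ipaddress
import re
from collections import defaultdict

# Values taken from the posted ASA config.
VPN_POOL = ipaddress.ip_network("10.10.10.0/24")   # covers pool 10.10.10.10-10.10.10.250
ASSIGNED_DNS = {ipaddress.ip_address("10.20.2.200"), ipaddress.ip_address("10.20.3.200")}

# Constructed, simplified flow-log format (key=value pairs). Only the
# fields the check needs are captured.
LOG_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+sport=\d+\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)

# Constructed sample: two clients, one leaking to a public resolver each,
# one non-DNS flow and one non-VPN source that must both be ignored.
SAMPLE_LOG = """\
proto=udp src=10.10.10.25 sport=51234 dst=10.20.2.200 dport=53
proto=udp src=10.10.10.25 sport=51235 dst=75.75.75.75 dport=53
proto=tcp src=10.10.10.40 sport=40001 dst=8.8.8.8 dport=53
proto=udp src=10.10.10.40 sport=40002 dst=10.20.3.200 dport=53
proto=tcp src=10.10.10.40 sport=40003 dst=203.0.113.10 dport=443
proto=udp src=192.168.5.7 sport=3000 dst=8.8.8.8 dport=53
"""


def find_dns_leaks(log_text):
    """Return {vpn_client_ip: sorted list of non-assigned DNS servers it queried}."""
    leaks = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["dport"] != "53":
            continue          # only DNS traffic (UDP or TCP) is of interest
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src not in VPN_POOL:
            continue          # not an AnyConnect client address
        if dst in ASSIGNED_DNS:
            continue          # resolved via the servers the group-policy pushes
        leaks[str(src)].add(str(dst))
    return {client: sorted(servers) for client, servers in leaks.items()}


if __name__ == "__main__":
    for client, servers in sorted(find_dns_leaks(SAMPLE_LOG).items()):
        print(f"{client} queried non-assigned DNS: {', '.join(servers)}")
```

Clients that appear in the result are the ones to inspect with ipconfig /all on the AnyConnect adapter, as suggested earlier in the thread.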

Was this issue ever resolved, as we are facing the same issue in our org.?

If this was resolved, can you kindly let me know what the resolution for this issue was.


Thanks

Asif

Hi, was this issue ever resolved? I believe we are experiencing the same issue.