10-27-2015 06:30 AM - edited 02-21-2020 08:31 PM
I am seeing some AnyConnect clients resolving to their local DNS instead of the ASA assigned DNS servers. We have no split tunneling enabled and are forcing AnyConnect clients to use our internal DNS servers (the TAC verified this in our config). All client traffic is forced into our network and then out our Internet connections. On our Internet firewall, we see VPN client addresses going out our Internet connection to resolve against public DNS servers (comcast, etc), which we do not want to permit. Has anyone seen this and is there a way to prevent it?
Thanks.
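The symptom described above is visible on the Internet firewall as DNS (port 53) connections whose source is a VPN pool address and whose destination is a public resolver. The following script is an added example for this thread, not code from the original poster or from Cisco: it runs that detection over connection-log lines. It assumes the firewall logs in Cisco ASA 302013/302015 style ("Built outbound UDP connection N for outside:IP/port (IP/port) to inside:IP/port (IP/port)"), that the VPN pool is 10.10.10.0/24 (taken from the posted "ip local pool POOL") and that the only approved resolvers are 10.20.2.200 and 10.20.3.200 (taken from the posted group policies). The log lines embedded in it are constructed.

```python
"""Flag VPN-pool clients resolving DNS against servers outside the approved set.

Added example for this thread, not from the original post or any vendor.
Assumptions: the Internet firewall logs connections in Cisco ASA 302013/302015
style ("Built outbound UDP connection N for outside:IP/port (IP/port) to
inside:IP/port (IP/port)"), the VPN pool is 10.10.10.0/24 (from the posted
"ip local pool POOL"), and the approved resolvers are 10.20.2.200 and
10.20.3.200 (from the posted group policies). The log lines are constructed.
"""
import ipaddress
import re
from collections import Counter

VPN_POOLS = [ipaddress.ip_network("10.10.10.0/24")]
APPROVED_DNS = {
    ipaddress.ip_address("10.20.2.200"),
    ipaddress.ip_address("10.20.3.200"),
}

# Both endpoints are captured without assuming which side is the client;
# the endpoint on port 53 is treated as the resolver below, so the check
# works for inbound and outbound records alike.
CONN_RE = re.compile(
    r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for "
    r"[\w-]+:(?P<a_ip>[\d.]+)/(?P<a_port>\d+) \([\d.]+/\d+\) to "
    r"[\w-]+:(?P<b_ip>[\d.]+)/(?P<b_port>\d+)"
)

# Constructed sample: two UDP leaks and one TCP leak from pool clients, one
# HTTPS connection, one DNS query from a non-VPN host, one query to an
# approved resolver.
SAMPLE_LOG = """\
%ASA-6-302015: Built outbound UDP connection 10001 for outside:75.75.75.75/53 (75.75.75.75/53) to inside:10.10.10.25/51234 (203.0.113.5/51234)
%ASA-6-302015: Built outbound UDP connection 10002 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.10.10.31/51235 (203.0.113.5/51235)
%ASA-6-302015: Built outbound UDP connection 10003 for outside:93.184.216.34/443 (93.184.216.34/443) to inside:10.10.10.25/51236 (203.0.113.5/51236)
%ASA-6-302015: Built outbound UDP connection 10004 for outside:75.75.75.75/53 (75.75.75.75/53) to inside:10.50.0.9/51237 (203.0.113.5/51237)
%ASA-6-302013: Built outbound TCP connection 10005 for outside:8.8.4.4/53 (8.8.4.4/53) to inside:10.10.10.25/51238 (203.0.113.5/51238)
%ASA-6-302015: Built inbound UDP connection 10006 for inside:10.10.10.25/51239 (10.10.10.25/51239) to dmz:10.20.2.200/53 (10.20.2.200/53)
"""


def parse_conn(line):
    """Return (proto, (ip, port), (ip, port)) for a connection record, else None."""
    m = CONN_RE.search(line)
    if not m:
        return None
    a = (ipaddress.ip_address(m["a_ip"]), int(m["a_port"]))
    b = (ipaddress.ip_address(m["b_ip"]), int(m["b_port"]))
    return m["proto"], a, b


def find_dns_leaks(log_text):
    """Return [(client, resolver, proto)] for DNS from the VPN pool to non-approved servers."""
    leaks = []
    for line in log_text.splitlines():
        parsed = parse_conn(line)
        if not parsed:
            continue
        proto, a, b = parsed
        if a[1] == 53:
            resolver, client = a[0], b[0]
        elif b[1] == 53:
            resolver, client = b[0], a[0]
        else:
            continue  # not DNS
        if not any(client in pool for pool in VPN_POOLS):
            continue  # not a VPN client
        if resolver in APPROVED_DNS:
            continue  # expected internal resolver
        leaks.append((str(client), str(resolver), proto))
    return leaks


def summarize(leaks):
    """Count leaked queries per external resolver."""
    return Counter(resolver for _, resolver, _ in leaks)


if __name__ == "__main__":
    found = find_dns_leaks(SAMPLE_LOG)
    for client, resolver, proto in found:
        print(f"LEAK {proto} {client} -> {resolver}")
    print(dict(summarize(found)))
```

Run it against an export of the Internet firewall's connection log; the per-resolver summary tells you which clients to pull `ipconfig /all` from and whether the destinations line up with one ISP's resolvers (as with the Comcast addresses mentioned above).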
10-27-2015 10:08 AM
Have you confirmed that the PCs do not have manually assigned DNS servers?
I know TAC has looked at your config, but could you post a scrubbed config for us to take a look at?
--
Please remember to select a correct answer and rate helpful posts
10-27-2015 10:39 AM
I'm still trying to get access to one of the PCs that is exhibiting the behavior but will definitely check that. If a PC has manually assigned DNS on its wired or wireless NIC, would that override the DNS servers assigned by the ASA?
Here is the config.
access-list DNS_FIX standard permit host 169.254.1.1
ip local pool POOL 10.10.10.10-10.10.10.250 mask 255.255.255.0
ip verify reverse-path interface outside
nat (inside,any) source static any any no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 20 set ikev2 ipsec-proposal AES256-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
no crypto isakmp nat-traversal
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 5 2
 prf sha256
 lifetime seconds 86400
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 36876
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 dhe-aes128-sha1 dhe-aes256-sha1 rc4-sha1
ssl trust-point TrustPoint_Outside_08052014 outside vpnlb-ip
ssl trust-point TrustPoint_Outside_08052014 outside
ssl trust-point TrustPoint_Inside inside
webvpn
 enable outside
 csd image disk0:/csd_3.6.6249-k9.pkg
 csd hostscan image disk0:/hostscan_3.1.04063-k9.pkg
 csd enable
 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05170-k9.pkg 3 regex "Intel Mac OS X"
 anyconnect image disk0:/anyconnect-linux-3.1.04066-k9.pkg 4
 anyconnect profiles profile1 disk0:/profile1.xml
 anyconnect enable
group-policy DfltGrpPolicy attributes
 dns-server value 10.20.2.200 10.20.3.200
 vpn-idle-timeout 240
 vpn-session-timeout 720
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 ipsec-udp enable
 ipsec-udp-port 36876
 default-domain value my.company.com
 split-tunnel-all-dns enable
 webvpn
  anyconnect mtu 1200
group-policy DfltGrpPolicy-AC attributes
 wins-server none
 dns-server value 10.20.2.200 10.20.3.200
 vpn-idle-timeout 240
 vpn-session-timeout 720
 vpn-tunnel-protocol ssl-client
 ipsec-udp enable
 ipsec-udp-port 36876
 default-domain value my.company.com
 webvpn
  anyconnect mtu 1200
group-policy RADIUS-GP internal
group-policy RADIUS-GP attributes
 wins-server none
 dns-server value 10.20.2.200 10.20.3.200
 vpn-idle-timeout 30
 vpn-session-timeout 720
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value DNS_FIX
 default-domain value my.company.com
 split-tunnel-all-dns enable
 webvpn
  anyconnect modules value vpngina
  anyconnect profiles value profile1 type user
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 wins-server none
 dns-server value 10.20.2.200 10.20.3.200
 vpn-idle-timeout 30
 vpn-session-timeout 720
 vpn-tunnel-protocol ssl-client
 default-domain value my.company.com
 split-tunnel-all-dns enable
 webvpn
  anyconnect modules value vpngina
  anyconnect profiles value profile1 type user
tunnel-group TunGrp1 type remote-access
tunnel-group TunGrp1 general-attributes
 address-pool DOT-COE
 address-pool DOT-COE1
 address-pool DOT-COE2
 authentication-server-group LDAP
 authorization-server-group LDAP
 accounting-server-group RADIUS
 default-group-policy GroupPolicy1
 authorization-required
 username-from-certificate UPN
tunnel-group TunGrp1 webvpn-attributes
 authentication certificate
 group-alias TunGrp1 disable
 group-url https://asa.my.company.com/TunGrp1 enable
 without-csd
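The posted config has four group policies, and the ASA can apply any of them to a session (the tunnel group's default-group-policy, or a policy returned by LDAP/RADIUS authorization), so a DNS review has to cover every policy rather than the one named under the tunnel group. The script below is an added example for this thread, not code from the poster or from Cisco. It parses `group-policy ... attributes` and `tunnel-group ... general-attributes` blocks by ASA's one-space sub-command indentation and reports, per policy, the configured `dns-server` list, the split-tunnel policy (ASA's default when the command is absent is tunnelall) and whether `split-tunnel-all-dns enable` is present. The embedded sample is an excerpt of the configuration posted above with that indentation restored; on it the audit reports that DfltGrpPolicy-AC lacks `split-tunnel-all-dns enable` and that RADIUS-GP uses `excludespecified` with the DNS_FIX list, while DfltGrpPolicy and GroupPolicy1 pass.

```python
"""Audit AnyConnect group policies in an ASA config for DNS handling.

Added example for this thread (not from the original post or Cisco).
Parses `group-policy <name> attributes` and `tunnel-group <name>
general-attributes` blocks by ASA indentation and reports per policy the
dns-server list, the split-tunnel policy and whether split-tunnel-all-dns
is enabled. EXPECTED_DNS comes from the posted config; the sample is an
excerpt of that config with ASA's one-space indentation restored.
"""
import re
from dataclasses import dataclass, field

EXPECTED_DNS = ["10.20.2.200", "10.20.3.200"]

SAMPLE_CONFIG = """\
access-list DNS_FIX standard permit host 169.254.1.1
group-policy DfltGrpPolicy attributes
 dns-server value 10.20.2.200 10.20.3.200
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 default-domain value my.company.com
 split-tunnel-all-dns enable
 webvpn
  anyconnect mtu 1200
group-policy DfltGrpPolicy-AC attributes
 dns-server value 10.20.2.200 10.20.3.200
 vpn-tunnel-protocol ssl-client
 default-domain value my.company.com
 webvpn
  anyconnect mtu 1200
group-policy RADIUS-GP internal
group-policy RADIUS-GP attributes
 dns-server value 10.20.2.200 10.20.3.200
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value DNS_FIX
 default-domain value my.company.com
 split-tunnel-all-dns enable
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 dns-server value 10.20.2.200 10.20.3.200
 vpn-tunnel-protocol ssl-client
 default-domain value my.company.com
 split-tunnel-all-dns enable
tunnel-group TunGrp1 type remote-access
tunnel-group TunGrp1 general-attributes
 address-pool DOT-COE
 default-group-policy GroupPolicy1
"""


@dataclass
class GroupPolicy:
    name: str
    dns_servers: list = field(default_factory=list)
    split_tunnel_policy: str = "tunnelall"  # ASA default when the command is absent
    split_tunnel_list: str = ""
    all_dns_through_tunnel: bool = False


def iter_blocks(config_text):
    """Yield (top-level command, [indented sub-commands]) pairs."""
    header, children = None, []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def parse_policies(config_text):
    """Return ({policy name: GroupPolicy}, {tunnel group: default-group-policy})."""
    policies, tunnel_groups = {}, {}
    for header, children in iter_blocks(config_text):
        m = re.match(r"group-policy (\S+) attributes$", header)
        if m:
            gp = GroupPolicy(m.group(1))
            for line in children:
                parts = line.split()
                if parts[:2] == ["dns-server", "value"]:
                    gp.dns_servers = parts[2:]
                elif parts[0] == "split-tunnel-policy":
                    gp.split_tunnel_policy = parts[1]
                elif parts[:2] == ["split-tunnel-network-list", "value"]:
                    gp.split_tunnel_list = parts[2]
                elif line == "split-tunnel-all-dns enable":
                    gp.all_dns_through_tunnel = True
            policies[gp.name] = gp
            continue
        m = re.match(r"tunnel-group (\S+) general-attributes$", header)
        if m:
            for line in children:
                parts = line.split()
                if parts[:1] == ["default-group-policy"]:
                    tunnel_groups[m.group(1)] = parts[1]
    return policies, tunnel_groups


def audit(policies, expected_dns=EXPECTED_DNS):
    """Return [(policy name, finding)] for policies that deviate from the expected DNS setup."""
    findings = []
    for gp in policies.values():
        if gp.dns_servers != expected_dns:
            findings.append((gp.name, f"dns-server is {gp.dns_servers or 'unset'}, expected {expected_dns}"))
        if gp.split_tunnel_policy != "tunnelall":
            findings.append((gp.name, f"split tunneling in effect: {gp.split_tunnel_policy} {gp.split_tunnel_list}".rstrip()))
        if not gp.all_dns_through_tunnel:
            findings.append((gp.name, "split-tunnel-all-dns not enabled"))
    return findings


if __name__ == "__main__":
    pols, tgs = parse_policies(SAMPLE_CONFIG)
    for tg, gp in tgs.items():
        print(f"tunnel-group {tg} -> default-group-policy {gp}")
    for name, msg in audit(pols):
        print(f"{name}: {msg}")
```

Feed it `show running-config` output rather than a hand-trimmed excerpt so that policies assigned by the authorization server are included; a policy that passes this audit still says nothing about the client side, which is where the ipconfig check later in the thread comes in.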
10-27-2015 01:04 PM
If a PC has manually assigned DNS on its wired or wireless NIC, would that override the DNS servers assigned by the ASA?
It should not override the DNS assigned by the ASA, as the AnyConnect client has its own virtual network adapter. But you might be hitting a bug, for all we know so far.
Other things you could check: is the user assigned to the correct group policy? That is, if you have group policies other than the ones you have listed above. Do the clients have another third-party VPN installed (e.g. Hotspot Shield, PIA, etc.)? When the client is connected to the VPN and you run ipconfig /all on the PC, does the AnyConnect VPN adapter show the correct DNS values?
How are you determining that the AnyConnect clients are not sending DNS requests through the VPN tunnel?
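The two client-side questions in the thread so far (do the PCs have manually assigned DNS servers, and does the AnyConnect adapter show the ASA-assigned values in `ipconfig /all`) can be answered from a single `ipconfig /all` capture. The script below is an added example, not code from any poster or from Cisco: it parses that output, groups DNS servers per adapter and reports whether the AnyConnect adapter carries exactly the ASA-assigned servers and which other connected adapters carry servers outside that set. The sample output is constructed, and matching the virtual adapter by a description beginning "Cisco AnyConnect" is an assumption about how the adapter is named.

```python
"""Check every adapter's DNS servers from `ipconfig /all` output.

Added example for this thread, not from the original post or Cisco.
Parses `ipconfig /all`, collects DNS servers per adapter (including the
continuation lines Windows prints for a second server) and reports whether
the AnyConnect adapter has exactly the ASA-assigned servers and which other
connected adapters point at servers outside that set. SAMPLE_IPCONFIG is
constructed; ANYCONNECT_DESC is an assumption about the adapter's name.
"""
import re

ASA_DNS = {"10.20.2.200", "10.20.3.200"}   # from the posted group policies
ANYCONNECT_DESC = "Cisco AnyConnect"        # assumed description prefix

SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP01
   Primary Dns Suffix  . . . . . . . : my.company.com

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : my.company.com
   Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
   IPv4 Address. . . . . . . . . . . : 10.10.10.25(Preferred)
   DNS Servers . . . . . . . . . . . : 10.20.2.200
                                       10.20.3.200

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : home.lan
   Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7260
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   DNS Servers . . . . . . . . . . . : 75.75.75.75
                                       75.75.76.76

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
"""

ADAPTER_RE = re.compile(r"^(?P<kind>\S.*) adapter (?P<name>.+):$")
FIELD_RE = re.compile(r"^\s{3}(?P<key>[A-Za-z][A-Za-z0-9 -]*?)[ .]*: (?P<value>.*)$")
CONT_RE = re.compile(r"^\s{20,}(?P<value>\S.*)$")   # wrapped value of the previous field


def parse_ipconfig(text):
    """Return {adapter name: {description, dns_servers, media_disconnected}}."""
    adapters = {}
    current, last_key = None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(
                m["name"], {"description": "", "dns_servers": [], "media_disconnected": False}
            )
            last_key = None
            continue
        if current is None:
            continue  # global header before the first adapter
        m = FIELD_RE.match(line)
        if m:
            key, value = m["key"].strip(), m["value"].strip()
            last_key = key
            if key == "Description":
                current["description"] = value
            elif key == "DNS Servers":
                current["dns_servers"].append(value)
            elif key == "Media State" and "disconnected" in value.lower():
                current["media_disconnected"] = True
            continue
        m = CONT_RE.match(line)
        if m and last_key == "DNS Servers":
            current["dns_servers"].append(m["value"].strip())
    return adapters


def audit_adapters(adapters, asa_dns=ASA_DNS, anyconnect_desc=ANYCONNECT_DESC):
    """Return (anyconnect_ok, [(adapter, [servers outside asa_dns])]) over connected adapters."""
    anyconnect_ok = False
    off_list_adapters = []
    for name, info in adapters.items():
        if info["media_disconnected"]:
            continue
        if info["description"].startswith(anyconnect_desc):
            anyconnect_ok = set(info["dns_servers"]) == asa_dns
            continue
        off_list = [s for s in info["dns_servers"] if s not in asa_dns]
        if off_list:
            off_list_adapters.append((name, off_list))
    return anyconnect_ok, off_list_adapters


if __name__ == "__main__":
    found = parse_ipconfig(SAMPLE_IPCONFIG)
    ok, others = audit_adapters(found)
    print("AnyConnect adapter has ASA DNS:", ok)
    for name, servers in others:
        print(f"{name}: DNS servers outside the ASA set: {', '.join(servers)}")
```

Capture with `ipconfig /all > ipconfig.txt` on the affected PC while the tunnel is up and run the parser over the file; a connected physical adapter listing the same ISP resolvers that the Internet firewall sees is the quickest way to settle the "manually assigned DNS" question asked earlier.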
10-28-2015 06:00 AM
The DNS requests are going through the VPN tunnel but they are being sent to DNS servers outside our network, as we're seeing them on our Internet firewall. I know the users are assigned to the correct group policy. We have multiple group policies but they are all configured identically and are used purely for logging purposes.
I haven't been able to get my hands on one of the clients yet but I'm working on that. Hopefully I'll be able to answer your other questions and find something to point us to the cause. Thanks.
02-05-2019 11:16 PM
Was this issue ever resolved? We are facing the same issue in our org.
If it was resolved, could you kindly let me know what the resolution was?
Thanks
Asif
08-05-2020 11:09 AM
Hi, was this issue ever resolved? I believe we are experiencing the same issue.