AnyConnect - Windows - DNS nslookup "timeout was 2 seconds" -- is this a known "feature"?

watcher60 (Level 1)

All,

  Hoping someone can advise whether they see similar behaviour in their setup (or not), and whether it is a known feature of the AnyConnect client on Windows.


Setup is Windows 10 clients running AnyConnect v4.6 (though also seen on a previous version), connecting to an ASA with a profile set to split tunneling on the network list (an include network list), configured to send all DNS requests via the tunnel. We do have a long list of DNS names; however, for the problem seen I do not believe this is relevant.


When we perform an nslookup from the cmd prompt of a Windows client connected to the VPN we get a successful lookup; however, timeouts are reported, as shown below, before the resolution (I do not believe nslookup uses the DNS search suffix names, so I do not believe the long list pushed to the clients is relevant). Can anyone advise if they see the same in their setup, or know if this is a known "feature"?


C:\>nslookup www.google.com
Server: phlpdct001.corp.local
Address: 10.20.50.72

DNS request timed out.
timeout was 2 seconds.
Non-authoritative answer:
Name: www.google.com
Addresses: 2607:f8b0:4009:80a::2004
216.58.216.68


Accepted Solution

watcher60 (Level 1)

Looking at a packet capture, I stand corrected: it does appear nslookup still appends the DNS search suffix to the lookup unless you put a trailing "." on the name -- it appears our long search suffix is causing the issue after all.

3 Replies


What is your split DNS setting in the AnyConnect configuration?

All DNS requests are set to be tunneled (split-tunnel-all-dns enable), but we are at the maximum number of DNS names (well, I know the limitation is actually on character length): 11 suffixes plus the default one (so 12 in total).
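As an added illustration (not code from this thread or from Cisco), a small Python model of the effect the accepted answer describes: a parser that counts the "timeout was N seconds" lines in an nslookup transcript (the one quoted in the question is embedded as constructed sample input), and a simplified, assumed suffix-appending model showing why a trailing "." avoids the extra queries. The candidate order and the 12-entry suffix list are assumptions, not the exact Windows resolver behaviour.

```python
"""Model of search-suffix appending vs. a trailing dot, plus an nslookup
timeout counter. Added illustration; not code from the thread."""
import re

# Constructed sample: the nslookup transcript quoted in the question.
SAMPLE_NSLOOKUP = """C:\\>nslookup www.google.com
Server: phlpdct001.corp.local
Address: 10.20.50.72

DNS request timed out.
timeout was 2 seconds.
Non-authoritative answer:
Name: www.google.com
Addresses: 2607:f8b0:4009:80a::2004
216.58.216.68
"""

TIMEOUT_RE = re.compile(r"^timeout was (\d+) seconds\.$", re.MULTILINE)

def count_timeouts(nslookup_output: str) -> tuple:
    """Return (number of timed-out queries, total seconds spent waiting)."""
    waits = [int(s) for s in TIMEOUT_RE.findall(nslookup_output)]
    return len(waits), sum(waits)

def query_candidates(name: str, search_suffixes: list) -> list:
    """Names a suffix-appending resolver may try, in a simplified model
    (assumed order: each configured suffix first, then the bare name).
    A trailing dot marks the name absolute, so nothing is appended."""
    if name.endswith("."):
        return [name]
    return [f"{name}.{suffix}." for suffix in search_suffixes] + [f"{name}."]

def worst_case_wait(name: str, search_suffixes: list, timeout_s: int = 2) -> int:
    """Seconds lost if every suffixed candidate goes unanswered before the
    bare name is tried; 2 s is nslookup's per-query timeout from the transcript."""
    return (len(query_candidates(name, search_suffixes)) - 1) * timeout_s

# Assumed 12-entry list: a default suffix plus 11 placeholder suffixes.
ASSUMED_SUFFIXES = ["corp.local"] + [f"site{i}.corp.local" for i in range(1, 12)]

if __name__ == "__main__":
    print(count_timeouts(SAMPLE_NSLOOKUP))
    print(worst_case_wait("www.google.com", ASSUMED_SUFFIXES))
    print(worst_case_wait("www.google.com.", ASSUMED_SUFFIXES))
```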