08-02-2011 12:53 PM
So we've set up an ASA 5510 and users can VPN in no problem, and an IPCONFIG /ALL confirms that the DNS server settings from the group policy have been applied.
Group policy sets DNS servers as 192.168.2.8 (internal), 8.8.8.8 (google).
Public internet sites work ok.
Typing nslookup opens up on the correct internet DNS server,
but all requests timeout.
C:\Users\atr>nslookup
Default Server: dell_server5.ourcompany.local
Address: 192.168.2.8
> w7farmm3
Server: dell_server5.ourcompany.local
Address: 192.168.2.8
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to dell_server5.ourcompany.local timed-out
> w7farmm3.ourcompany
Server: dell_server5.ourcompany.local
Address: 192.168.2.8
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to dell_server5.ourcompany.local timed-out
> w7farmm3.ourcompany.local
Server: dell_server5.ourcompany.local
Address: 192.168.2.8
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to dell_server5.ourcompany.local timed-out
> google.com
Server: dell_server5.ourcompany.local
Address: 192.168.2.8
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to dell_server5.ourcompany.local timed-out
Any ideas?
08-04-2011 11:01 AM
I am experiencing the same issue. My nslookup output is the same as above.
08-04-2011 11:10 AM
Greg I'm reading this post at the moment - not sure if it's useful to either of us
08-04-2011 11:40 AM
Update:
I edited the Group Policy, under Advanced -> Split Tunneling
Changed the policy to "Tunnel All Networks"
and suddenly everything works!
Though I'm sure I don't want to leave it at Tunnel All Networks, so still looking into it.
08-04-2011 01:04 PM
If it works with tunnelall and not with split tunneling then you need to enable split dns.
Your group policy should look something like this:
group-policy vpnpolicyx internal
group-policy vpnpolicyx attributes
split-dns value yourcompany.local
I hope this helps.
08-04-2011 01:54 PM
thanks! that's it.
the existing setting was
DNS Names: (inherit: no) 192.168.2.7 151.203.0.85 151.202.0.85
So if this field should actually be a domain name, what was the person thinking who set this up? Any idea why they would put IP addresses in here? (192.168.2.7 is our local DNS server)
08-04-2011 02:09 PM
I think they just got confused, however if you do a question mark you would see it mentions "list of domains"
asa(config-group-policy)# split-dns value ?
group-policy mode commands/options:
LINE < 256 char Enter a list of domains to be resolved through the Split Tunnel, separated with spaces.
However, it takes an IP (because an IP is a word too), hence the confusion.
asa(config-group-policy)# split-dns value 1.1.1.1
I hope this clarifies your questions.
Have fun!
PS: Don't forget to rate this post and mark the question as answered
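Added example, not part of the thread or of any Cisco tooling: a small Python check that scans saved ASA configuration text for the mistake found above, IP addresses in a group policy's split-dns list where domain names belong. The sample configuration is constructed from the values quoted in the posts, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample config, modelled on the values quoted in the thread.
SAMPLE_CONFIG = """\
group-policy vpnpolicyx internal
group-policy vpnpolicyx attributes
 dns-server value 192.168.2.8 8.8.8.8
 split-tunnel-policy tunnelspecified
 split-dns value 192.168.2.7 151.203.0.85 151.202.0.85
group-policy vpnpolicyy internal
group-policy vpnpolicyy attributes
 split-dns value yourcompany.local
"""

ATTR_HEADER = re.compile(r"^group-policy\s+(\S+)\s+attributes\s*$")


def is_ip_literal(token):
    """True if the token parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def audit_split_dns(config_text):
    """Map each group policy to the IP literals found in its split-dns list."""
    findings = {}
    current = None
    for raw in config_text.splitlines():
        header = ATTR_HEADER.match(raw.strip())
        if header:
            current = header.group(1)
            continue
        if not raw.startswith(" "):
            current = None  # an unindented line ends the attributes block
            continue
        words = raw.split()
        if current and words[:2] == ["split-dns", "value"]:
            bad = [w for w in words[2:] if is_ip_literal(w)]
            if bad:
                findings.setdefault(current, []).extend(bad)
    return findings


if __name__ == "__main__":
    for policy, tokens in audit_split_dns(SAMPLE_CONFIG).items():
        print(f"{policy}: split-dns holds IP addresses, not domains: {' '.join(tokens)}")
```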