ASA 5505 IPSEC VPN Error

Mohammed Yusuf
Level 1

Hi,


Some of our users are receiving an error when connecting to the IPSec VPN:

"The system has detected a possible attempt to compromise security VPN issue unable to map drives automatically"

and sometimes they struggle with DNS resolution. I have added IP addresses manually in the hosts file, but is there a better way?

I googled it but I got different views from everywhere. I would not like to try it on a production firewall unless someone knows the fix.

Thanks,

10 Replies

rizwanr74
Level 7

Hello Mohammed,

You have a group-policy for the VPN tunnel-group and I assume you enabled split-tunnel; then you can force the VPN users to send DNS lookups for internal domain names to internal servers, rather than sending the DNS lookups to the local ISP.

group-policy your-vpn-group-policy attributes
dns-server value 10.121.81.64 10.121.81.65
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test-Split-Tunnel-List
default-domain value whatever.com
split-dns value white.com black.com yellow.com brown.com pink.com

As you can see, my split-dns value contains many internal domain names, for which nslookup will go to the internal DNS servers at 10.121.81.64 and 10.121.81.65 for that particular group-policy's VPN users.

Hope that helps.

Thanks

Rizwan Rafeek.

Hi Rizwan,

I have the group policy as suggested earlier. Does it look OK, or am I missing something?

group-policy company internal
group-policy company attributes
dns-server value 192.168.0.2 192.168.0.1
vpn-idle-timeout 43200
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value company.com
address-pools value vpnippool

Hello Mohammed,

You don't need these two values.

- - - - - - - - - - - - - 

vpn-idle-timeout 43200
pfs enable

- - - - - - - - - - - - - 

You still have to make your VPN client send lookups for your internal domain names into the tunnel; otherwise your internal hostname lookups will go to the local ISP for remote-access IPSec VPN clients.

An example is shown below; you need to specify your internal domain names as shown.

split-dns value white.com black.com yellow.com brown.com pink.com

thanks

Rizwan Rafeek

If I run these commands would it fix the issue?

no vpn-idle-timeout

no pfs enable

split-dns value white.com

Hello Mohammed,

"If I run these commands would it fix the issue?"

NO, but you do not need those lines.

What you need is to enable split-dns, as shown below.

group-policy your-vpn-group-policy attributes

split-dns value white.com black.com yellow.com brown.com pink.com
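An added example, not code from this thread or from Cisco: a small Python check that parses ASA group-policy attribute blocks out of a running-config and flags the gap discussed above, split-tunnel enabled without a split-dns list (internal names then resolve via the ISP). The sample config is constructed from the policy posted above plus a corrected copy with split-dns; the function names are this example's own.

```python
import re

# Constructed sample: the policy as posted above (no split-dns) and a corrected copy.
SAMPLE_CONFIG = """\
group-policy company internal
group-policy company attributes
 dns-server value 192.168.0.2 192.168.0.1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnsplittunnel
 default-domain value company.com
 address-pools value vpnippool
group-policy company-fixed internal
group-policy company-fixed attributes
 dns-server value 192.168.0.2 192.168.0.1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnsplittunnel
 default-domain value company.com
 split-dns value company.com corp.company.com
 address-pools value vpnippool
"""

def parse_group_policies(config):
    """Return {policy: {attribute: [values]}} from 'group-policy X attributes' blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the block
        elif current is not None:
            parts = line.split()
            if len(parts) >= 3 and parts[1] == "value":
                current[parts[0]] = parts[2:]  # e.g. split-dns value a.com b.com
            elif len(parts) == 2:
                current[parts[0]] = parts[1:]  # e.g. split-tunnel-policy tunnelspecified
    return policies

def check_split_dns(attrs):
    """Return findings for one policy; empty means internal lookups stay in the tunnel."""
    findings = []
    split_dns = attrs.get("split-dns", [])
    domain = attrs.get("default-domain", [None])[0]
    if attrs.get("split-tunnel-policy", ["tunnelall"])[0] == "tunnelspecified" and not split_dns:
        findings.append("split-tunnel without split-dns: internal names resolve via ISP")
    if domain and split_dns and domain not in split_dns:
        findings.append(f"default-domain {domain} not in split-dns list")
    if not attrs.get("dns-server"):
        findings.append("no dns-server value pushed to clients")
    return findings
```

Run it over `show running-config` output saved to a file and review each policy's findings before touching the production ASA.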

Thanks. I would add split-dns on Monday and get back to you.

Hello Mohammed,

"Could I just append this line in group policy?"

Yes, you can, but replace it with the list of domain names whose lookups you want your remote VPN clients to send into the tunnel.

Do you have split-tunnel enabled?

Hi rizwanr74,

I have tried the split-tunnel value and it has not resolved it.

Thanks,

Post your configuration.

Hi Rizwan,

Could I just append this line in group policy?

split-dns value white.com black.com yellow.com brown.com pink.com

or does it have to be in a particular order?
