08-05-2013 12:13 AM
Hi all,
I was wondering if someone could shed some light on our problem... We have an ASA5525 configured to allow VPN clients (via the AnyConnect client v3.1.01065) access to certain IP addresses using split tunneling. Now this works perfectly; however, whenever a user (in the localdomain.com domain) tries to resolve/ping a FQDN in their local domain (e.g. server1.localdomain.com) they get a "Host not found" error. However, resolving/pinging just the hostname (server1) works!
I have tried playing around with the settings under Group Policy > Advanced > Split Tunneling in the ASDM (v 6.6) but can't seem to get the FQDN to resolve. I was just wondering if anyone knows what setting is needed to allow vpn users to resolve local FQDN whilst connected to our VPN?
Just a recap:
User can ping extserver1.remotedomain.com (Remote Server - looking at it from the clients perspective)
User can ping extserver (Remote Server - looking at it from the clients perspective)
User cannot ping server1.localdomain.com (Local Server - looking at it from the clients perspective)
User can ping server1 (Local Server - looking at it from the clients perspective)
All IP traffic works as expected!
Any help will be greatly appreciated!
Thanks,
Adam
08-05-2013 02:57 AM
How is the user trying to resolve the server1.localdomain.com FQDN? If you issue the nslookup server1.localdomain.com command at a command prompt on a windows machine, what is the result?
Which DNS server are the users using when connected to the VPN?
I am wondering if server1.localdomain.com returns a public IP which is connected to the local router or ASA and is being dropped due to implicit security policies.
08-05-2013 04:43 PM
Well, I have been trying to just use ping to diagnose the problem. However, anything on the local client machine that uses a local FQDN (file shares, printing, intranet etc.) does not work. Don't forget that everything remote, whether it is a hostname or FQDN, works, as do local hostnames, which goes to show that the local DNS server is coming in somewhere...
Here are the results of NSLookup:
BEFORE VPN CONNECTION
nslookup server1.localdomain.com
Server: LOCAL DNS SERVER FQDN
Address 172.16.1.xxx (Clients DNS Server Address)
Name: server1.localdomain.com
Address: 172.16.1.xxx (Server1's IP Address)
AFTER VPN CONNECTION
nslookup server1.localdomain.com
Server: VPN DNS FQDN
Address 172.16.30.xxx (VPN DNS Server Address)
*** VPN DNS FQDN can't find server1.localdomain.com: Non-existent domain
This is the problem... The VPN is telling windows to tunnel all DNS queries and ask them to be resolved by the remote DNS server not the local one... It was my understanding that this type of thing can be restricted by adding the "split-dns remotedomain.com" command which will only tunnel "remotedomain.com" queries correct?
Is there a setting I need on the ASA or AnyConnect client that will allow this type of thing to happen?
08-05-2013 11:59 PM
Your assumption is correct regarding the split-dns.
Have you enabled "Enable Local LAN Access (if configured)" option in AnyConnect?
Could you post a full configuration of your ASA? Change all public IPs and domains please.
08-07-2013 12:34 AM
Yes, I have tried the "Enable Local LAN Access (if configured)" option in AnyConnect with no luck. I was reading here https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml#dsfg that the "Enable Local LAN Access" option is only if you use the "Exclude Network List Below"... Please feel free to correct me if I'm wrong...
Here is the relevant config...
access-list split-tunneling remark MEM Server
access-list split-tunneling standard permit host 192.168.1.34
access-list split-tunneling remark DNS Server
access-list split-tunneling standard permit host 172.16.30.10
access-list split-tunneling remark APPSSERVER
access-list split-tunneling standard permit host 172.16.30.31
access-list split-tunneling remark SQL
access-list split-tunneling standard permit host 192.168.1.11
access-list split-tunneling remark Phone System
access-list split-tunneling standard permit host 192.168.3.18
aaa-server SR protocol radius
max-failed-attempts 5
aaa-server SR (Inside_new) host 172.16.30.10
key ****
group-policy GroupPolicy_S_TEST internal
group-policy GroupPolicy_S_TEST attributes
wins-server value 172.16.30.10 172.16.30.11
dns-server value 172.16.30.10 172.16.30.11
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunneling
default-domain value remotedomain.com
split-dns value remotedomain.com
split-tunnel-all-dns disable
msie-proxy method no-modify
webvpn
tunnel-group TEST1 type remote-access
tunnel-group TEST1 general-attributes
address-pool AnyConnect_pool
authentication-server-group SR
default-group-policy GroupPolicy_S_TEST
tunnel-group TEST1 webvpn-attributes
group-alias TEST1 enable
I really appreciate your help! Thanks heaps!
08-07-2013 01:31 AM
If you enter split-dns value none does the FQDN resolve correctly?
If it does, and you add split-dns value remotedomain.com does it now resolve correctly also?
08-07-2013 05:37 PM
No, it makes no difference either way... Both NSLookup and Ping report the same errors as above; I have tried "Enabling Local Access..." on the AnyConnect client as well with no luck... Here is a dump of ipconfig /all with both configurations:
split-dns value none
C:\Users\administrator>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : CLIENTNAME
Primary Dns Suffix . . . . . . . : localdomain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : remotedomain.com
none
localdomain.com
.com
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : remotedomain.com
Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5532:3a5d:7c03:c6f5%13(Preferred)
Link-local IPv6 Address . . . . . : fe80::88d7:ad44:7a69:53f1%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.50.39(Preferred) < ASA ClientIPPool
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : ::
DHCPv6 IAID . . . . . . . . . . . : 301991322
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-7A-87-1C-00-15-5D-01-0B-68
DNS Servers . . . . . . . . . . . : 172.16.30.10 < REMOTE DNS SERVER
172.16.30.11 < REMOTE DNS SERVER
Primary WINS Server . . . . . . . : 172.16.30.10 < REMOTE DNS SERVER
Secondary WINS Server . . . . . . : 172.16.30.11 < REMOTE DNS SERVER
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain.com
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-01-0B-68
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::4114:47c3:b707:f0b4%11(Preferred)
IPv4 Address. . . . . . . . . . . : 172.16.1.1(Preferred) < Local IP Address
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, 7 August 2013 3:17:31 AM
Lease Expires . . . . . . . . . . : Thursday, 15 August 2013 3:17:32 AM
Default Gateway . . . . . . . . . : 172.16.1.254 < Local Gateway
DHCP Server . . . . . . . . . . . : 172.16.1.203 < Local DHCP Server
DHCPv6 IAID . . . . . . . . . . . : 234886493
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-7A-87-1C-00-15-5D-01-0B-68
DNS Servers . . . . . . . . . . . : 172.16.1.221 < Local DNS Server
172.16.1.203 < Local DNS Server
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.localdomain.com:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : localdomain.com
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.remotedomain.com:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : remotedomain.com
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
split-dns value remotedomain.com
C:\Users\administrator>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : CLIENTNAME
Primary Dns Suffix . . . . . . . : localdomain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : remotedomain.com
remotedomain.com
localdomain.com
.com
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : remotedomain.com
Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::6d36:da82:8fed:8b5e%13(Preferred)
Link-local IPv6 Address . . . . . : fe80::88d7:ad44:7a69:53f1%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.50.39(Preferred) < ASA ClientIPPool
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : ::
DHCPv6 IAID . . . . . . . . . . . : 301991322
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-7A-87-1C-00-15-5D-01-0B-68
DNS Servers . . . . . . . . . . . : 172.16.30.10 < Remote DNS Server
172.16.30.11 < Remote DNS Server
Primary WINS Server . . . . . . . : 172.16.30.10 < Remote DNS Server
Secondary WINS Server . . . . . . : 172.16.30.11 < Remote DNS Server
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain.com
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-01-0B-68
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::4114:47c3:b707:f0b4%11(Preferred)
IPv4 Address. . . . . . . . . . . : 172.16.1.1(Preferred) < Local IP Address
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, 7 August 2013 3:17:31 AM
Lease Expires . . . . . . . . . . : Thursday, 15 August 2013 3:17:32 AM
Default Gateway . . . . . . . . . : 172.16.1.254 < Local Gateway
DHCP Server . . . . . . . . . . . : 172.16.1.203 < Local DHCP Server
DHCPv6 IAID . . . . . . . . . . . : 234886493
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-7A-87-1C-00-15-5D-01-0B-68
DNS Servers . . . . . . . . . . . : 172.16.1.221 < Local DNS Server
172.16.1.203 < Local DNS Server
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.localdomain.com:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : localdomain.com
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.remotedomain.com:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : remotedomain.com
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Just confirming that when I say localdomain.com I am referring to the client's domain, and when I say remotedomain.com I am referring to our domain that the client is remoting into...
Thanks
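The two ipconfig dumps above show the whole problem in one place: the AnyConnect adapter carries the remote DNS servers, the physical adapter carries the local ones, and the nslookup results show that a query for server1.localdomain.com is nevertheless handed to the remote servers even with split-dns set. The script below is an added example (not part of this thread or of any Cisco tool) that parses ipconfig /all output, works out which adapter's connection-specific suffix covers a given FQDN, and reports when the expected split-DNS behaviour (only names under the split-dns domains should go to the tunnel's resolvers) is not what the host would actually do. The rule that Windows hands a query to the DNS servers of the first connected adapter that lists any is a simplifying assumption for the example, as is the sample ipconfig text, which is constructed in the shape of the dumps above with made-up addresses.

```python
"""Parse `ipconfig /all` output and check whether a name's expected resolver
(by DNS suffix and split-dns policy) matches the resolver the host will use.
Added example, not code from the thread or from Cisco."""
import re
from typing import Dict, List, Optional, Tuple

Adapter = Dict[str, List[str]]

# Constructed sample in the shape of the thread's dumps (addresses are made up).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : CLIENTNAME
   Primary Dns Suffix  . . . . . . . : localdomain.com
   DNS Suffix Search List. . . . . . : remotedomain.com
                                       localdomain.com

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : remotedomain.com
   Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
   IPv4 Address. . . . . . . . . . . : 192.168.50.39(Preferred)
   DNS Servers . . . . . . . . . . . : 172.16.30.10
                                       172.16.30.11

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : localdomain.com
   IPv4 Address. . . . . . . . . . . : 172.16.1.1(Preferred)
   DNS Servers . . . . . . . . . . . : 172.16.1.221
                                       172.16.1.203

Tunnel adapter isatap.localdomain.com:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain.com
"""

# "   Key . . . . : value"  (key text, dot filler, colon, value)
_KEY_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 /-]*?)\s*\.[ .]*:\s?(.*)$")
# "Ethernet adapter Local Area Connection 2:"  (section header at column 0)
_ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")


def parse_ipconfig(text: str) -> Tuple[Adapter, List[Tuple[str, Adapter]]]:
    """Return (global settings, [(adapter name, settings), ...]) in listing order.
    Every setting maps to a list because fields such as DNS Servers span lines."""
    global_cfg: Adapter = {}
    adapters: List[Tuple[str, Adapter]] = []
    current = global_cfg
    last_key: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = _ADAPTER_RE.match(raw)
        if m:
            current = {}
            adapters.append((m.group(1), current))
            last_key = None
            continue
        m = _KEY_RE.match(raw)
        if m:
            last_key = m.group(1).strip()
            current.setdefault(last_key, [])
            if m.group(2).strip():
                current[last_key].append(m.group(2).strip())
        elif raw.startswith(" ") and last_key is not None:
            current[last_key].append(raw.strip())  # continuation of a multi-line value
    return global_cfg, adapters


def _connected(adapter: Adapter) -> bool:
    return not any("disconnected" in v.lower() for v in adapter.get("Media State", []))


def _suffix_matches(fqdn: str, domain: str) -> bool:
    f, d = fqdn.lower().rstrip("."), domain.lower().rstrip(".")
    return bool(d) and (f == d or f.endswith("." + d))


def should_tunnel_dns(fqdn: str, split_dns_domains: List[str]) -> bool:
    """Split-DNS semantics: only names under a listed domain go to the tunnel resolvers."""
    return any(_suffix_matches(fqdn, d) for d in split_dns_domains)


def diagnose(ipconfig_text: str, fqdn: str, split_dns_domains: List[str]) -> Dict[str, object]:
    """Compare the adapter that should own the name with the one the host will query."""
    _, adapters = parse_ipconfig(ipconfig_text)
    live = [(n, a) for n, a in adapters if _connected(a) and a.get("DNS Servers")]
    # Assumption for this example: the host sends the query to the DNS servers of the
    # first connected adapter that lists any (the AnyConnect adapter in the dumps).
    queried_name, queried_servers = (live[0][0], live[0][1]["DNS Servers"]) if live else (None, [])
    owner = next(((n, a) for n, a in live
                  if any(_suffix_matches(fqdn, s)
                         for s in a.get("Connection-specific DNS Suffix", []))), None)
    owner_name, owner_servers = (owner[0], owner[1]["DNS Servers"]) if owner else (None, [])
    tunnel = should_tunnel_dns(fqdn, split_dns_domains)
    return {
        "fqdn": fqdn,
        "tunnel_expected": tunnel,
        "owner_adapter": owner_name,
        "owner_servers": owner_servers,
        "queried_adapter": queried_name,
        "queried_servers": queried_servers,
        # True when a non-tunnel name would still be sent to the tunnel's resolvers.
        "split_dns_bypassed": (not tunnel) and bool(owner_servers) and owner_servers != queried_servers,
    }


if __name__ == "__main__":
    for name in ("server1.localdomain.com", "extserver1.remotedomain.com"):
        print(diagnose(SAMPLE_IPCONFIG, name, ["remotedomain.com"]))
```

Run against a real dump (`ipconfig /all > dump.txt` on the client, then feed the file's contents to `diagnose`), the report for server1.localdomain.com flags `split_dns_bypassed` exactly when the local domain's servers (172.16.1.x in the thread) differ from the servers the host will consult first (172.16.30.x), which is the condition nslookup exposed above.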