cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
16020
Views
0
Helpful
18
Replies

ASA VPN Client Cannot Resolve DNS

joe.ho
Beginner
Beginner

I am running ASA5510 IOS 8.2(1). The VPN client are getting correct DNS when I check with config /all. However in the command prompt nslookup it is using the ISP DNS server. We see this intermittent issue happening only on the Windows7 machine. The VPN client we tried are 5.0.07.0290 (64bit) and 5.0.07.0410 (32bit). Does any one encounter the same issue? Any idea how to resolve this?

18 Replies 18

Namit Agarwal
Cisco Employee
Cisco Employee

Hi,

You have mentioned that this issue only surfaces on Windows 7. Are you using WWAN card on the WIn 7 for internet access ?

Have you checked on XP as well ? Please paste a little part of the config showing what is the internal network behind the ASA and what is the remote VPN IP pool range, DNS servers values

Thanks,

Namit

Thanks for your respond.

So far I don't see any issue with XP. I just paste a portion of the config for you. If you need more info just let me know. Thanks.

interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 172.16.3.19 255.255.255.248 standby 172.16.3.21
!
interface Ethernet0/2
description LAN/STATE Failover Interface
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Ethernet0/3.314
vlan 314
nameif DMZ1
security-level 10
ip address 10.7.14.1 255.255.255.0 standby 10.7.14.2

!

access-list OUTSIDE extended permit tcp any host 38.110.64.16 eq https
access-list OUTSIDE extended permit tcp any host 38.110.64.17 eq https
access-list OUTSIDE extended permit tcp any host 38.110.64.18 eq 3101
access-list OUTSIDE extended permit tcp any host 38.110.64.19 eq www
access-list OUTSIDE extended permit tcp any host 38.110.64.21 eq https
access-list OUTSIDE extended permit tcp any host 38.110.64.22 eq https
access-list OUTSIDE extended permit tcp any host 38.110.64.9 eq 5061
access-list OUTSIDE extended permit tcp any host 38.110.64.9 eq https
access-list OUTSIDE extended permit tcp any host 38.110.64.10 eq https
access-list OUTSIDE extended permit udp any host 38.110.64.10 eq 3478
access-list OUTSIDE extended permit tcp any host 38.110.64.10 range 50000 59000
access-list OUTSIDE extended permit udp any host 38.110.64.10 range 50000 59000
access-list OUTSIDE extended permit tcp any host 38.110.64.11 eq https
access-list OUTSIDE extended permit udp any host 38.110.64.15 eq tftp
access-list OUTSIDE extended permit tcp any host 38.110.64.25 eq https
access-list OUTSIDE extended permit tcp object-group MESSAGELABS host 38.110.64.25 eq smtp
access-list OUTSIDE extended permit tcp any host 38.110.64.26 eq https
access-list OUTSIDE extended permit tcp object-group MESSAGELABS host 38.110.64.26 eq smtp
access-list dpmvpn_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list dpmvpn_splitTunnelAcl standard permit 172.16.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.7.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 10.7.0.0 255.255.255.0

!

ip local pool TOR_ASA_IP_POOL 10.7.0.1-10.7.0.254 mask 255.255.255.0

!

group-policy dpmvpn internal
group-policy dpmvpn attributes
dns-server value 10.7.7.10 10.7.7.13
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dpmvpn_splitTunnelAcl
default-domain value dpm.domain
!
tunnel-group dpmvpn type remote-access
tunnel-group dpmvpn general-attributes
address-pool TOR_ASA_IP_POOL
authentication-server-group DPMLDAP LOCAL
default-group-policy dpmvpn

Hi ,

So you are not able to access the internal hosts behind the ASA using names. Are you able to reach the internal network using IP Address ?

Thanks,

Namit

Hi,

Please paste your NAT configuration also.

Thanks,

Namit

Oh yes I forgot to paste that.

nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) 38.110.64.16 10.7.7.8 netmask 255.255.255.255
static (inside,outside) 38.110.64.17 10.7.7.3 netmask 255.255.255.255
static (inside,outside) 38.110.64.18 10.7.7.6 netmask 255.255.255.255
static (inside,outside) 38.110.64.19 10.7.7.12 netmask 255.255.255.255
static (inside,outside) 38.110.64.21 10.7.7.19 netmask 255.255.255.255
static (inside,outside) 38.110.64.22 10.7.7.18 netmask 255.255.255.255
static (DMZ1,outside) 38.110.64.9 10.7.14.9 netmask 255.255.255.255
static (DMZ1,outside) 38.110.64.10 10.7.14.10 netmask 255.255.255.255
static (DMZ1,outside) 38.110.64.11 10.7.14.11 netmask 255.255.255.255
static (inside,outside) 38.110.64.15 10.7.8.3 netmask 255.255.255.255
static (inside,outside) 38.110.64.25 10.7.7.70 netmask 255.255.255.255
static (inside,outside) 38.110.64.26 10.7.7.17 netmask 255.255.255.255
access-group OUTSIDE in interface outside
access-group DMZ1_access_in in interface DMZ1
route outside 0.0.0.0 0.0.0.0 38.110.64.1 1
route inside 10.0.0.0 255.0.0.0 172.16.3.17 1
route inside 10.7.0.0 255.255.0.0 172.16.3.18 1
route inside 172.16.0.0 255.240.0.0 172.16.3.17 1

Hi,

Also I have asked earlier, are you using a WWAN Card ? Can we change the route route inside 10.0.0.0 255.0.0.0 172.16.3.17 1 and route inside 10.7.0.0 255.255.0.0 172.16.3.18 1 to a more specific route because it might conflict with the route for the remote access pool 10.7.0.0/24

Thanks,

Namit

Hi Namit,

I miss your question eariIier. I saw on the release note. The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards). Is the Bell stick that goes on the usb port on the laptop consider a WWAN device? The client are using that on their laptops.

I am not going to touch to route for now since it is working for other VPN clients.

Joe

Hi Joe,

Thanks for the update. Can you try pinging something or accessing on the internal network using IP Address instead of DNS so that we can rule out DNS being the issue ?

Thanks,

Namit

Hi ,

Please check the connection settings, does it connect to some cellular network. If yes, is there a way you can set it up as a Dial Up Connection ?

Thanks,

Namit

Hi Namit,

I tested the ping. IP address work so it is the DNS.

I think the Bell stick is using 3G. Here is the user guide. http://mobilebusiness.bell.ca/Assets/61adc7d02dfe4b9893ce2e41952de9aa_Bell-Mobile-Connect-User-Guide_English-Final.pdf

I am not able the test out on the dial connection. The customers is saying it is working now. I am thinking it could be the intermittent issue.

In the Cisco VPN client 5.0.07 release note says:

The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards).

http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client5007/release/notes/vpnclient5007.html#wp45722

If this is a known issue I will just leave it until the next VPN client release.

Thanks,

Joe

yes there are some issues on the wireless data cards,

WWAN are not supported for the IPSEC VPN Client if you are using windows
7, this because Windows 7 ntroduced a new adapter type called WWAN. The WWAN type bypasses NDIS
IM drivers, so our NDIS IM driver fails to receive packets that go in and out WWAN devices.


here is work around worth a try

We can try forcing some domains to resolve through the VPN tunnel, this can be done using split-dns. seen this work before

eg:


group-policy EXAMPLE attributes

  split-dns value cisco.com


see if this helps

Thanks for the explanation. I will need to do some research on split dns.

Hi Joe,


If IP address works then it has to be DNS issue. Since it is working with DNS also now it must have been an intermittent issue.


Yes this is a known issue. It might be fixed in the next release of the VPN Client. In your case even though you are using a 3G connection you are not being effected by this issue as per the following explanation.


Windows 7 introduced a new adapter type called WWAN. The traffic accepted by the NIC is controlled by an NDIS Miniport Driver. The WWAN type bypasses NDIS IM drivers (Network Driver Interface Specification Intermediate driver), so the Client NDIS IM driver fails to receive packetsthat go in and out WWAN devices. The third party tool that acts as the NDIS IM driver is DNE by Citrix.


The current release of Citrix DNE is an NDIS intermediate driver that is based on NDIS 5.0. However, the native Windows 7 Mobile Broadband driver
(WWAN Card)is based on NDIS 6.2. Earlier intermediate drivers that are based on NDIS 4.x or on NDIS 5.x have a known compatibility issue with the
 native Windows 7 Mobile Broadband driver.  

The reason the connection will work when setup as a Dial Up Connection or used as a USB Stick because it bypasses the limitation of NDIS drivers to
 connect to the internet whereas the internal card is used as a NIC which the VPN Client is not able to recognize 

Hope that answers your query. If everything is ok please mark the post as answered. 

Thanks,

Namit 

Hi Namit,

I don't quite understand. You said it is a known issue but it doesn't effect me. I try to understand the explanation but it is beyond my knowledge.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers