Cisco Anyconnect - Registering 2 Adapters on DNS Server

garybrophy
Level 1

Hi,

I am wondering if anyone has encountered this problem and has come up with a fix for it that worked.

Anyconnect is setup for full tunneling.

Home WiFi Adapter Address - 192.168.1.10

Anyconnect pool - 10.10.10.0/24

When users sign in from home both adapters get registered in the DNS server as A Records. This causes issues due to the round robin nature of the A record. The hostname responds with either address and we need it to respond with the Anyconnect address 100% of the time.

A record - LaptopName - 192.168.1.10

A record - LaptopName - 10.10.10.1

I am aware of the option on the physical adapters "Register this connection's addresses in DNS". If this is unticked it will work for us, but the issue is that it's very hard to push this out via Group Policy as so many of the laptops have different adapter names and we have a lot of remote workers.

I did log a call with Cisco to see if there is anything that can be configured on the Anyconnect Client or the Firewall itself but they say there is not. They also labbed it up themselves to see if they could replicate the issue but they say they cannot. This is leading them to believe this could be a setting on the DNS server itself.

So long shot here but has anyone encountered this problem before and have a resolution?

Thanks


4 Replies

You push the local DNS server via group-policy to Anyconnect.

And then config the ASA to DDNS the Anyconnect host to its local DNS server?

Thanks for the engagement but I am not really following what you mean.

2 on prem DCs (DNS servers) - these IP addresses are pushed out to the anyconnect client when they connect in.

And then on the DCs (DNS servers) the 2 adapter addresses get registered as A records.

And just to clarify, users at home have absolutely no issues when they connect in. DNS resolution works fine.

The issues arise when users in the office or other Anyconnect users try to talk to the hostname of an Anyconnect user. If the IP address returned is the Anyconnect pool address everything works perfectly. If it's the home WiFi adapter address, that is where the issues occur.

Hope that makes sense.

OK, it works when you are out and when on site it does not work.

The DNS A record adds Anyconnect with the same domain? Can you push a different domain via the ASA to Anyconnect?

When you are out, the external DNS does not know the domain so Anyconnect fails over to the local DNS. On site both the local DNS and the external DNS can resolve the name since both know the domain.

I think you might be missing what I am saying here - from the Anyconnect home user's position there are no issues with the DNS domain or failover to the local DNS servers. Everything works fine. DNS servers are picked up correctly as the on-prem DNS servers and all works. When the users connect in via Anyconnect, 2 host A records are created on the DNS server for the machine (see attached) and that is what the issue is.

So if a user in the office tries to ping the hostname of the Anyconnect user's machine (4276L) they can get either address returned from the DNS server. If it's the home WiFi adapter address that is returned it won't work. We need the DNS server to always respond with the Anyconnect address.

From the screenshot:
172.19.23.150 is the Anyconnect address
192.168.0.142 is the WiFi adapter address

I am looking for a way to prevent the WiFi adapter from registering on the DNS server.
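The two practical angles raised in this thread are the client-side adapter setting ("Register this connection's addresses in DNS", hard to push by adapter name) and the server-side check for hosts that end up with two A records. The PowerShell below is an added example written for this thread, not code from Cisco or from anyone in the discussion. It selects adapters by their driver description instead of the user-visible connection name, so it does not depend on the per-laptop adapter names that make a plain Group Policy hard to write. Assumptions: the AnyConnect virtual adapter's InterfaceDescription contains the string "Cisco AnyConnect" (pattern is a parameter so it can be adjusted), the DnsClient and DnsServer modules are available on the laptop and the DC respectively, and the zone name in the usage comment is a placeholder.

```powershell
# Added example for this thread (not vendor code). Run elevated.
# Goal: stop physical adapters (home WiFi/Ethernet) from registering their address
# in the corporate DNS while leaving the AnyConnect virtual adapter's registration on.
# ASSUMPTION: the AnyConnect adapter is identifiable by its InterfaceDescription.

function Get-AdapterRegistrationState {
    # One object per DNS client interface, joined to the adapter's driver description.
    Get-DnsClient | ForEach-Object {
        $adapter = Get-NetAdapter -InterfaceIndex $_.InterfaceIndex -ErrorAction SilentlyContinue
        [pscustomobject]@{
            InterfaceIndex = $_.InterfaceIndex
            Alias          = $_.InterfaceAlias
            Description    = if ($adapter) { $adapter.InterfaceDescription } else { '' }
            Registers      = $_.RegisterThisConnectionsAddress
        }
    }
}

function Disable-NonVpnDnsRegistration {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumption: matches the AnyConnect virtual miniport's description.
        [string]$VpnAdapterPattern = 'Cisco AnyConnect'
    )
    Get-AdapterRegistrationState |
        Where-Object { $_.Description -notmatch $VpnAdapterPattern -and $_.Registers } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("$($_.Alias) ($($_.Description))", 'Disable DNS registration')) {
                Set-DnsClient -InterfaceIndex $_.InterfaceIndex -RegisterThisConnectionsAddress $false
            }
        }
}

function Find-DuplicateARecords {
    # Server-side check (run on a DC / DNS server): hosts in the zone that currently
    # hold more than one A record, i.e. candidates for the home-LAN + VPN-pool problem.
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$DnsServer = 'localhost'
    )
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -ComputerName $DnsServer |
        Group-Object HostName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                HostName  = $_.Name
                Addresses = ($_.Group | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }) -join ', '
            }
        }
}

# Usage on a laptop (for example from a GPO startup script):
#   Disable-NonVpnDnsRegistration -WhatIf     # preview which adapters would change
#   Disable-NonVpnDnsRegistration -Verbose
#   Register-DnsClient                         # re-register; only the VPN adapter registers now
# Usage on the DNS server (zone name is a placeholder):
#   Find-DuplicateARecords -ZoneName 'corp.example.com'
```

Two things to keep in mind when using this. First, turning registration off does not by itself purge the A record the WiFi adapter already created; that record lingers until DNS scavenging removes it or an admin deletes it, so run Find-DuplicateARecords after the rollout to confirm the stale entries are gone. Second, because the script keys on the driver description rather than the connection name, verify the pattern on a few representative laptops (Get-AdapterRegistrationState shows the descriptions) before deploying it fleet-wide.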