Cisco ASA Split-DNS With Some IPv6 Clients Not Working

rfranzke

Greetings all. So I have an issue with the Split-DNS feature over AnyConnect SSL client-based VPN. Running AnyConnect 4.3 with ASA code 9.6(3)1. We use both the split-tunneling and split-DNS features to selectively direct network and DNS queries to our remote DNS servers and networks. This works fine for most of our users. We are not yet using IPv6 over our VPN setups because we still have too many legacy devices on our network which do not support IPv6 fully.

Some of my users have been experiencing an issue where Split-DNS is not working for them. Lookups for names sent over the tunnel using split-DNS work fine, but any lookups not sent over the tunnel fail. Meaning that a lookup of host.internaldomain.com works fine, but a lookup of www.google.com would fail. If they disconnect from the VPN, Internet resolution works for them. As a workaround I have them disable IPv6 on their network adapter, and then the split-DNS feature works perfectly. With IPv6 enabled on their end, the split-DNS feature stops working. I run IPv6 on my home network and do not have any issues with the split-DNS feature and therefore cannot reproduce their problem. When looking at my AnyConnect client, I see the following in the information section:

Cisco AnyConnect Secure Mobility Client 4.3.03086
(Fri Jan 12 08:57:58 2018)

Connection Information
Tunnel Mode (IPv4): Split Include
Tunnel Mode (IPv6): Drop All Traffic


What I am wondering is if, because our clients are using "Drop All Traffic" for IPv6, when the troubled users' machines try to do lookups outside the tunnel, they use an IPv6 DNS server as configured by their ISP, and because the VPN tunnel is set to drop all IPv6 traffic, the lookup never works because it gets dropped. You can see here in my Windows IPCONFIG output that I have an IPv6 DNS server listed as one of my local resolvers:


DNS Servers . . . . . . . . . . . : 2001:470:X:X::X
172.16.0.20
172.16.0.21


But when I do Internet lookups (lookups outside the tunnel) it works fine with my IPv6 config. Is there some sort of config in the split-DNS feature to not do anything with IPv6 name lookups over the tunnel? Any idea on what I have wrong here? I really am not sure why disabling IPv6 on their client machines would have any effect, but it does.


Here is my config for split DNS:

group-policy colo-anyconnect-ras attributes
wins-server none
dns-server value 10.20.20.105 10.20.20.106
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value colo-ras-split-tunnel
default-domain value internaldomain.int
split-dns value domain.com internaldomain.int domain2.com
split-tunnel-all-dns disable
address-pools value colo-ras


Any help is much appreciated. Thanks.

Accepted Solution

rfranzke
I got this to work following this thread:


https://supportforums.cisco.com/t5/vpn/anyconnect-disables-native-ipv6-when-connected/td-p/1748824


The last post from Fabian L did the trick. The issue for me was that Split-DNS was working, but using IPv6 for doing lookups for IPv6 hosts outside the tunnel. AnyConnect was simply dropping those packets instead of splitting them out because IPv6 was not enabled in the AnyConnect client. I added IPv6 split tunneling using a bogus IPv6 address block. This allows the AnyConnect connection to know what IPv6 traffic to split out so that the client can make normal local IPv6 DNS queries and thus allow IPv6 connectivity for IPv6 split-tunnel clients. It keeps the AnyConnect client from just dropping all IPv6 traffic, which would be needed for clients using native IPv6 with their ISPs. Here are the relevant config additions for reference:


group-policy colo-anyconnect-ras attributes

ipv6-split-tunnel-policy tunnelspecified
split-tunnel-network-list value colo-ras-split-tunnel

split-dns value domain.com
split-tunnel-all-dns disable
address-pools value colo-ras
ipv6-address-pools value colo-ras-ipv6

ipv6 local pool colo-ras-ipv6 <ipv6 Address Block Goes Here>/80 100

access-list colo-ras-split-tunnel extended permit ip <IPv6 Address Block Goes Here>/80 any6


So this has the effect of allowing IPv6 traffic to selectively traverse the AnyConnect tunnel based on the access list colo-ras-split-tunnel. Now, I don't need IPv6 traffic over the tunnel at all, but since I am specifying what should go over it, this has the side effect of telling AnyConnect what traffic should NOT go over it. AnyConnect then splits the traffic out for IPv6 lookups to the Internet for the AnyConnect clients which use native IPv6. Anyway, it's all figured out. Hope this helps someone else with the same issue.

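The following is an added example, not code from this thread, from the poster, or from Cisco. It models the decision the thread is reasoning about: a query for a name under one of the split-dns domains goes to the tunnel DNS servers, while any other name goes to the adapter's first local resolver; if that resolver is an IPv6 address and the tunnel's IPv6 mode is "Drop All Traffic" (no ipv6-split-tunnel-policy), the query is dropped, which is the failure the original post describes. Adding an IPv6 tunnelspecified policy with a prefix that covers nothing the client actually talks to routes the ISP resolver locally again. All prefixes, addresses and names are constructed (RFC 5737 / RFC 3849 style); GroupPolicy, in_tunnel(), decide() and the "drop_all" / "tunnelspecified" labels are this example's own, not an AnyConnect or ASA API, and the "first resolver wins" rule is a simplification of the Windows DNS client taken from the thread's hypothesis.

```python
"""Model of where an AnyConnect split-tunnel / split-DNS client sends a DNS
query and whether the query can leave the client at all.

Added example (not from the thread or from Cisco). Addresses and names are
constructed; GroupPolicy/decide() are this example's own abstractions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class GroupPolicy:
    split_dns: List[str]                       # split-dns value ...
    tunnel_dns: List[str]                      # dns-server value ...
    ipv4_split_include: List[str]              # IPv4 entries of split-tunnel-network-list
    ipv6_split_include: List[str] = field(default_factory=list)  # IPv6 entries
    # No ipv6-split-tunnel-policy -> client shows "Tunnel Mode (IPv6): Drop All
    # Traffic". With "tunnelspecified" only the listed IPv6 prefixes are
    # tunnelled and every other IPv6 destination stays on the local interface.
    ipv6_split_policy: str = "drop_all"


def matches_split_dns(name: str, suffixes: List[str]) -> bool:
    """True if name equals or is under one of the split-dns domains."""
    n = name.rstrip(".").lower()
    return any(n == s.lower() or n.endswith("." + s.lower()) for s in suffixes)


def in_tunnel(addr: str, policy: GroupPolicy) -> Optional[bool]:
    """Route for a packet to addr: True = into the tunnel, False = local
    interface, None = dropped by the client (IPv6 with Drop All Traffic)."""
    ip = ip_address(addr)
    if ip.version == 6:
        if policy.ipv6_split_policy == "drop_all":
            return None
        return any(ip in ip_network(p) for p in policy.ipv6_split_include)
    return any(ip in ip_network(p) for p in policy.ipv4_split_include)


def decide(name: str, policy: GroupPolicy, local_resolvers: List[str]) -> dict:
    """Pick the resolver for name and report whether the query is deliverable."""
    if matches_split_dns(name, policy.split_dns):
        resolver = policy.tunnel_dns[0]
        # a tunnel DNS server is only reachable if the split include covers it
        return {"name": name, "resolver": resolver, "via": "tunnel",
                "delivered": in_tunnel(resolver, policy) is True}
    if not local_resolvers:
        return {"name": name, "resolver": None, "via": "local", "delivered": False}
    resolver = local_resolvers[0]          # first adapter resolver (simplification)
    # a local resolver must be routed locally; "into the tunnel" or "dropped"
    # both mean the ISP resolver never sees the query
    return {"name": name, "resolver": resolver, "via": "local",
            "delivered": in_tunnel(resolver, policy) is False}


# Constructed scenario mirroring the thread (prefixes/addresses are made up).
BROKEN = GroupPolicy(
    split_dns=["domain.com", "internaldomain.int", "domain2.com"],
    tunnel_dns=["10.20.20.105", "10.20.20.106"],
    ipv4_split_include=["10.20.0.0/16"],
)
FIXED = GroupPolicy(
    split_dns=BROKEN.split_dns,
    tunnel_dns=BROKEN.tunnel_dns,
    ipv4_split_include=BROKEN.ipv4_split_include,
    ipv6_split_include=["2001:db8:ffff::/80"],   # the "bogus" block from the fix
    ipv6_split_policy="tunnelspecified",
)
DUAL_STACK = ["2001:db8:1::53", "172.16.0.20", "172.16.0.21"]  # IPv6 ISP resolver first
V4_ONLY = ["172.16.0.20", "172.16.0.21"]                       # IPv6 disabled on adapter


def scenario() -> dict:
    """The four cases the thread describes, as name -> delivered flag."""
    return {
        "internal_broken": decide("host.internaldomain.int", BROKEN, DUAL_STACK)["delivered"],
        "internet_broken": decide("www.google.com", BROKEN, DUAL_STACK)["delivered"],
        "internet_v4only": decide("www.google.com", BROKEN, V4_ONLY)["delivered"],
        "internet_fixed": decide("www.google.com", FIXED, DUAL_STACK)["delivered"],
    }


if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case:16s} {'resolves' if ok else 'FAILS'}")
```

Two points the model makes visible. First, the placeholder prefix has to be one the client will never actually need to reach: if the "bogus" block overlapped the ISP's resolver (say a /32 that contains it), the resolver would be pulled into the tunnel and the lookup would fail exactly as before. Second, once ipv6-split-tunnel-policy tunnelspecified is in place, every IPv6 destination outside the list bypasses the tunnel, so any DNS or egress filtering the corporate resolvers provide no longer applies to the client's native IPv6 traffic; that is the usual split-tunnel trade-off, now extended to IPv6.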