03-07-2011 08:27 PM
I am running into a strange situation with VPN DNS name resolution over ASA and VPN3000. Here are the details:
                    ASA5500
XP Client (IPsec) ---->  or  ----> CORP LAN ----> DNS1/DNS2
                    VPN3000            |
                                   ExtraNet
                                      /\
                                     /  \
                                    /    \
                            DNS3/DNS4   online1.company.com
VPN Environment
Site A - ASA 5500
Site B - VPN 3000
VPN Client
Cisco IPsec VPN Client
Windows XP
Client DNS Assigned through VPN Profile
DNS1 - 10.0.0.10
DNS2 - 11.0.0.10
Domain - corp.net
ExtraNet Hosted Application DNS
DNS3 - 172.21.0.1
DNS4 - 172.21.1.1
Application Host - online1.company.com
An XP Client connects through VPN, gets assigned DNS1/DNS2 servers and Domain. The XP Client runs an ExtraNet based application that has integrated DNS settings that perform DNS lookups to DNS3/DNS4 to resolve an application host "online1.company.com".
When the XP Client uses Site A - ASA5500 for VPN, the application fails. FW Logs show that the XP Client is actually making DNS calls to DNS1/DNS2 instead of the application-assigned DNS3/DNS4, which resolve to an incorrect address for "online1.company.com". A Wireshark capture shows the XP Client is actually making the DNS request to DNS3/DNS4.
When the XP Client uses Site B - VPN3000 for VPN, the application works. Logs show that the XP Client is making DNS calls to DNS3/DNS4, which resolve to the correct address for "online1.company.com". A Wireshark capture verifies the XP Client is actually making the DNS request to DNS3/DNS4.
This can also be verified by performing "nslookups" from the XP Client while connected to Site A and Site B.
Does anyone know if there is a difference between the way the VPN3000 and the ASA5500 pass DNS requests? FW logs and Wireshark captures lead me to believe there is a difference. Even when I manually change the DNS server to use DNS3/DNS4 within nslookup, the ASA 5500 still uses the DNS servers assigned to the TCP/IP stack.
Thanks,
Tim Hornbeck
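The check Tim describes (pointing nslookup at DNS3/DNS4 and comparing the answer with what DNS1/DNS2 return) can be scripted so it runs the same way from both VPN sites. The following is an added example, not code from the thread or from Cisco: it builds a minimal DNS A query, sends it straight to a chosen server over UDP/53 so the OS resolver is bypassed (a "directed" query), parses the A records out of the reply, and flags the case where the directed query comes back carrying the same data as the VPN-assigned resolver. The server addresses and hostname are the ones in the post; the expected extranet address (203.0.113.10) is a constructed placeholder, and the three-way classification is this example's own logic.

```python
# Added example (not from the original thread): directed DNS query helper
# for comparing the VPN-assigned resolver with the extranet resolver.
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursion-desired DNS query for an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length

def parse_a_records(data: bytes, expected_txid: int = 0x1234) -> list:
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    offset = 12
    for _ in range(qd):                # skip the echoed question section
        offset = _skip_name(data, offset) + 4
    addrs = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return addrs

def directed_query(server: str, name: str, timeout: float = 2.0) -> list:
    """Send the query directly to `server` on UDP/53, bypassing the OS resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data)

def classify(assigned_answer: list, directed_answer: list, expected: str) -> str:
    """
    assigned_answer : A records from the VPN-assigned resolver (DNS1/DNS2)
    directed_answer : A records from asking DNS3/DNS4 directly
    expected        : address the extranet DNS is known to hand out
    """
    if expected in directed_answer:
        return "ok: directed query reached the extranet resolver"
    if directed_answer and directed_answer == assigned_answer:
        return "suspect: directed query answered with the assigned resolver's data"
    return "unexpected: directed query returned " + (", ".join(directed_answer) or "nothing")

if __name__ == "__main__":
    # Addresses from the thread; EXPECTED is a constructed placeholder.
    HOST = "online1.company.com"
    ASSIGNED, EXTRANET, EXPECTED = "10.0.0.10", "172.21.0.1", "203.0.113.10"
    assigned = directed_query(ASSIGNED, HOST)
    directed = directed_query(EXTRANET, HOST)
    print("DNS1:", assigned, "DNS3:", directed)
    print(classify(assigned, directed, EXPECTED))
```

Run it once over each VPN site and diff the output: on a path that passes directed queries through, the DNS3 answer should differ from the DNS1 answer and match the known extranet address; if both servers appear to return identical data, the directed request is not reaching the server it was addressed to, which is exactly what the firewall logs in the post suggest.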
04-19-2011 05:35 AM
For anyone else following this issue: a bug has been filed to address the fact that the ASA silently redirects a Directed DNS request, sent over the IPSec Remote Access VPN, to the group-policy configured DNS Server.
SCCto45855 - ASA: IPSec RA directed DNS requests sent to different server
If you are also experiencing an issue due to this behavior, please feel free to open a TAC case so that we can attach this bug and get greater visibility.
-Craig
UPDATE:
The issue was found to be that the IPSec client was actually not allowing the directed DNS request. It would enforce the use of the Group-Policy configured DNS server.