Difference Between VPN Client DNS Resolution - ASA5500 vs. VPN3000

I am running into a strange situation with VPN DNS name resolution over ASA and VPN3000.  Here are the details:

                                 ASA5500
XP Client (IPsec) ---->       or      ----> CORP LAN ----> DNS1/DNS2
                                 VPN3000               |
                                                        ExtraNet
                                                             /\
                                                            /  \
                                                           /    \
                                          DNS3/DNS4     online1.company.com

VPN Environment

Site A - ASA 5500

Site B - VPN 3000

VPN Client

Cisco IPsec VPN Client

Windows XP

Client DNS Assigned through VPN Profile

DNS1 - 10.0.0.10

DNS2 - 11.0.0.10

Domain - corp.net

ExtraNet Hosted Application DNS

DNS3 - 172.21.0.1

DNS4 - 172.21.1.1

Application Host - online1.company.com

An XP Client connects through VPN, gets assigned DNS1/DNS2 servers and Domain.  The XP Client runs an ExtraNet based application that has integrated DNS settings that perform DNS lookups to DNS3/DNS4 to resolve an application host "online1.company.com".

When the XP Client uses Site A - ASA5500 for VPN, the application fails.  FW logs show that the XP Client is actually making DNS calls to DNS1/DNS2 instead of the application-assigned DNS3/DNS4, which resolve to an incorrect address for "online1.company.com".  A Wireshark capture shows the XP Client is actually making the DNS request to DNS3/DNS4.

When the XP Client uses Site B - VPN3000 for VPN, the application works.  Logs show that the XP Client is making DNS calls to DNS3/DNS4, which resolve to the correct address for "online1.company.com".  A Wireshark capture verifies the XP Client is actually making the DNS request to DNS3/DNS4.

This can also be verified by performing "nslookups" from the XP Client while connected to Site A and Site B.

Does anyone know if there is a difference between the way the VPN3000 and the ASA5500 pass DNS requests?  FW logs and Wireshark captures lead me to believe there is a difference.  Even when I manually change the DNS server to use DNS3/DNS4 within nslookup, the ASA 5500 still uses the DNS servers assigned to the TCP/IP stack.

Thanks,

Tim Hornbeck
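A scripted version of the nslookup comparison described in the post, added here as an example and not part of the original thread: it sends an A query straight to a chosen server over a raw UDP socket (bypassing the stub resolver, as nslookup's `server` command does) and compares what the directed server answers with what the group-policy server answers. The two server addresses are the post's lab values (DNS1 and DNS3); the hostname and the responder are whatever you point it at, and the comparison is only meaningful for a name the two servers are known to resolve differently, as in the post.

```python
import socket
import struct

# Constructed lab values from the post: DNS1 (group-policy) and DNS3 (directed).
GROUP_POLICY_DNS = "10.0.0.10"
DIRECTED_DNS = "172.21.0.1"

def build_a_query(name, txid=0x1234):
    """Encode a minimal recursion-desired DNS A query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, IN

def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends name
            return off + 2
        off += length + 1

def parse_a_records(resp):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs

def query(server, name="online1.company.com", timeout=3.0):
    """Send the query straight to `server`:53, bypassing the stub resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data)

def directed_dns_overridden(directed_answer, group_policy_answer):
    """True when the query aimed at DNS3 returned DNS1's view (only meaningful when they differ)."""
    return bool(directed_answer) and set(directed_answer) == set(group_policy_answer)
```

Run `directed_dns_overridden(query(DIRECTED_DNS), query(GROUP_POLICY_DNS))` from the VPN client; a True result means the packet addressed to DNS3 was answered from the group-policy server's view, which is the redirection behaviour the thread describes.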

Craig Lorentzen
Cisco Employee

For anyone else following this issue.  A bug has been filed to address the fact that the ASA silently redirects a Directed DNS request, sent over the IPSec Remote Access VPN, to the group-policy configured DNS Server.

SCCto45855 - ASA: IPSec RA directed DNS requests sent to different server

If you are also experiencing an issue due to this behavior, please feel free to open a TAC case so that we can attach this bug and get greater visibility.

-Craig

UPDATE:

The issue was found to be that the IPSec client was actually not allowing the directed DNS request.  It would enforce the use of the Group-Policy configured DNS server.