3702 Views, 5 Helpful, 9 Replies

DNS issue over VPN

rmessina, Level 1

I'm having a hard time diagnosing an issue with DNS resolution across an IPSEC VPN.  This setup was working at one time but now it's not.  I have a 5505 with easyvpn connecting to a VPN concentrator (cisco 3000), and the workstation shows that DNS is set to my internal corp DNS server, the DNS server is pingable, I can even telnet across VPN to the internal DNS server on port 53, but it will not resolve anything.  When I do an nslookup it times out.  I don't understand what is causing the failure as this setup was working once before.  I see the DNS UDP packets hitting the asa 5505 on the way out, but sniffing on the DNS server I never see the queries arrive.  This issue is occurring on multiple workstations all using the same config below in different regions. Both internal and external resolution are failing.  Please assist.  Thanks!

Example config on ASA 5505

hostname ASA5505
domain-name xxxxx
enable pass
passwd  encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.11.113 255.255.255.240
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name xxxx
pager lines 24
logging enable
logging buffer-size 16000
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community xxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.0.0.0 inside
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 30
management-access inside
dhcpd lease 86400
dhcpd domain xxxxx
dhcpd auto_config outside
dhcpd option 150 ip 10.20.20.11 10.20.20.12
!
dhcpd address 192.168.11.114-192.168.11.125 inside
dhcpd dns 10.20.16.4 10.20.16.3 interface inside
dhcpd domain xxxxx interface inside
dhcpd enable inside
!
vpnclient server xxxxx
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup HomeNetworkVPN password xxxxxx
vpnclient username xxxxx password xxxxxx
vpnclient enable
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.20.0.1 source inside prefer
webvpn
username xxxx password xxxxxx encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context

9 Replies

Dear Randy,

Do you see the UDP 53 packets on the device directly connected to the server?

Where is the server, behind the ASA?

Thanks.

I'll check the switch directly connected to the DNS server to see if there are DNS packets for the source IP in question.  The server is behind the ASA. 

Another oddity... If I do an NSLOOKUP on the workstation that is behind the 5505 ASA I get DNS request timed out.  If I use the server command to try and change the DNS server on the workstation to google's public DNS it fails as well.   Seems as if the problem may be on the 5505 ASA.

Pls check if your dns is working properly. Nslookup should work locally without error.

One reason might be that reverse dns is not working properly or might be misconfigured.

Depending on your os you might have to open udp on port 53 as well.

Regards/dp

Sent from Cisco Technical Support Android App

Pls rate useful posts.

DNS lookup works fine as soon as the 5505 is removed from the picture.  Please elaborate on reverse dns and mis

I cannot change my dns server to google's public dns of 8.8.8.8 while behind the firewall.  As soon as I plug into my home router and bypass the firewall I can change to the public dns server and everything works fine.  It seems as if the 5505 is blocking dns queries on the inside interface.  Please help!

Hi there

May I know why you have "dhcpd dns 10.20.16.4 10.20.16.3 interface inside" as your DNS servers?

Your LAN is 192.168.11.x, so can you ping the 10.20.16.4 IP or the 10.20.16.3?

Add the following:

logging buffered debugging

logging on

Then do a "nslookup", after this test check the "show log" output.

Also please do the following:

capture capin interface inside match udp 192.168.11.0 255.255.255.0 any eq 53

Then "show capture capin".

Let us know.

Thanks.

I resolved the issue by creating a new group on the VPN concentrator and moving the ASAs into the new group.  The new group has the same exact configuration as the old group so I'm not sure why this fixed the issue.  Thanks for everyone's help.

I am glad to hear that.

Please mark this discussion as answered and rate any post that you found helpful.

Take care.