PNW Weer
Beginner

DNS Issues on Cisco Anyconnect Client

We are having a strange issue with the latest AnyConnect client versions (4.3 and 4.2). Please let me know if anyone is having similar issues and knows of any fixes.

Symptoms: Users can't access web-based applications and are unable to resolve DNS.

Further investigation on the client PC after connecting to the VPN profile found that there is a static host route on the PC for one of the DNS server IPs, but pointing to the local host IP (not the VPN IP).

This host route disappears once I disconnect from the VPN. So I believe the host tries to reach the DNS server over the wrong address.

appreciate any help...
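Added example (not code from the thread or from Cisco): a small Python check that parses a Windows `route print` IPv4 table and reports, for each configured DNS server, whether the selected route leaves through the AnyConnect adapter or through a more specific host route on the physical NIC, which is the symptom described above. The adapter addresses and the route table are constructed assumptions.

```python
import ipaddress

# Constructed sample of Windows `route print` output (not captured from the thread).
# Assumes the AnyConnect virtual adapter holds 10.20.0.5, the physical LAN adapter
# holds 192.168.1.50, and 172.18.0.214 is the combined DHCP/DNS server. The /32 for
# 203.0.113.7 (assumed VPN headend) is expected; the /32 for the DNS server is not.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50   4250
          0.0.0.0          0.0.0.0        10.20.0.1        10.20.0.5      2
        10.20.0.0    255.255.255.0          On-link        10.20.0.5    257
     172.18.0.214  255.255.255.255      192.168.1.1     192.168.1.50      1
      192.168.1.0    255.255.255.0          On-link     192.168.1.50    281
      203.0.113.7  255.255.255.255      192.168.1.1     192.168.1.50      1
"""

def parse_ipv4_routes(text):
    """Return (network, interface, metric) tuples from `route print` style lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, separator or blank line
        dest, mask, _gateway, iface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}")
            routes.append((net, ipaddress.IPv4Address(iface), int(metric)))
        except ValueError:
            continue  # not a route line
    return routes

def select_route(routes, target):
    """Longest prefix wins; lowest metric breaks ties (Windows forwarding order)."""
    ip = ipaddress.IPv4Address(target)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]), default=None)

def check_dns_routing(route_text, dns_servers, vpn_adapter_ip):
    """Map each DNS server to the prefix length and interface of its chosen route."""
    routes = parse_ipv4_routes(route_text)
    vpn_ip = ipaddress.IPv4Address(vpn_adapter_ip)
    report = {}
    for dns in dns_servers:
        net, iface, _ = select_route(routes, dns) or (None, None, None)
        report[dns] = {"prefixlen": net.prefixlen if net else None,
                       "interface": str(iface) if iface else None,
                       "via_tunnel": iface == vpn_ip}  # False when no route matched
    return report
```

Any DNS server reported with `via_tunnel` False and a /32 prefix is being steered around the tunnel by a host route and will fail to resolve once split tunneling is disabled.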


Accepted Solution

Hi,

I have spoken to Cisco and apparently this is a change of behaviour (meaning it will not be fixed). But from ASA version 9.3 onwards, you're now able to add the following to the config as a workaround:

webvpn
 anyconnect-custom-attr no-dhcp-server-route
 anyconnect-custom-data no-dhcp-server-route no-dhcp-server-route true
group-policy XXXXXX attributes                ///Please use the group-policy you are using.
 anyconnect-custom no-dhcp-server-route value no-dhcp-server-route

Give it a go and let me know ;)

Hope to have helped,

fLIP


pjain2
Cisco Employee

please attach the anyconnect config from the headend and the dns server ip

Our DHCP IP and the DNS IP are the same. What we found out was that the latest AnyConnect clients put static host routes for the DHCP server pointing towards the local host IP.

Therefore DNS requests aren't sent through the tunnel. We are not allowed to use split tunneling, so VPN clients are unable to resolve domain names.

Any workaround for this?

thanks

Instead of using DHCP for address assignment, you could configure the ASA to use a local address pool. It doesn't have the capabilities of a DHCP server but it can allocate addresses to clients.

Hi Robert

Thank you for your comment, but the issue is that the AnyConnect client assigns this route using the DHCP server of the physical host, not the VPN client, which unfortunately is also our DNS server for VPN and non-VPN clients.

There are several secure PCs that use AnyConnect to access a secure domain over the corporate network. These users aren't coming from outside; the tunnel is initiated inside the corporate network.


I'm not sure I understand. Are you saying the DHCP server local to the client, at their home for example, is the same as the DHCP/DNS server at your corporate office?

Hi Robert

We have secure domain within the corporate network and access this secure domain over the VPN tunnel.

thanks

Post the result of

'show run group-policy'

Pete

Vsec-ASA#show running-config group-policy
group-policy DfltGrpPolicy attributes
default-domain value XXXXX.co.uk
group-policy Vsec_VPN_Group internal
group-policy Vsec_VPN_Group attributes
wins-server value 172.18.0.214 172.18.0.215
dns-server value 172.18.0.214 172.18.0.215
vpn-tunnel-protocol ikev1 ssl-client
default-domain value XXXXX.co.uk
split-dns none
msie-proxy method no-proxy
group-policy 2FA_Vsec_VPN internal
group-policy 2FA_Vsec_VPN attributes
wins-server value 172.18.0.214 172.18.0.215
dns-server value 172.18.0.214 172.18.0.215
vpn-tunnel-protocol ikev1 ssl-client
default-domain value XXXXX.co.uk
split-dns none
Vsec-ASA#

I realize that this is an older post, but I don't suppose anyone found an answer to this issue? I am having the same problem now that we have moved to Anyconnect 4.4 and seeing the exact same issue.


Thanks for info, things are looking good so far with the affected users.

Hi,

Did Cisco give you a bug id?

Not a bug, a change in functionality.

Thanks. This worked for us, but one side note: I had to upgrade the AC client to a newer version. The custom attribute workaround did not work with AC version 4.3. In our case, I upgraded to version 4.5, so if you find that the workaround doesn't work at first, try upgrading the client.
