09-09-2016 08:33 AM - edited 02-21-2020 08:58 PM
We are having a strange issue with the latest AnyConnect client versions (4.3 and 4.2); please let me know if anyone is having similar issues and knows of fixes.
Symptoms: users can't access web-based applications and are unable to resolve DNS.
Further investigation on the client PC after connecting to the VPN profile found that there is a static host route on the PC for one of the DNS server IPs, but pointing to the local host IP (not the VPN IP).
This host route disappears once I disconnect from the VPN. So I believe the host tries to reach the DNS server over the wrong address.
Appreciate any help...
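The diagnostic described in this post (a /32 host route for the DNS server that points out the physical adapter instead of the VPN adapter) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses a Windows `route print -4` style IPv4 table and flags host routes for the configured DNS servers whose interface is not the VPN adapter. The routing table text is constructed; 172.18.0.214/215 are the DNS servers quoted later in the thread, while the LAN addresses (10.10.1.0/24) and the VPN adapter address (10.200.0.42) are assumed values.

```python
"""Flag host routes that would send DNS queries around the VPN tunnel.

Added example (not part of the forum thread). Parses a Windows
``route print -4`` style table and reports /32 routes for the DNS
servers whose interface is not the VPN adapter.
"""
import ipaddress
import re

# Constructed sample of what an affected client might show. The DNS
# server 172.18.0.214 has a host route via the LAN gateway (10.10.1.1)
# instead of the VPN adapter (10.200.0.42, an assumed address).
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.10.1.1     10.10.1.55     25
          0.0.0.0          0.0.0.0     10.200.0.1    10.200.0.42      1
        10.10.1.0    255.255.255.0         On-link     10.10.1.55    281
     172.18.0.214  255.255.255.255      10.10.1.1     10.10.1.55     26
     172.18.0.215  255.255.255.255     10.200.0.1    10.200.0.42      1
===========================================================================
"""

# destination, netmask, gateway (may be "On-link"), interface, metric
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return a list of route dicts from route-print style output.

    Header, separator and blank lines do not match ROUTE_LINE and are
    skipped, so the whole command output can be fed in unchanged.
    """
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        # strict=False lets host routes (e.g. 172.18.0.214/32) through
        # without complaining about host bits being set.
        prefixlen = ipaddress.ip_network(f"{dest}/{mask}", strict=False).prefixlen
        routes.append({
            "dest": ipaddress.ip_address(dest),
            "prefixlen": prefixlen,
            "gateway": gateway,
            "interface": ipaddress.ip_address(iface),
            "metric": int(metric),
        })
    return routes


def find_bypassing_dns_routes(routes, dns_servers, vpn_interface):
    """Return host routes for any DNS server that leave via a non-VPN interface."""
    vpn_if = ipaddress.ip_address(vpn_interface)
    wanted = {ipaddress.ip_address(d) for d in dns_servers}
    return [
        r for r in routes
        if r["prefixlen"] == 32 and r["dest"] in wanted and r["interface"] != vpn_if
    ]


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTE_PRINT)
    for r in find_bypassing_dns_routes(routes, ["172.18.0.214", "172.18.0.215"], "10.200.0.42"):
        print(f"DNS server {r['dest']} routed via {r['gateway']} on {r['interface']} (bypasses VPN)")
```

On a real client, replace the constructed sample with the output of `route print -4` and pass the VPN adapter's address; a non-empty result reproduces the symptom in this post, and an empty result after applying a headend change confirms the route is gone.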
Accepted Solutions
01-06-2017 06:37 AM
Hi,
I have spoken to Cisco and apparently this is a change of behaviour (meaning it will not be fixed). But from ASA version 9.3 onwards, you can add the following to the config as a workaround:
"
webvpn
anyconnect-custom-attr no-dhcp-server-route
anyconnect-custom-data no-dhcp-server-route no-dhcp-server-route true
group-policy XXXXXX attributes ///Please use the group-policy you are using.
anyconnect-custom no-dhcp-server-route value no-dhcp-server-route
"
Give it a go and let me know ;)
Hope to have helped,
fLIP
09-10-2016 06:34 PM
Please attach the AnyConnect config from the headend and the DNS server IP.
09-13-2016 09:13 AM
Our DHCP IP and DNS IP are the same. What we found out was that the latest AnyConnect clients add static host routes pointing the DHCP server towards the local host IP.
Therefore DNS requests aren't sent through the tunnel. We are not allowed to use split tunneling, therefore VPN clients are unable to resolve domain names.
Any workaround for this?
Thanks
09-15-2016 11:57 AM
Instead of using DHCP for address assignment, you could configure the ASA to use a local address pool. It doesn't have the capabilities of a DHCP server, but it can allocate addresses to clients.
09-15-2016 03:49 PM
Hi Robert,
Thank you for your comment, but the issue is that the AnyConnect client assigns this route using the DHCP server of the physical host, not the VPN client. Unfortunately, that is also our DNS server for VPN and non-VPN clients.
There are several secure PCs that use AnyConnect to access a secure domain over the corporate network. These users aren't coming from outside; the tunnel is initiated inside the corporate network.
09-19-2016 10:52 AM
I'm not sure I understand. Are you saying the DHCP server local to the client, at their home for example, is the same as the DHCP/DNS server at your corporate office?
09-22-2016 01:57 AM
Hi Robert,
We have a secure domain within the corporate network and access this secure domain over the VPN tunnel.
Thanks
09-22-2016 08:41 AM
Post the result of
'show run group-policy'
Pete
09-23-2016 03:50 AM
Vsec-ASA#show running-config group-policy
group-policy DfltGrpPolicy attributes
default-domain value XXXXX.co.uk
group-policy Vsec_VPN_Group internal
group-policy Vsec_VPN_Group attributes
wins-server value 172.18.0.214 172.18.0.215
dns-server value 172.18.0.214 172.18.0.215
vpn-tunnel-protocol ikev1 ssl-client
default-domain value XXXXX.co.uk
split-dns none
msie-proxy method no-proxy
group-policy 2FA_Vsec_VPN internal
group-policy 2FA_Vsec_VPN attributes
wins-server value 172.18.0.214 172.18.0.215
dns-server value 172.18.0.214 172.18.0.215
vpn-tunnel-protocol ikev1 ssl-client
default-domain value XXXXX.co.uk
split-dns none
Vsec-ASA#
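Neither group policy in this output carries the `anyconnect-custom no-dhcp-server-route` attribute that the accepted solution describes. The following is an added example, not code from the thread or from Cisco, that parses `show running-config group-policy` text and reports which policies push DNS servers without that attribute set. The sample below is constructed from the output posted above, with the workaround applied to `Vsec_VPN_Group` only so that the audit has something to find.

```python
"""Audit ASA group-policy output for the no-dhcp-server-route workaround.

Added example (not part of the forum thread). Parses
``show running-config group-policy`` text and reports, per policy,
the pushed DNS servers and whether the anyconnect-custom
no-dhcp-server-route attribute is present.
"""
import re

# Constructed sample: the thread's output with the workaround attribute
# added to Vsec_VPN_Group only. The prompt line is omitted.
SAMPLE_SHOW_RUN = """\
group-policy DfltGrpPolicy attributes
 default-domain value XXXXX.co.uk
group-policy Vsec_VPN_Group internal
group-policy Vsec_VPN_Group attributes
 wins-server value 172.18.0.214 172.18.0.215
 dns-server value 172.18.0.214 172.18.0.215
 vpn-tunnel-protocol ikev1 ssl-client
 default-domain value XXXXX.co.uk
 split-dns none
 msie-proxy method no-proxy
 anyconnect-custom no-dhcp-server-route value no-dhcp-server-route
group-policy 2FA_Vsec_VPN internal
group-policy 2FA_Vsec_VPN attributes
 wins-server value 172.18.0.214 172.18.0.215
 dns-server value 172.18.0.214 172.18.0.215
 vpn-tunnel-protocol ikev1 ssl-client
 default-domain value XXXXX.co.uk
 split-dns none
"""

ATTR_HEADER = re.compile(r"^group-policy\s+(\S+)\s+attributes\s*$")
WORKAROUND_PREFIX = "anyconnect-custom no-dhcp-server-route value "


def parse_group_policies(text):
    """Return {policy_name: [attribute lines]} from show-run output.

    Lines are stripped so the parser works whether or not the ASA's
    leading-space indentation survived copy and paste.
    """
    policies = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ATTR_HEADER.match(line)
        if m:
            current = m.group(1)
            policies.setdefault(current, [])
            continue
        if line.startswith("group-policy "):
            # "group-policy NAME internal" declares the policy; no attributes follow it
            current = None
            continue
        if current is not None and line:
            policies[current].append(line)
    return policies


def audit(policies):
    """Summarise DNS servers and workaround presence for each policy."""
    report = {}
    for name, attrs in policies.items():
        dns_servers = []
        has_workaround = False
        for attr in attrs:
            if attr.startswith("dns-server value "):
                dns_servers = attr.split()[2:]
            elif attr.startswith(WORKAROUND_PREFIX):
                has_workaround = True
        report[name] = {"dns_servers": dns_servers, "no_dhcp_server_route": has_workaround}
    return report


def policies_missing_workaround(report):
    """Names of policies that push DNS servers but lack the custom attribute."""
    return sorted(
        name for name, r in report.items()
        if r["dns_servers"] and not r["no_dhcp_server_route"]
    )


if __name__ == "__main__":
    result = audit(parse_group_policies(SAMPLE_SHOW_RUN))
    for name in policies_missing_workaround(result):
        print(f"{name}: pushes DNS {result[name]['dns_servers']} without no-dhcp-server-route")
```

Policies that push no DNS servers (such as `DfltGrpPolicy` here) are not reported, since the symptom in this thread only arises when the pushed DNS server is also the client's local DHCP server.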
01-06-2017 06:21 AM
I realize that this is an older post, but I don't suppose anyone found an answer to this issue? I am having the same problem now that we have moved to AnyConnect 4.4 and am seeing the exact same issue.
01-06-2017 09:13 AM
Thanks for the info; things are looking good so far with the affected users.
05-04-2017 11:26 AM
Hi,
Did Cisco give you a bug id?
05-04-2017 01:21 PM
Not a bug; change in functionality.
09-12-2017 04:21 AM
Thanks. This worked for us, but one side note: I had to upgrade the AC client to a newer version. The custom attribute workaround did not work with AC version 4.3. In our case, I upgraded to version 4.5, so if you find that the workaround doesn't work at first, try upgrading the client.