
DNS Issues on Cisco Anyconnect Client

PNW Weer
Level 1

We are having a strange issue with the latest AnyConnect client versions (4.3 and 4.2). Please let me know if anyone is having similar issues and of any known fixes.

Symptoms: Users can't access web-based applications and are unable to resolve DNS.

Further investigation on the client PC after connecting to the VPN profile found that there is a static host route on the PC for one of the DNS server IPs, but pointing to the local host IP (not the VPN IP).

This host route disappears once I disconnect from the VPN. So I believe the host tries to reach the DNS server over the wrong address.

Appreciate any help...

 


Hello

 

We are coming across the same issue in our environment. Please would someone clarify where the workaround commands need to be entered? Should it be added under the "DfltGrpPolicy" attributes and/or the individual Group Policies? From the layout of Filipe's answer it looks like it needs to be entered like this:
_________
group-policy DfltGrpPolicy attributes
  webvpn
     anyconnect-custom-attr no-dhcp-server-route
     anyconnect-custom-data no-dhcp-server-route no-dhcp-server-route true

 

group-policy <XXX> attributes ---> does this mean each individual group policy?
  anyconnect-custom no-dhcp-server-route value no-dhcp-server-route
_________

 

We have a lot of group policies so hoping it doesn't need to be added to all of them!

 

Also, Cisco have now created a bug for this - CSCuz27826

 

Thanks
LB

I ran across this issue today and had the same question about where exactly to enter the commands.  I opened a Cisco TAC case and was told the following.

 

The configuration should be entered just like this:

 

ASA (config)# webvpn

ASA (config-webvpn)# anyconnect-custom-attr no-dhcp-server-route

ASA (config-webvpn)# anyconnect-custom-data no-dhcp-server-route no-dhcp-server-route true

Then on the group-policy that you are using to connect, just add the last command on the attribute parameters:

 

ASA (config)# group-policy XXXX attributes

ASA (config-group-policy)# anyconnect-custom no-dhcp-server-route value no-dhcp-server-route

 

To answer the previous question, yes, it does need to be entered on every group-policy that is having this issue.

 

I entered the commands as they appear above and it did resolve this issue. 

 

The previously mentioned Cisco BugID noted that this was fixed in version 4.3(3009) of the AnyConnect Client, however, I found it was still an issue in 4.4.00243 and with the ASA running version 9.4(4)5.  

 

The only change we know of is that we recently received updates to our Windows 7 devices.  Our updates are issued monthly.  We are not sure if there was something in one of the patches that broke this for previously installed AnyConnect clients.
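An added example, not from any poster in this thread or from Cisco: a Python script that reads a saved running-config and lists the group policies that still lack the workaround line quoted above, which helps when there are many policies to touch. The sample config, policy names and the `audit` function are constructed, and it assumes sub-commands appear indented under their parent line.

```python
import re

ATTR = "no-dhcp-server-route"
GP_LINE = f"anyconnect-custom {ATTR} value {ATTR}"
DATA_LINE = f"anyconnect-custom-data {ATTR} {ATTR} true"

# Constructed sample, shaped like the commands quoted in this thread.
SAMPLE_CONFIG = """\
webvpn
 anyconnect-custom-attr no-dhcp-server-route
 anyconnect-custom-data no-dhcp-server-route no-dhcp-server-route true
group-policy DfltGrpPolicy attributes
 dns-server value 192.0.2.53
group-policy SALES internal
group-policy SALES attributes
 vpn-tunnel-protocol ssl-client
 anyconnect-custom no-dhcp-server-route value no-dhcp-server-route
group-policy ENG internal
group-policy ENG attributes
 vpn-tunnel-protocol ssl-client
"""

def audit(config_text):
    """Return (globals_defined, sorted names of policies missing the line)."""
    has_attr = has_data = False
    policies = {}    # policy name -> True once the workaround line is seen
    current = None   # group-policy whose attributes block we are inside
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            # A top-level command ends any open group-policy block.
            m = re.fullmatch(r"group-policy (\S+) (internal|attributes)", line)
            current = m.group(1) if m and m.group(2) == "attributes" else None
            if m:
                policies.setdefault(m.group(1), False)
        elif current and line == GP_LINE:
            policies[current] = True
        # The two global definitions are matched wherever they appear.
        has_attr = has_attr or line.startswith(f"anyconnect-custom-attr {ATTR}")
        has_data = has_data or line == DATA_LINE
    missing = sorted(name for name, ok in policies.items() if not ok)
    return has_attr and has_data, missing

if __name__ == "__main__":
    globals_ok, missing = audit(SAMPLE_CONFIG)
    print("global attribute and data defined:", globals_ok)
    print("group policies without the workaround:", ", ".join(missing) or "none")
```
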

For those of us who have no idea what config you are referring to... mind telling us WHERE to put that config?

Hey PNW Weer,

Please share the AnyConnect version, ASA model and software version, and the client operating system you are currently having issues with.

I will try and see if I can reproduce in my lab.

Thanks

Shakti

Hi Shakti

Thank you for your response, 

ASA model - 5520 

Software version - 8.4(7)30

Anyconnect version  - 4.3.02039

Windows  7

Jason Denton
Level 1

I am using the same version of AnyConnect as you are and seeing the same results. We updated from 3.1 to the latest 4.3 and DNS doesn't seem to work properly after the upgrade. Also, I have noticed that any machine that's been updated and reverted back to 3.1 still has the issue even after going back to 3.1... Cisco, I hope you have answers...?
