09-09-2016 08:33 AM - edited 02-21-2020 08:58 PM
We are having a strange issue with the latest AnyConnect client versions (4.3 and 4.2). Please let me know if anyone is having similar issues and knows of any fixes.
Symptoms: Users can't access web-based applications and are unable to resolve DNS.
Further investigation on the client PC after connecting to the VPN profile found that there is a static host route on the PC for one of the DNS server IPs, but pointing to the local host IP (not the VPN IP).
This host route disappears once I disconnect from the VPN. So I believe the host tries to reach the DNS server over the wrong address.
Appreciate any help...
10-11-2017 11:10 AM - edited 10-11-2017 11:17 AM
Hello
We are coming across the same issue in our environment. Please would someone clarify where the workaround commands need to be entered? Should it be added under the "DfltGrpPolicy" attributes and/or the individual Group Policies? From the layout of Filipe's answer it looks like it needs to be entered like this:
_________
group-policy DfltGrpPolicy attributes
webvpn
anyconnect-custom-attr no-dhcp-server-route
anyconnect-custom-data no-dhcp-server-route no-dhcp-server-route true
group-policy <XXX> attributes ---> does this mean each individual group policy?
anyconnect-custom no-dhcp-server-route value no-dhcp-server-route
_________
We have a lot of group policies so hoping it doesn't need to be added to all of them!
Also, Cisco have now created a bug for this - CSCuz27826
Thanks
LB
01-04-2019 11:21 AM
I ran across this issue today and had the same question about where exactly to enter the commands. I opened a Cisco TAC case and was told the following.
The configuration should be entered just like this:
ASA (config)# webvpn
ASA (config-webvpn)# anyconnect-custom-attr no-dhcp-server-route
ASA (config-webvpn)# anyconnect-custom-data no-dhcp-server-route no-dhcp-server-route true
Then on the group-policy that you are using to connect, just add the last command on the attribute parameters:
ASA (config)# group-policy XXXX attributes
ASA (config-group-policy)# anyconnect-custom no-dhcp-server-route value no-dhcp-server-route
To answer the previous question, yes, it does need to be entered on every group-policy that is having this issue.
I entered the commands as they appear above and it did resolve this issue.
The previously mentioned Cisco BugID noted that this was fixed in version 4.3(3009) of the AnyConnect Client, however, I found it was still an issue in 4.4.00243 and with the ASA running version 9.4(4)5.
The only change we know of is that we recently received updates to our Windows 7 devices. Our updates are issued monthly. We are not sure if there was something in one of the patches that broke this for previously installed AnyConnect clients.
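To check a client for the stray DNS host route described in the first post, before or after applying the workaround, here is an added example that is not part of the original thread. It parses Windows `route print -4` output and goes slightly beyond the single host-route case by working out, via longest-prefix match, which interface each DNS server is actually reached through. The route table, addresses and function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample of Windows `route print -4` output (all addresses invented):
# LAN adapter 192.168.1.50, VPN adapter 10.10.50.7, DNS servers 10.10.1.53/.54.
SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
        10.10.0.0      255.255.0.0         On-link       10.10.50.7      2
       10.10.1.53  255.255.255.255      192.168.1.1    192.168.1.50     26
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
===========================================================================
Persistent Routes:
  None
"""

def active_routes(text):
    """Return (network, interface, metric) for each row of the Active Routes table."""
    rows, in_table = [], False
    for line in text.splitlines():
        parts = line.split()
        if line.strip().startswith("Active Routes"):
            in_table = True
        elif in_table and line.startswith("==="):
            break  # end of the Active Routes table
        elif in_table and len(parts) == 5 and parts[4].isdigit():
            dest, mask, _gateway, iface, metric = parts
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            rows.append((net, iface, int(metric)))
    return rows

def dns_egress(text, dns_servers, vpn_ip):
    """Map each DNS server to (interface of its best route, True if that is the VPN adapter)."""
    routes, result = active_routes(text), {}
    for server in dns_servers:
        ip = ipaddress.ip_address(server)
        matches = [r for r in routes if ip in r[0]]
        if not matches:
            result[server] = (None, False)
            continue
        # Longest prefix wins, then lowest metric: a /32 beats the tunnel's /16.
        _net, iface, _metric = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
        result[server] = (iface, iface == vpn_ip)
    return result

if __name__ == "__main__":
    found = dns_egress(SAMPLE, ["10.10.1.53", "10.10.1.54"], "10.10.50.7")
    for server, (iface, ok) in found.items():
        print(server, "->", iface, "OK" if ok else "NOT via VPN adapter")
```

In the sample, the /32 entry for 10.10.1.53 overrides the tunnel route and sends DNS queries out of the LAN adapter, which matches the symptom reported at the top of the thread.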
08-17-2023 01:48 PM
For those of us who have no idea what config you are referring to... mind telling us WHERE to put that config?
09-16-2016 11:14 PM
Hey PNW Weer,
Please share the AnyConnect version, ASA model and software version, and the client operating system you are currently having issues with.
I will try and see if I can reproduce it in my lab.
Thanks
Shakti
09-19-2016 02:44 AM
Hi Shakti
Thank you for your response,
ASA model - 5520
Software version - 8.4(7)30
Anyconnect version - 4.3.02039
Windows 7
09-27-2016 10:12 AM
I am using the same version of AnyConnect as you are and seeing the same results. We updated from 3.1 to the latest 4.3 and DNS doesn't seem to work properly after the upgrade. Also, I have noticed that any machine that's been updated and reverted back to 3.1 still has the issue even after going back to 3.1... Cisco, I hope you have answers...?