Dynamic DNS registration not working over anyconnect VPN Client

Hello All

 

Looking for some suggestions on the issue below. We are currently experiencing an issue with DNS registration over AnyConnect VPN. Whenever a user connects to the VPN, their local host does not get dynamically registered on the DNS server.

 

I believe this registration happens during the tunnel negotiation, and the local host sends the DNS registration as part of the DHCP request. We have the DHCP pool defined on the gateway itself. Not sure if the VPN gateway will forward the DNS registration request to the DNS server?

 

Please let me know if you have any questions on the configuration.

6 Replies

Cristian Matei
VIP Alumni

Hi,

 

If your AnyConnect clients get IP addresses from a Windows-based DHCP service, the server should be configured to dynamically update DNS records on behalf of the DHCP clients.

 

Regards,

Cristian Matei.

Are you suggesting using a separate DHCP server instead of the internal pool on the ASA itself? Is there any config we can apply on the ASA to fix this issue?

I've seen this same problem in every environment I've worked in over the last 15 years or so, but I've never been able to find any good Internet articles to help fix the issue. It would seem like MS and Cisco would come out with a simple way to make Dynamic DNS updates work when using an ASA or FTD as the DHCP source pool. I certainly would NOT want to set my AnyConnect or S2S VPN clients to pull DHCP from a separate Windows server behind an ASA or FTD, because if the network ever has problems and that MS DHCP server goes down or becomes inaccessible, then you're not going to be able to VPN in at all (unless someone knows better?).

 

If anyone has an answer for how to make AnyConnect VPN clients update an MS DDNS server without pulling IP addresses from an MS DHCP server, PLEASE let us know! My current environment has over 80 site-to-site ASA-to-FTD VPN tunnels, as well as hundreds of AnyConnect VPN clients. All of the VPN S2S locations get their DHCP from their local ASA, as we CANNOT have those locations unable to use their local networks if the VPN connection goes down for any reason (this would cause HUGE human safety issues for our business). As well, putting a Windows server out at those locations to maintain is not an option either, as many of these sites don't even have power after hours, not to mention the licensing and administrative overhead. It would also really help administratively to be able to ping -a any of these VPN client IPs to easily track down issues, or even just resolve their forward lookup names to IPs for administration purposes. Using Windows DHCP is just absolutely NOT an option for our type of business, period!

 

Again, if anyone knows how to make Windows clients dynamically update their Windows DNS servers WITHOUT using Windows DHCP, PLEASE let us know!

I know it's an older thread, but did anyone ever figure this out?

Unfortunately, I haven't seen any replies to this thread, nor have I found any answers yet. Please let me know if you have better luck than I have. Godspeed!

Tom974
Level 1

There are a couple of different points here. First off, dynamic DNS update on Windows computers is on by default and is controlled by the checkbox "Register this connection's addresses in DNS" (Network Connections / IPv4 Advanced TCP/IP settings of the NIC / DNS tab). This behavior is completely independent of the ASA. I suggest reading the following MS resource for an in-depth explanation: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-dns-dynamic-updates-windows-server-2003#:~:text=Click%20Start%2C%20point%20to%20Administrative,clients%20that%20support%20dynamic%20update.

 

In our environment we assign VPN IPs with the ASA local pools as well. Once the computer is connected to the VPN, it sends a request to dynamically update the A record with the ASA-assigned IP to the primary DNS server, as described in the link above. I suggest verifying that the checkbox above is ticked (which it is by default) and that nothing on the DNS server side prevents the update from happening (maybe some weird permission issue).

I would also ensure there is no VPN filter in the group-policy preventing communication with the DNS servers. For instance, I have seen in the past a VPN filter with an ACL that only allowed access to limited corporate resources, but the DNS servers explicitly allowed on the filter were Umbrella on-prem appliances, which act as a conditional forwarder and are not integrated with AD, hence they cannot accept dynamic DNS updates.

 

As a side note, if the VPN headend is configured to assign an IP from a Windows DHCP server on the inside, the dynamic DNS update is a little different, as the workflow includes the DHCP server.

 

HTH
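The checks in the reply above (registration setting on the adapter, reachability of the DNS server through the VPN filter, and whether the A record actually landed) can be scripted from the client side. The following PowerShell is an added example for this page, not code from the thread or from Cisco or Microsoft. It assumes a hypothetical AD-integrated DNS server at 10.0.0.53 serving the zone corp.example, and that the AnyConnect virtual adapter's interface description contains "AnyConnect"; adjust both for a real environment. Run it in an elevated session while the VPN is up.

```powershell
# Added example (not from the thread): verify and force Windows dynamic DNS
# registration for the AnyConnect adapter, then confirm the record on the server.
# Assumed values (hypothetical): DNS server 10.0.0.53, AD zone corp.example.
$DnsServer = '10.0.0.53'
$Zone      = 'corp.example'

# 1. Locate the AnyConnect virtual adapter (the interface holding the ASA pool address).
$adapter = Get-NetAdapter |
    Where-Object { $_.InterfaceDescription -like '*AnyConnect*' -and $_.Status -eq 'Up' } |
    Select-Object -First 1
if (-not $adapter) { throw 'AnyConnect adapter not found or not connected' }
$ifIndex = $adapter.ifIndex
$vpnIp   = (Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 |
            Select-Object -First 1).IPAddress

# 2. "Register this connection's addresses in DNS" is the RegisterThisConnectionsAddress
#    property of the DNS client binding; enable it if someone turned it off.
$dnsClient = Get-DnsClient -InterfaceIndex $ifIndex
if (-not $dnsClient.RegisterThisConnectionsAddress) {
    Set-DnsClient -InterfaceIndex $ifIndex -RegisterThisConnectionsAddress $true
}
# Registration needs a suffix to build the FQDN. Normally the ASA group-policy
# default-domain supplies it; fall back to the assumed zone if it is empty.
if (-not $dnsClient.ConnectionSpecificSuffix) {
    Set-DnsClient -InterfaceIndex $ifIndex -ConnectionSpecificSuffix $Zone
}

# 3. Confirm the path to the DNS server is open. A vpn-filter ACL that omits the
#    AD DNS servers (or points only at a forwarder that cannot accept updates)
#    shows up here as a blocked port. Dynamic update uses port 53 like any query.
$reachable = Test-NetConnection -ComputerName $DnsServer -Port 53 -InformationLevel Quiet
if (-not $reachable) {
    Write-Warning "TCP/53 to $DnsServer is blocked; check the group-policy vpn-filter ACL"
}

# 4. Trigger registration now rather than waiting for the periodic refresh,
#    then query the server directly (bypassing the local cache) for the A record.
Register-DnsClient
Start-Sleep -Seconds 5
$fqdn = "$($env:COMPUTERNAME).$Zone"
$rec  = Resolve-DnsName -Name $fqdn -Type A -Server $DnsServer -ErrorAction SilentlyContinue
if ($rec -and ($rec.IPAddress -contains $vpnIp)) {
    "OK: $fqdn -> $vpnIp is registered on $DnsServer"
} else {
    "FAIL: $fqdn does not resolve to $vpnIp on $DnsServer"
    # Event 8015 from the DNS client is logged when a registration attempt is
    # refused; the message names the server and the reason (e.g. a zone set to
    # 'Secure only' rejecting an unauthenticated update).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'
                                    ProviderName = 'Microsoft-Windows-DNS-Client'
                                    Id = 8015 } -MaxEvents 3 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}
```

If the port check passes but the record still fails, the remaining candidates are on the server: the zone's dynamic update setting and the permissions on any stale record with the same name, which is what the "weird permission issue" in the reply usually turns out to be.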