Showing results for 
Search instead for 
Did you mean: 

Easy VPN DNS issue

I have an ASA running as an EasyVPN endpoint and it's having DNS issues.

I provide the 5505 with 2 dns servers using Group Policy from the main server (5550) and it works just fine.  But, if I shut down the primary DNS server, it doesn't start using the secondary.  I can see traffic in the logs trying to use the first one.  I left the system off for a while to see if it was a time issue, but it never used the secondary DNS server. 

Any help would be great.  Thanks!

Jennifer Halim
Cisco Employee

When you are connected to the vpn client, do you see 2 dns servers being applied to the vpn client host?

Also what version of ASA are you running?

Are you able to resolve with the second dns manually if you use the nslookup command and point it to the second dns server?

I do see the two DNS servers in the ASA when it connects to the VPN.

We're using 8.4 on our 5505 and 8.2 on our 5550.

What the client has manually entered into it doesn't seem to matter because the ASA is redirecting it to the primary DNS server.  I will see the traffic coming from my client directed at whatever server I have set in the client as the correct DNS server, but it will only get replies from the Primary DNS server of the VPN tunnel.

For example...

The Windows 7 client has a DNS server of

The ASA is getting a DNS server of and

When I look at the traffic of an nslookup, I see traffic coming from my Windows 7 machine to and but I only get a response on my Windows 7 client if responds.  The response is getting dropped. 

When doesn't respond, DNS traffic is not sent to as I would expect.

The secondary dns server, has it been correctly configured?

From your example, it seems that they are in different subnets,  are they supposed to be in different subnet for primary and secondary  dns server?

Or what you have posted is just an example and the real dns server has been correctly configured?

Both.  What I posted was just using example IP addresses, but our real setup does have the primary and secondary DNS on different subnets by design.

While on the Easy VPN I can reach both the primary and secondary DNS Server via RDP or ping.  If I make the secondary DNS the primary, it works just fine for DNS.

Sounds like a bug to me. You may want to open a TAC case to get that further troubleshot and possibly identifying if it's a bug.

Recognize Your Peers
Content for Community-Ad