Intermittent DNS issue over client vpn

sprocket10
Level 2

We are having intermittent DNS issues with clients connecting in remotely via Cisco VPN on their laptops to our ASA.

They can successfully create a tunnel, I can remote to their machines, they can ping and access 95% of the servers on the network using IP or DNS. So everything seems to be working. The issue is if they try to access or ping a system on the network using DNS that also has an external DNS record. The laptop is resolving the DNS name to the external IP rather than the internal IP. The problem is this is only happening to some people and if the affected users try the exact same thing from a different internet connection, then it works with no issue.

I thought I had tracked this issue to a certain ISP, but it isn't the case and seems to be affecting more and more users. This wasn't an issue a few months ago.

6 Replies

rizwanr74
Level 7

Hi there,


"The laptop is resolving the DNS name to the external IP rather than the internal IP. "

Do you have split-dns enabled on your group-policy?

If you have not, then naturally the remote-vpn client machine will forward the dns-lookup to the remote ISP, instead of forwarding to your internal dns server for the given internal or external domain-names.


group-policy my-grp-policy attributes
 split-dns value  abc.com xyz.com whatever.com mydomain.com yourdomain.com


thanks


In the group policy, under split tunneling, we have "Send All DNS Lookups Through Tunnel" already set to yes

Well, if you haven't specified the given domain names in the split-dns value, then the remote client will send those unspecified domain name lookups to the remote ISP; therefore if you want the xyz.com lookup to come into the tunnel, then you must include it in the split-dns value.

We already have this set.

As mentioned in the first post, this is an intermittent issue only affecting some users. It can work in some remote locations but not others. I do think it's only happening with certain ISPs and has only been happening recently.

Has been working great for years.

Do you have those public ip address permitted in the split-tunnel ACL as well?

sprocket10
Level 2

The issue turned out to be that the VPN network adaptor in Windows needed moving to a higher priority. Not sure why it was working for all these users and then stopped working with certain ISPs only.
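An added diagnostic for the symptom discussed in this thread (a split-horizon name answered with the public address while the tunnel is up); it is example code written for this page, not from Cisco or from any poster. It lists the connected adapters in metric order, queries the DNS servers bound to each adapter directly, and flags whether the answer falls in an internal range, so the adapter-priority cause found above shows up as the VPN adapter sitting below the ISP adapter while the VPN's DNS server still returns the internal address. The hostname, the RFC 1918 prefixes and the VPN adapter alias are assumptions to replace with your own.

```powershell
# Assumed values: replace with a real split-horizon host, your internal ranges
# and the alias Windows shows for the VPN adapter (see Get-NetAdapter).
$Name             = 'intranet.example.com'
$InternalPrefixes = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
$VpnAlias         = 'Cisco AnyConnect Secure Mobility Client Connection'

function ConvertTo-UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                       # network byte order -> host order
    return [BitConverter]::ToUInt32($b, 0)
}

function Test-InternalAddress ([string]$Ip, [string[]]$Prefixes) {
    $n = ConvertTo-UInt32 $Ip
    foreach ($p in $Prefixes) {
        $net, $bits = $p.Split('/')
        # Build the mask in uint64 so the shift never overflows a signed int
        $mask = [uint32](([uint64]4294967295 -shl (32 - [int]$bits)) -band 4294967295)
        if (($n -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)) { return $true }
    }
    return $false
}

# 1. Adapter order: the lowest InterfaceMetric is consulted first for DNS.
#    If the VPN adapter is not at the top, the ISP's resolver answers first.
Get-NetIPInterface -AddressFamily IPv4 | Where-Object ConnectionState -eq 'Connected' |
    Sort-Object InterfaceMetric | Format-Table InterfaceAlias, InterfaceMetric -AutoSize

# 2. Ask each adapter's own DNS servers and classify what they return.
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }) {
    foreach ($srv in $cfg.ServerAddresses) {
        try {
            $answers = Resolve-DnsName -Name $Name -Type A -Server $srv -DnsOnly -ErrorAction Stop |
                Where-Object { $_.IPAddress }
            foreach ($a in $answers) {
                $kind = if (Test-InternalAddress $a.IPAddress $InternalPrefixes) { 'INTERNAL' } else { 'EXTERNAL' }
                '{0,-50} {1,-16} -> {2,-16} {3}' -f $cfg.InterfaceAlias, $srv, $a.IPAddress, $kind
            }
        } catch {
            '{0,-50} {1,-16} -> query failed: {2}' -f $cfg.InterfaceAlias, $srv, $_.Exception.Message
        }
    }
}

# 3. Fix described in the thread: move the VPN adapter to the front of the
#    order by giving it a lower metric than the physical adapters (run as admin).
# Set-NetIPInterface -InterfaceAlias $VpnAlias -InterfaceMetric 5
```

If the VPN client installs split-DNS rules in the Name Resolution Policy Table, `Get-DnsClientNrptPolicy` shows which suffixes are pinned to the tunnel's resolver and lets you confirm the domains from the ASA split-dns value actually arrived on the laptop.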