IP address resolves to two hostnames on CISCO ASA

Sharath K
Level 1

We have configured local IP address pools on the Cisco ASA, but after disconnection AD is not deleting the entry.

Is this something where we have to inform the AD or DNS server to delete the old entry, or should the client (laptop) inform the AD/DNS server?

9 Replies

One idea I have to share:
show vpn-sessiondb anyconnect
Check the idle timeout <- this must not be infinite. I think that if this is infinite then, from the ASA's point of view, the client is still connected and it does not send a message to AD.

I don't see the idle timeout value in show vpn-sessiondb anyconnect, but I could see there was one session connected for almost seven days.

sh vpn-sessiondb anyconnect

Session Type: AnyConnect

Username : 5415.xxx-internal.net
Index : 4437
Assigned IP : 10.163.xx.xx Public IP : 115.171.x.x
Protocol : AnyConnect-Parent SSL-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1
Bytes Tx : 490994339 Bytes Rx : 299912798
Group Policy : xxAnyConnectPolicy
Login Time : 12:14:46 SGT Fri May 20 2022
Duration : 7d 8h:00m:44s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0aa33e8b01155000628715b6
Security Grp : none

Username : 4392.xxx-internal.net
Index : 4550
Assigned IP : 10.163.x.x Public IP : 116.36.x.x
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES128 DTLS-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 45769038 Bytes Rx : 31846300
Group Policy : xxxAnyConnectPolicy
Login Time : 07:45:09 SGT Fri May 27 2022
Duration : 12h:30m:21s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0aa33e8b011c600062901105
Security Grp : none

As per the blog below, the client/laptop should send an update to the AD/DNS servers to remove the entry.

https://community.cisco.com/t5/vpn/vpn-client-not-updating-records-in-local-dns-server/td-p/3805872

I could see the idle timeout is 30:

group-policy AnyConnectPolicy internal
group-policy AnyConnectPolicy attributes
wins-server none
dns-server value 10.x.x.x 10.x.x.x
dhcp-network-scope 10.x.xx.xxx
vpn-access-hours none
vpn-simultaneous-logins 5
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none

Username : 5415.xxx-internal.net

Duration : 7d 8h:00m:44s <- is this user active for all this time??

In AD there is an entry for <Username : 5415.xxx-internal.net>.

Try killing the AnyConnect session manually with

vpn-sessiondb logoff name <name>

and see if the ASA tells AD to delete the entry.

We deleted the session manually on the Cisco ASA VPN box, but there was no change on the AD server; I could see the entry is still available.

Can you please let me know whether the Cisco ASA is responsible for informing AD about the deletion, or whether the client/laptop needs to inform it?

Any update @MHM Cisco World 

@Sharath K, if you are using local IP pools on the ASA, this is not going to update AD DNS.

If you used the Windows DHCP server to assign IP addresses to VPN clients, this should update AD DNS.
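The two checks the thread circles around are (1) which pool addresses the ASA currently has handed out, and for how long, and (2) which AD DNS A records in the pool range are no longer backed by a live session, which is exactly how one IP ends up resolving to two hostnames. The script below is an added example, not code from this thread or from Cisco: it parses "show vpn-sessiondb anyconnect" output in the format shown above, flags sessions up longer than a threshold, and reconciles a zone export against the live assignments. The session text, the A-record list, the hostnames and the 10.163.1.0/24 pool range are all constructed for the example; in practice you would feed it the real command output and a real zone export.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed VPN address pool (constructed for the example).
POOL = ipaddress.ip_network("10.163.1.0/24")

# Constructed "show vpn-sessiondb anyconnect" output in the layout the
# thread shows; usernames and addresses are made up.
SESSION_DB = """\
Session Type: AnyConnect

Username     : 5415.example-internal.net
Index        : 4437
Assigned IP  : 10.163.1.20           Public IP    : 203.0.113.5
Protocol     : AnyConnect-Parent SSL-Tunnel
Login Time   : 12:14:46 SGT Fri May 20 2022
Duration     : 7d 8h:00m:44s
Inactivity   : 0h:00m:00s

Username     : 4392.example-internal.net
Index        : 4550
Assigned IP  : 10.163.1.21           Public IP    : 198.51.100.9
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Login Time   : 07:45:09 SGT Fri May 27 2022
Duration     : 12h:30m:21s
Inactivity   : 0h:00m:00s
"""

# Constructed A-record export from the AD DNS zone (hostname, IP).
# 10.163.1.20 has two records: the current holder and a laptop that
# disconnected without deregistering.
DNS_A_RECORDS = [
    ("5415.example-internal.net", "10.163.1.20"),
    ("7781.example-internal.net", "10.163.1.20"),   # stale: no live session
    ("4392.example-internal.net", "10.163.1.21"),
    ("4392.example-internal.net", "10.163.1.30"),   # stale: previous pool address
]

_DURATION_RE = re.compile(r"(?:(\d+)d\s+)?(\d+)h:(\d+)m:(\d+)s")


def parse_duration(text):
    """Convert an ASA duration such as '7d 8h:00m:44s' or '12h:30m:21s' to seconds."""
    m = _DURATION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    days, hours, mins, secs = (int(g or 0) for g in m.groups())
    return ((days * 24 + hours) * 60 + mins) * 60 + secs


def parse_sessions(text):
    """Return {username: {"ip": str, "duration_s": int}} from sessiondb output."""
    sessions, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Username":
            current = sessions.setdefault(value, {})
        elif current is None:
            continue
        elif key == "Assigned IP":
            # "Public IP : x.x.x.x" shares the line; keep only the first token.
            current["ip"] = value.split()[0]
        elif key == "Duration":
            current["duration_s"] = parse_duration(value)
    return sessions


def long_sessions(sessions, max_seconds):
    """Usernames whose tunnel has been up longer than max_seconds."""
    return sorted(u for u, s in sessions.items() if s.get("duration_s", 0) > max_seconds)


def audit_dns(sessions, records, pool=POOL):
    """Reconcile pool-range A records with the ASA's live assignments.

    Returns (duplicate_ips, stale_records):
      duplicate_ips  - {ip: [hostnames]} for pool IPs with more than one A record
      stale_records  - [(hostname, ip)] pool records not backed by a live session
    """
    live = {(u, s["ip"]) for u, s in sessions.items() if "ip" in s}
    by_ip = defaultdict(list)
    stale = []
    for name, ip in records:
        if ipaddress.ip_address(ip) not in pool:
            continue  # outside the VPN pool; not this audit's concern
        by_ip[ip].append(name)
        if (name, ip) not in live:
            stale.append((name, ip))
    duplicates = {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}
    return duplicates, stale


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_DB)
    print("sessions up longer than one day:", long_sessions(sessions, 24 * 3600))
    dups, stale = audit_dns(sessions, DNS_A_RECORDS)
    for ip, names in dups.items():
        print(f"{ip} resolves to {len(names)} hostnames: {', '.join(names)}")
    for name, ip in stale:
        print(f"candidate stale record: {name} -> {ip}")
```

A record is only reported as stale when the exact (hostname, IP) pair is absent from the live session table, so a host that is connected and correctly registered is never flagged; a record left behind by a disconnected laptop, or by the same laptop's earlier pool address, is. Run it on a schedule against a real zone export to see whether the GPO-driven client registration discussed in the thread is actually cleaning up.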

@Rob Ingram

Thank you for the response!

We are using a local IP pool in the ASA, so the workstation is responsible for updating the AD DNS. Please find below the community blog which supports this.

https://community.cisco.com/t5/vpn/vpn-client-not-updating-records-in-local-dns-server/td-p/3805872

@Sharath K so if it's possible, then it's the Windows computer's responsibility to update DNS, which it seems is not doing so. The post you reference states "deploy group policy (GPO) to enforce workstation register and update its A and PTR record on DNS server." - have you configured the Windows computer to update its records on the DNS server?