02-01-2019 07:52 AM - edited 02-21-2020 09:33 PM
Connected AnyConnect clients are sending the DNS queries to their physical interface address DNS servers, not the internal DNS via the tunnel.
The AnyConnect client shows the DNS servers as a secured route.
Clients can successfully ping to dns servers across the tunnel.
SPLITTUNNEL-ACL is a standard access list with the 172.16.0.0/12 private space.
NAT statement is the same 172.16.0.0/12 internal to the ASA IP Pool of the client.
Other than DNS, the AnyConnect is fully functional.
Group Policy:
group-policy <name> attributes
 dns-server value internaldns1 internaldns2
 vpn-idle-timeout 60
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUNNEL-ACL
 default-domain value <userdomain>
 split-dns value externaldomain <userdomain> <userdomain2> <userdomain3>
 webvpn
  anyconnect ssl dtls enable
  url-entry enable
I am kind of at a loss; it has to be something easy, but I'm not seeing it. I've tested multiple client types, so this isn't a host issue.
ASA Version: 9.10.x
AnyConnect: 4.7.00136
02-01-2019 09:33 AM
I figured out the cause. We are also rolling out Umbrella; basic configuration for dnscrypt and system tagging was done on the policy map preset_dns_map. I'm guessing it was intercepting the DNS requests and sending them to Umbrella... I pulled the preset_dns_map out of the inspect list, and what do you know, proper resolution on the client.
I'll have to read more about how internal vs. external lookups are supposed to work when Umbrella is attached.
02-01-2019 12:45 PM
Looking at the document below will help you.
Please advise if not.