25623 Views, 35 Helpful, 17 Replies

No Internet Access With Split-Tunneling Enabled

Gaurav Kawale
Level 1

Hello Everyone,

We're facing an issue related to split-tunneling. Our VPN profile has split tunnel enabled with only the allowed networks sent through the tunnel, and internet traffic goes out locally. This is working fine for almost 90% of users, but some users are unable to access the internet when they connect to the VPN. Intranet is working fine. Below are some observations from affected users' machines:

1. When trying to ping any public FQDN (e.g. google.com) it doesn't get resolved, but when I try to ping the IP address it works.

2. Most users access the VPN from a home internet connection over WiFi, typically a 192.168.1.0/24 network.

3. This issue is only faced by some users; other users who also connect to the VPN via home WiFi can successfully access both internet & intranet.

4. Route print from the user's machine shows the default gateway towards the WiFi router (192.168.1.1 or a private IP). DNS is also the same.

5. Took a packet capture from the user's machine on both the AnyConnect adapter & the WiFi adapter. After analyzing the captures, it has been seen that public DNS queries do not appear in the capture that was run on the WiFi adapter.

Any guess what could be the problem?

Any help will be appreciated. 

Thank You.

Regards,

Gaurav

2 Accepted Solutions

Gaurav,

Have you tried disabling the IPv6 option under the physical adapter?


Sebastian Velez
Level 1

Hi Gaurav,

Have you tried the following command under the group-policy:

client-bypass-protocol enable

This should fix the problem without disabling the IPv6 feature on the adapter.


17 Replies

AllertGen
Level 3

Hello.

First. From your information there is really a very high chance that this is a DNS issue.

Second. Could you check with the "nslookup" command at the Windows command line which DNS server it tries to use for resolving the IP address? What does a traceroute to the DNS server (the one shown by "nslookup") show?

Third. Do you have a rule at your VPN connection to use your office DNS server?

Best Regards.

Thanks for the response AllertGen.

Yes, this seems to be a DNS issue, but what is causing it? And why are only some users affected and others not... Any idea?

nslookup shows the internal DNS server for resolving both intranet & internet sites, which looks strange. For traceroute, I will check once I get access to an affected user's machine.

Yes, we have a rule defined under the VPN profile to use office DNS & WINS for intranet queries.

To clarify, the users that have problems can get to the Internet OK when NOT using the VPN.

Do the users having problems have the same type of device/OS?

If they are Windows clients, can you do an "ipconfig /all" before the VPN is activated and after the VPN is activated.

thanks 

It would be good to use the "route print" command too, before and after the VPN connection.

Best Regards.

I have attached the required output to this thread. 

Let me know what your observation on this is.

Thank You..

Hi.

Sorry for the long response.

I see a strange case in your configuration:

   DNS Servers . . . . . . . . . . . : 10.55.52.20
                                       172.16.1.20

and there is no route to this network:

       10.55.48.0    255.255.248.0       10.55.51.1     10.55.51.116      2
       10.55.51.0  255.255.255.128         On-link      10.55.51.116    257
     10.55.51.116  255.255.255.255         On-link      10.55.51.116    257
     10.55.51.127  255.255.255.255         On-link      10.55.51.116    257
.........................
       172.16.0.0      255.240.0.0       10.55.51.1     10.55.51.116      2

And at the same time you can get access to the DNS server with ICMP requests:

>ping 10.55.52.20

Pinging 10.55.52.20 with 32 bytes of data:
Reply from 10.55.52.20: bytes=32 time=34ms TTL=127

There are 3 DNS servers that your OS can try for resolving a DNS name:

10.55.52.20
172.16.1.86
192.168.1.1

It is also possible to have a problem with access to the first 2 DNS servers. Better to check the VPN firewall for it.

Also, can you provide the output of the command "nslookup [FQDN]" at the time of the problem?

Best Regards.

AllertGen, correct me if I'm wrong, but 10.55.52.20 (DNS server) comes under subnet 10.55.48.0/21, i.e. 255.255.248.0. The last host in this subnet is 10.55.55.254.

For IP 172.16.1.86, this is an internal web host & not a DNS server. 192.168.1.1 is the default gateway & could be used as an NBNS for wireless users at home.
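The route check AllertGen did by eye above, and the correction that 10.55.52.20 does fall inside 10.55.48.0/21, can be automated: take the IPv4 rows from "route print", the DNS servers from "ipconfig /all", and do the same longest-prefix match the OS does to see which adapter would carry each DNS query. The following Python script is an added example and is not part of this thread; the 10.55.x and 172.16.x rows follow the values posted above, while the 192.168.1.50 Wi-Fi address, the default route and the adapter names are constructed for the example.

```python
"""Which adapter would Windows use to reach each configured DNS server?

Parses 'route print' style IPv4 rows and a list of DNS servers, then applies
longest-prefix match with metric as tie-breaker (the selection Windows makes).
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str      # next-hop IP or "On-link"
    interface: str    # IP of the interface the route uses
    metric: int


# Destination, netmask, gateway (IP or On-link), interface IP, metric.
ROUTE_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(On-link|\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

# Constructed sample: tunnel rows follow the thread, Wi-Fi rows are assumed.
ROUTE_PRINT = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
       10.55.48.0    255.255.248.0       10.55.51.1     10.55.51.116      2
       10.55.51.0  255.255.255.128         On-link      10.55.51.116    257
     10.55.51.116  255.255.255.255         On-link      10.55.51.116    257
       172.16.0.0      255.240.0.0       10.55.51.1     10.55.51.116      2
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
"""

# Adapter name -> interface IP (assumed names; the 192.168.1.50 address is constructed).
ADAPTERS: Dict[str, str] = {"AnyConnect": "10.55.51.116", "Wi-Fi": "192.168.1.50"}

# DNS servers as listed by 'ipconfig /all' on the two adapters in the thread.
DNS_SERVERS = ["10.55.52.20", "172.16.1.20", "192.168.1.1"]


def parse_route_print(text: str) -> List[Route]:
    """Return the IPv4 routes found in route print output; other lines are ignored."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROUTE_ROW.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gateway, iface, int(metric)))
    return routes


def best_route(routes: List[Route], ip: str) -> Optional[Route]:
    """Most specific prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.IPv4Address(ip)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def classify_dns_paths(routes: List[Route], dns_servers: List[str],
                       adapters: Dict[str, str]) -> Dict[str, str]:
    """Map each DNS server to the adapter, gateway and route that would carry it."""
    iface_to_adapter = {ip: name for name, ip in adapters.items()}
    paths: Dict[str, str] = {}
    for server in dns_servers:
        r = best_route(routes, server)
        if r is None:
            paths[server] = "UNREACHABLE (no matching route)"
        else:
            adapter = iface_to_adapter.get(r.interface, r.interface)
            paths[server] = f"{adapter} via {r.gateway} ({r.network})"
    return paths


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    for server, path in classify_dns_paths(table, DNS_SERVERS, ADAPTERS).items():
        print(f"{server:>15}  ->  {path}")
```

Run against the captured "route print" and "ipconfig /all" of an affected machine, this shows at a glance that the tunnel-assigned servers are reached through the AnyConnect adapter while 192.168.1.1 stays on the local Wi-Fi route, which is exactly the split AllertGen was trying to verify by hand.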

Hi.

Yes, you're right. My bad. I didn't look at the netmask.

So we need to check the output of the nslookup [fqdn] command (for example, fqdn can be www.google.com) at the time of the problem.

About the 172.16.1.20. This server is listed among the DNS servers on the AnyConnect interface:

   DNS Servers . . . . . . . . . . . : 10.55.52.20
                                       172.16.1.20

So your client could use this IP for resolving DNS names. If it's not a DNS server on your internal network, you need to change the settings of the VPN connection on your network device.

And about 192.168.1.1. VPN adapter DNS settings are usually preferred on Windows. But if the DNS servers of the VPN fail, Windows should try to use the DNS of the Wi-Fi adapter. And, as I think, that doesn't happen.

Best Regards.

You are describing the exact same problem I have!

Did you make any progress on the troubleshooting you may want to share?

I'm pretty sure that this is an OS problem (Win7) because all users use the same config but only a few have the problems described. In our case it even happens that the problem does not occur on the cable NIC but does on the WLAN interface.

Thanks Walter for your attention. Yes, it could be an OS problem, but I couldn't understand why it affects only a few users. We haven't observed the same issue on a cable NIC yet. The problem is that we could not reproduce this issue in a lab environment where we could conclude what the problem is.

What are the troubleshooting steps done by you on this issue?

As you already wrote in your intro, we also found that the resolver is not working properly:
ping google.de NOT OK, but ping 8.8.8.8 is OK.
Changing the DNS server for the WLAN NIC to 8.8.8.8 could 'solve' the problem.
No other troubleshooting steps were done - currently we are working with Cisco to solve the problem.

Thanks Sebastian, fanatic1217 & Walter for your responses.

wobergehrer, yes, it works when we put a manual DNS entry with a public DNS. When I ran a packet capture I saw all name queries being resolved using NBNS (NetBIOS Name Service) towards the access point's IP, and no DNS packets were seen in that capture. I'd appreciate it if you let us know if you get any solution from TAC. I think this issue is faced by many users & probably the issue is because of the NBNS queries. You can google it.

sevelez, yes, I will check by disabling IPv6 under the wireless adapter. The issue below seems to be similar: http://superuser.com/questions/629559/why-is-my-computer-suddenly-using-nbns-instead-of-dns

Thanks Again..!!

sevelez, I've tried disabling IPv6 and this seems to be working. What could the problem be & why is it working after disabling IPv6? Is this issue similar to this one? https://supportforums.cisco.com/discussion/11310176/anyconnect-disables-native-ipv6-when-connected

I'd appreciate it if you could elaborate. Thanks...!!!

We had this issue as well. We had been using split tunneling for a long time, and after our IOS upgrade the internet would work for some users and not others. I tried troubleshooting for about 2-3 weeks on/off but was unable to determine the solution even with the help of Cisco TAC. I decided that we shouldn't be using split-tunnel anyway and disabled the feature. We are better off security-wise without it, but I definitely believe that it was an IOS-related bug.
