12-28-2015 04:50 AM
Hello Everyone,
We're facing one issue related with split-tunneling. Our VPN profile has split tunnel enabled, with only the allowed networks being sent through the tunnel and internet traffic going out locally. Now this is working fine for almost 90% of users, but some users are unable to access the internet when they connect to VPN. Intranet is working fine. Below are some observations from an affected user's machine:
1. When I try to ping any public FQDN (e.g. google.com) it doesn't get resolved, but when I try to ping with the IP address it works.
2. Most users are accessing VPN from a home internet connection, on WiFi networks that are typically 192.168.1.0/24.
3. This issue is only faced by some users; other users who also connect to VPN via home WiFi can successfully access both internet & intranet.
4. Route print from the user's machine shows the default gateway towards the WiFi router (192.168.1.1 or another private IP). DNS is also the same.
5. Took a packet capture from the user's machine on both the AnyConnect adapter & the WiFi adapter. After analyzing the captures it has been seen that public DNS queries are not seen in the capture which was run on the WiFi adapter.
Any guess what could be the problem?
Any help will be appreciated.
Thank You.
Regards,
Gaurav
01-26-2016 11:09 AM
Gaurav,
Have you tried disabling the IPv6 option under the physical adapter?
01-29-2016 08:58 AM
Hi Gaurav,
Have you tried the following command under the group-policy:
client-bypass-protocol enable
This should fix the problem without disabling the IPv6 feature on the adapter.
12-28-2015 06:59 AM
Hello.
First. From your information there is really a very high chance that this is a DNS issue.
Second. Could you check with the "nslookup" command at the Windows command line what DNS server it tries to use for resolving the IP address? What does traceroute to the DNS server (the one shown by "nslookup") show?
Third. Do you have a rule at your VPN connection to use your office DNS server?
Best Regards.
12-28-2015 09:57 PM
Thanks for the response AllertGen.
Yes, this seems to be a DNS issue, but what is causing this? And why are only some users affected and others not... Any idea?
nslookup shows the internal DNS server for resolving both intranet & internet sites, which looks strange. For traceroute, will check once I get access to an affected user's machine.
Yes we have rule defined under VPN profile to use office DNS & WINS for intranet queries.
12-28-2015 10:27 PM
To clarify: the users that have problems can get to the Internet OK when NOT using the VPN?
Are the users having problems on the same type of device/OS?
If Windows clients, can you do an "ipconfig /all" before VPN is activated and after VPN is activated?
thanks
12-28-2015 10:34 PM
It would be good to use the "route print" command too, before and after the VPN connection.
Best Regards.
01-03-2016 10:17 PM
01-29-2016 07:01 AM
Hi.
Sorry for a long response.
I see a strange case at your configuration:
DNS Servers . . . . . . . . . . . : 10.55.52.20 172.16.1.20
and there is no route to this network:
10.55.48.0     255.255.248.0    10.55.51.1   10.55.51.116   2
10.55.51.0     255.255.255.128  On-link      10.55.51.116   257
10.55.51.116   255.255.255.255  On-link      10.55.51.116   257
10.55.51.127   255.255.255.255  On-link      10.55.51.116   257
...
172.16.0.0     255.240.0.0      10.55.51.1   10.55.51.116   2
And in the same time you can get access to DNS by ICMP requests:
>ping 10.55.52.20
Pinging 10.55.52.20 with 32 bytes of data:
Reply from 10.55.52.20: bytes=32 time=34ms TTL=127
There are 3 DNS servers that your OS can try for resolving a DNS name:
10.55.52.20
172.16.1.86
192.168.1.1
It is also possible to have a problem with access to the first 2 DNS servers. Better to check the VPN firewall for it.
Also can you provide an output of command "nslookup [FQDN]" at the time of the problem?
Best Regards.
01-31-2016 10:20 PM
AllertGen, correct me if I'm wrong, but 10.55.52.20 (DNS server) comes under subnet 10.55.48.0/21, i.e. 255.255.248.0. The last host in this subnet is 10.55.55.254.
For IP 172.16.1.86, this is an internal web host & not a DNS server. 192.168.1.1 is the default gateway & could be used as an NBNS server for wireless users at home.
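The subnet check above, done the way the Windows stack does it (longest prefix match, then lowest metric), as an added example that is not from the thread: it takes the route rows quoted earlier plus a constructed default route and Wi-Fi client address (192.168.1.50 is assumed) and reports whether each configured resolver is reached through the AnyConnect interface or locally.

```python
import ipaddress

# Route rows in "route print" shape: (network, netmask, gateway, interface, metric).
# The 10.55.x and 172.16.x rows are the ones quoted in the thread; the default
# route and the 192.168.1.x rows are constructed for this example.
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.1.1", "192.168.1.50", 25),
    ("10.55.48.0", "255.255.248.0", "10.55.51.1", "10.55.51.116", 2),
    ("10.55.51.0", "255.255.255.128", "On-link", "10.55.51.116", 257),
    ("172.16.0.0", "255.240.0.0", "10.55.51.1", "10.55.51.116", 2),
    ("192.168.1.0", "255.255.255.0", "On-link", "192.168.1.50", 281),
]

TUNNEL_IFACE = "10.55.51.116"  # AnyConnect adapter address from the thread


def best_route(dest, routes=ROUTES):
    """Longest-prefix match; ties broken by the lowest metric."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, mask, gw, iface, metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if addr in network:
            key = (network.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, (str(network), gw, iface, metric))
    return best[1] if best else None


def dns_reachability(dns_servers, tunnel_iface=TUNNEL_IFACE, routes=ROUTES):
    """For each resolver, say whether it is reached via the tunnel or locally."""
    report = {}
    for server in dns_servers:
        route = best_route(server, routes)
        if route is None:
            report[server] = "no route"
        elif route[2] == tunnel_iface:
            report[server] = f"via tunnel ({route[0]})"
        else:
            report[server] = f"via local interface ({route[0]})"
    return report


if __name__ == "__main__":
    # The three resolvers named in the thread.
    for server, how in dns_reachability(["10.55.52.20", "172.16.1.20", "192.168.1.1"]).items():
        print(f"{server:15} {how}")
```

A resolver that lands on the local interface while the client expects it inside the tunnel is the first thing to rule out when a split-tunnel user cannot resolve names.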
01-31-2016 10:46 PM
Hi.
Yes, you're right. My bad. I didn't look at the netmask.
So we need to check the output of the nslookup [fqdn] command (for example the fqdn can be www.google.com) at the time of the problem.
About 172.16.1.20. This server is among the DNS servers on the AnyConnect interface:
DNS Servers . . . . . . . . . . . : 10.55.52.20 172.16.1.20
So your client could use this IP for resolving DNS names. If it's not a DNS server on your internal network you need to change the settings of the VPN connection on your network device.
And about 192.168.1.1. The VPN adapter's DNS settings are usually preferred on Windows. But if the VPN's DNS servers fail, Windows should try to use the DNS of the Wi-Fi adapter. And as I think, it doesn't happen.
Best Regards.
01-22-2016 03:09 PM
You are describing the exact same problem I have!
Did you make any progress on the troubleshooting you may want to share?
I'm pretty sure that this is an OS problem (Win7) because all users use the same config but only a few have the problems described. In our case it even happens that the problem does not occur on the cable NIC but on the WLAN interface.
01-22-2016 11:51 PM
Thanks Walter for your attention. Yes, it could be an OS problem, but I couldn't understand why it is causing this for only a few users. We haven't observed the same issue on a cable NIC yet. The problem is we could not reproduce this issue in a lab environment where we could conclude what the problem might be.
What are the troubleshooting steps done by you on this issue?
01-26-2016 08:29 AM
As you already wrote in your intro, we also found that the resolver is not working properly:
ping google.de NOT OK, but ping 8.8.8.8 is OK.
Changing the DNS server for the WLAN NIC to 8.8.8.8 could 'solve' the problem.
No other troubleshooting steps were done - currently we work with Cisco to solve the problem.
01-26-2016 11:55 PM
Thanks Sebastian, fanatic1217 & Walter for your responses.
wobergehrer Yes, it works when we put a manual DNS entry for a public DNS. When I ran a packet capture I see all name queries being resolved using NBNS (NetBIOS Name Service) towards the access point's IP and there are no DNS packets seen in that capture. Appreciate it if you let us know if you get any solution from TAC. I think this issue is faced by so many users & probably the issue seems to be because of NBNS queries. You can google it.
sevelez Yes, will check by disabling IPv6 under the wireless adapter. This issue below seems to be similar: http://superuser.com/questions/629559/why-is-my-computer-suddenly-using-nbns-instead-of-dns.
Thanks Again..!!
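The symptom described in the post above, "only NBNS on the Wi-Fi adapter, no DNS", turned into a check that can be run over a packet summary; this is an added example, not from the thread or from Cisco. The capture lines are constructed in a one-line tshark-like form, and the adapter names are assumed.

```python
import re
from collections import Counter

# Constructed packet summaries: "<adapter> <src>:<sport> -> <dst>:<dport> <proto> <info>".
# Sample data written for this example, not a capture from the thread.
SAMPLE_CAPTURE = """\
wifi 192.168.1.50:137 -> 192.168.1.1:137 UDP NBNS Name query NB GOOGLE.COM<00>
wifi 192.168.1.50:137 -> 192.168.1.1:137 UDP NBNS Name query NB WWW.GOOGLE.COM<00>
wifi 192.168.1.50:52001 -> 93.184.216.34:443 TCP SYN
anyconnect 10.55.51.116:61234 -> 10.55.52.20:53 UDP DNS Standard query A intranet.example.corp
anyconnect 10.55.51.116:61235 -> 10.55.52.20:53 UDP DNS Standard query A google.com
"""

LINE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+) (.*)$")


def classify(line):
    """Return (adapter, kind) with kind in {'DNS', 'NBNS', 'other'}, or None."""
    m = LINE.match(line)
    if not m:
        return None
    adapter, _src, _sport, _dst, dport, proto, _info = m.groups()
    if proto == "UDP" and dport == "53":
        return adapter, "DNS"      # real DNS query
    if proto == "UDP" and dport == "137":
        return adapter, "NBNS"     # NetBIOS name query, a resolver fallback
    return adapter, "other"


def name_query_counts(capture_text):
    """Per-adapter counts of DNS vs NBNS name queries."""
    counts = {}
    for line in capture_text.splitlines():
        result = classify(line)
        if result:
            adapter, kind = result
            counts.setdefault(adapter, Counter())[kind] += 1
    return counts


def nbns_fallback_adapters(counts):
    """Adapters on which names are asked only via NBNS and never via DNS."""
    return sorted(a for a, c in counts.items() if c["NBNS"] and not c["DNS"])


if __name__ == "__main__":
    counts = name_query_counts(SAMPLE_CAPTURE)
    for adapter, c in counts.items():
        print(f"{adapter:12} DNS={c['DNS']} NBNS={c['NBNS']}")
    print("NBNS-only adapters:", nbns_fallback_adapters(counts))
```

An adapter in the NBNS-only list matches the affected machines in the thread: the resolver never issues a DNS query on the local path, so public names go unresolved while pinging by IP still works.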
02-12-2016 04:00 AM
sevelez I've tried disabling IPv6 and this seems to be working. What could be the problem & why is it working after disabling IPv6? Is this issue similar to this one? https://supportforums.cisco.com/discussion/11310176/anyconnect-disables-native-ipv6-when-connected
Appreciate if you elaborate. Thanks...!!!
01-26-2016 10:29 AM
We had this issue as well. We had been using split tunneling for a long time and after our IOS upgrade, the internet would work for some users and not others. I tried troubleshooting for about 2-3 weeks on/off but was unable to determine the solution even with the help of Cisco TAC. I decided that we shouldn't be using split-tunnel anyway and disabled the feature. We are better off security-wise without it, but I definitely believe that it was an IOS-related bug.