
Problem connecting to network drives over VPN

Brad Overstreet
Level 1

We have an ASA 5510 and have recently made the move from the Cisco VPN client to the AnyConnect client (version 3.0.3054). I can make the VPN connection, I can ping any host on the LAN (by IP address, NetBIOS name, and FQDN). I can also make a remote desktop connection to all my servers. However, when I try to access a mapped network drive or connect to a share using UNC, I get an error saying that the network path was not found.

My remote computer is an older laptop running Windows XP SP3 with all the latest patches applied.  Any help with this would be greatly appreciated.

Brad

6 Replies

lgijssel
Level 9

Please check the info in the link below. It may be related to your problem and solutions are provided also.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

Alternative:

http://www.cisco.com/en/US/partner/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

(CCO login required.)

regards,

Leo

Interesting article, but I don't think it applies to my problem. I did some more testing from home last night and it appears to be a NetBIOS name resolution problem. I can't resolve the name over the VPN tunnel. I can see where it tries, but for some reason the request is not getting to the WINS server, and I can see in the packet trace where it falls back to broadcasting. I also used nbtstat -a and got the same result (no host found). If I add the entry to my local LMHOSTS file then I can use the name to connect to the share. I also confirmed that if I use the IP address of the host (\\\) I can connect.

I checked the AnyConnect settings in the firewall and the IP block has the DNS and WINS server addresses.  I also looked at the adapter on my home machine and it has the correct WINS server addresses.

Any thoughts?

Brad
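The lookup that the packet trace shows never reaching the WINS server can be reproduced on its own, without SMB in the way, by sending one unicast NetBIOS name query (RFC 1002 format) straight to the WINS server across the tunnel and seeing whether anything comes back. This is an added example, not code from the thread or from Cisco; the server name FILESRV used when exercising it is constructed, and build_name_response only fabricates a reply so the parser can be checked offline.

```python
import socket
import struct

NBNS_PORT = 137
QTYPE_NB, QCLASS_IN = 0x0020, 0x0001
FLAGS_UNICAST_QUERY = 0x0100      # opcode QUERY + RD: what a WINS client sends to its server
FLAGS_BROADCAST_QUERY = 0x0110    # the same with the B bit: the fallback seen in the packet trace
FLAGS_POSITIVE_RESPONSE = 0x8580  # R, AA, RD, RA set, RCODE 0

def encode_netbios_name(name, suffix=0x20):
    """RFC 1002 first-level encoding: 15-char padded name + suffix byte, each nibble -> 'A'..'P'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    enc = bytes(nib + ord("A") for b in raw for nib in (b >> 4, b & 0xF))
    return bytes([32]) + enc + b"\x00"  # one 32-byte label followed by an empty scope

def decode_netbios_name(label):  # inverse of the above, without the suffix byte
    enc = label[1:33]
    raw = bytes(((enc[i] - 65) << 4) | (enc[i + 1] - 65) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip()

def build_name_query(name, txid=0x1234, broadcast=False):
    flags = FLAGS_BROADCAST_QUERY if broadcast else FLAGS_UNICAST_QUERY
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    return header + encode_netbios_name(name) + struct.pack("!HH", QTYPE_NB, QCLASS_IN)

def build_name_response(name, addrs, txid=0x1234):
    """Constructed positive NAME QUERY RESPONSE, used here only to exercise the parser offline."""
    rdata = b"".join(struct.pack("!H", 0) + socket.inet_aton(a) for a in addrs)  # NB_FLAGS + IP
    header = struct.pack("!HHHHHH", txid, FLAGS_POSITIVE_RESPONSE, 0, 1, 0, 0)   # ANCOUNT=1
    rr = encode_netbios_name(name) + struct.pack("!HHIH", QTYPE_NB, QCLASS_IN, 300, len(rdata))
    return header + rr + rdata

def parse_name_response(data):
    """Return (name, [ipv4...]); the list is empty for a query echo, NAM_ERR or truncated data."""
    if len(data) < 46:
        return "", []
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    name = decode_netbios_name(data[12:46])
    if not flags & 0x8000 or flags & 0x000F or ancount == 0 or len(data) < 56:
        return name, []  # not a response, RCODE != 0, or no answer RR
    rdlen = struct.unpack("!HHIH", data[46:56])[3]  # type, class, TTL, RDLENGTH
    return name, [socket.inet_ntoa(data[58 + i:62 + i]) for i in range(0, rdlen, 6)]

def query_wins(name, server, timeout=2.0):  # one unicast query straight to the WINS server
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_name_query(name), (server, NBNS_PORT))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None  # the thread's symptom: the request never gets an answer over the tunnel
    return parse_name_response(data)
```

Running query_wins("FILESRV", "192.168.200.17") from the VPN client while capturing on the WINS server shows directly whether the unicast UDP/137 request leaves the tunnel; a None result with no packet seen server-side points at the tunnel or the firewall rather than at the WINS server itself.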

Are you using the FQDN of the server name or the short WINS version?

If you're using the WINS name instead of the FQDN, then it might be trying to ask your local DNS servers how to get to those destinations. With the FQDN, the VPN client should be able to recognize those as belonging to its domain and send to the VPN'd DNS server instead of letting it go to the default DNS servers for your interface.

I have tried both and neither works.  I have to use the IP address of the destination before it will show me any shares on the server.

I think first I would test DNS resolution and confirm if that's the problem. That will lower the scope of your investigations quickly. Just try to ping one of the servers by name and see if it resolves.

It sounds like you're missing your DNS entries on your VPN tunnel setup. This should be passed on from the group policy assigned to your remote access (at least in an ASA that's how it works.) That way, your computer can do DNS resolution to your VPN'd DNS servers. Here's a typical setup from one of my ASAs...

group-policy remote_policy attributes
 wins-server value 10.1.1.5
 dns-server value 10.0.0.18 10.1.1.5
 vpn-simultaneous-logins 100
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SplitTun
 default-domain value mycompany.local
tunnel-group VPN-Remote type remote-access
tunnel-group VPN-Remote general-attributes
 address-pool vpn_pool
 default-group-policy remote_policy

Now that's from an ASA, and it's for the standard Cisco VPN. I don't think it's different for AnyConnect? From the release notes, it sounds like it's important to specify your domain name with the group policy so that AnyConnect does the DNS correctly...

From the AnyConnect release notes:

===========================================================

In-the-Clear DNS Queries Allowed with Split Tunneling Enabled

If the group policy on the security appliance enables split tunneling and if it specifies the DNS names to be tunneled, AnyConnect tunnels any DNS queries that match those names to the private DNS server. If the private DNS server cannot resolve the host name, AnyConnect lets the DNS resolver on the client OS submit the host name in the clear for DNS resolution.

On the other hand, if a DNS query does not match one of the DNS names specified in the group policy, AnyConnect lets the DNS resolver on the client OS submit the host name in the clear for DNS resolution.

AnyConnect tunnels all DNS queries if the group policy does not specify any domains to be tunneled.

This feature requires that you:
 - Configure at least one DNS server
 - Enable split-tunneling
 - Specify at least one domain to be tunneled

At first I would have thought the same. However, I have the proper DNS and WINS servers defined in the ASA and I have verified them on the remote machine via ipconfig /all. I also found a technical article on Cisco that gave several troubleshooting steps. The main one was to ping by IP, NetBIOS name and FQDN. I have also confirmed that I can ping an internal IP address, an internal NetBIOS name and the FQDN. I even made sure that I picked 3 different servers so that all the addresses would be different. Below is the section of my config that shows the DNS and WINS server addresses.

group-policy DfltGrpPolicy attributes
 wins-server value 192.168.200.17 192.168.200.19
 dns-server value 192.168.200.17 192.168.200.19
 default-domain value automationtool.com

I have used nbtstat -a and it will not resolve.

Another strange thing is that I can go into Network Neighborhood and see all the servers and workstations on the network, but if I try to double-click on one of them I can't see any of the shares on the machine.