Interesting article but I don't think it applies to my problem.  I did some more testing from home last night and it appears to be a NETBIOS name resolution problem.  I can't resolve the name over the VPN tunnel.  I can see where it tries but for some reason the request is not getting to the WINS server and I can see in the packet trace where it falls back to broadcasting.  I also used nbtstat -a and got the same result (no host found).  If I add the entry to my local LMHOSTS file then I can use the name to connect to the share.  I also confirmed that if I use the IP address of the host (\\\) that I can connect.

I checked the AnyConnect settings in the firewall and the IP block has the DNS and WINS server addresses.  I also looked at the adapter on my home machine and it has the correct WINS server addresses.

Any thoughts?

Brad

Are you using the FQDN of the server name or the short WINS version?

If you're using the WINS name instead of the FQDN, then it might be trying to ask your local DNS servers how to get to those destinations. With the FQDN, the VPN client should be able to recognize those as belonging to its domain and send to the VPN'd DNS server instead of letting it go to the default DNS servers for your interface.

I have tried both and neither works.  I have to use the IP address of the destination before it will show me any shares on the server.

I think first I would test DNS resolution and confirm if that's the problem. That will lower the scope of your investigations quickly. Just try to ping one of the servers by name and see if it resolves.

It sounds like you're missing your DNS entries on your VPN tunnel setup. This should be passed on from the group policy assigned to your remote access (at least in an ASA that's how it works.) That way, your computer can do DNS resolution to your VPN'd DNS servers. Here's a typical setup from one of my ASAs...

group-policy remote_policy attributes
 wins-server value 10.1.1.5
 dns-server value 10.0.0.18 10.1.1.5
 vpn-simultaneous-logins 100
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SplitTun
 default-domain value mycompany.local
tunnel-group VPN-Remote type remote-access
tunnel-group VPN-Remote general-attributes
 address-pool vpn_pool
 default-group-policy remote_policy

Now that's from an ASA, and it's for the standard Cisco VPN. I don't think it's different for AnyConnect? From the release notes, it sounds like it's important to specify your domain name with the group policy so that AnyConnect does the DNS correctly...

From the AnyConnect release notes:

===========================================================

In-the-Clear DNS Queries Allowed with Split Tunneling Enabled

If the group policy on the security appliance enables split tunneling  and if it specifies the DNS names to be tunneled, AnyConnect tunnels any  DNS queries that match those names to the private DNS server. If the  private DNS server cannot resolve the host name, AnyConnect lets the DNS  resolver on the client OS submit the host name in the clear for DNS  resolution.

On the other hand, if a DNS query does not match one of the DNS names  specified in the group policy, AnyConnect lets the DNS resolver on the  client OS submit the host name in the clear for DNS resolution.

AnyConnect tunnels all DNS queries if the group policy does not specify any domains to be tunneled.

This feature requires that you:

•Configure at least one DNS server

•Enable split-tunneling

•Specify at least one domain to be tunneled

At first I would have thought the same.  However I have the proper DNS and WINS servers defined in the ASA and I have verified them on the remote machine via ipconfig /all.  I also found a technical article on cisco that gave several troubleshooting steps.  The main one was to ping by IP, NetBios name and FQDN.  I have also confirmed that I can ping an internal IP address, an internal NetBios name and the FQDN.  I even made sure that I picked 3 different servers so that all the addresses would be different.  Below is the section of my config that shows the DNS and WINS server addresses.

group-policy DfltGrpPolicy attributes

wins-server value 192.168.200.17 192.168.200.19

dns-server value 192.168.200.17 192.168.200.19

default-domain value automationtool.com

I have used nbtstat -a and it will not resolve.

Another strange thing is that I can go into network neighborhood and see all the servers and workstations on the network but if I try to double click on one of them I can see any of the shares on the machine.