Problems Accessing Sites Outside Tunnel On VPN

s1nsp4wn
Level 1

Ok here's a strange one I'd like assistance on if you've seen this...


We use the dynamic exclusion split tunnel custom attribute so that users, once connected to AnyConnect SSL VPN, can get to a handful of websites such as Zoom and YouTube over their own internet connection rather than over our tunnel. We've run into an issue where a Mac Catalina user can't access anything outside the tunnel, i.e. pages in the exclusion list won't load when he's on this VPN and receiving the split tunnel custom attribute.

We use a wireless router and have yet to test whether this still happens when directly wired, but things we've tried:

-Enabling client protocol bypass on his group policy
-Checking whether he can DNS resolve these sites, ping them, traceroute them, and load them via IP address (he can resolve and trace to these sites; loading them in a browser doesn't work, and pinging them returns a strange error, 'Communication Prohibited by Filter')
-We've sent numerous DARTs to TAC, and the only issue we agree on seeing is that the VPN adapter seems to be attempting to install local routes outside the tunnel that were already installed upon connection
-We noticed the subnet the user gets put on is 192.168.4.x, which isn't unheard of but seems specific to Eero. I'd expect 192.168.1.x to be typical, but either way the router/ISP would NAT this

Has anyone else come across issues accessing sites outside the VPN tunnel? This happens on all versions of AnyConnect we've tried: 4.6, 4.7, and 4.9.

I've seen another similar post here, but the solution was to use client bypass protocol, which didn't work for me. We have hundreds of other Mac users not having this problem on AC versions all the way up to 4.9, so I'm out of ideas.

6 Replies

anyconnect tunnel all dns

This would have to be enabled at the group policy level, no? It's going to be a hard sell to enable a setting for everyone to help one person. Also, wouldn't that defeat the purpose of split tunnel by having a corporate DNS server respond to what should be an external query? I could be wrong.

Mac OS X is different from Windows:
Windows supports per-interface DNS.
Mac OS X uses global DNS.

So if you want to use
the ASA DNS for the local domain and
another DNS for other traffic ("internet"),

we can use split-DNS. This makes the ASA DNS reply only to requests for its own domain; other requests are refused, which makes Mac OS X send those requests directly to its local DNS.

I suggest tunnel-all-dns because I suppose you use the ASA DNS as the resolver for all DNS requests.

This works only if you use IPv4 and there is no IPv6.

If you use both IPv4 and IPv6, then you need to configure it for both IP versions.

Note: the config is done under group-policy.
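The reply above mentions split-DNS, tunnel-all-DNS and the IPv6 caveat but shows no configuration. The fragment below is an added example written for this thread, not the replier's own config or anything from the original post; the group-policy name, resolver address, domain and exclusion list are hypothetical placeholders, and the existing split-tunnel-policy and network-list lines of the real group policy are assumed to stay as they are. It puts the two DNS options side by side so the difference the thread is arguing about is visible in the config.

```cisco
! Added example for this thread. GP-REMOTE, EXCLUDE-LIST, 10.10.10.53 and
! corp.example.com are hypothetical; substitute your own values.

! 1. Dynamic split-exclude custom attribute (the feature the original post already
!    uses). Traffic to the listed domains leaves the client's local interface
!    instead of the tunnel.
webvpn
 anyconnect-custom-attr dynamic-split-exclude-domains description SaaS bypasses tunnel
!
anyconnect-custom-data dynamic-split-exclude-domains EXCLUDE-LIST zoom.us,youtube.com
!
! 2. Group policy. Keep your existing split-tunnel-policy lines; only the DNS
!    handling is shown here. Enable ONLY ONE of option A or option B.
group-policy GP-REMOTE attributes
 dns-server value 10.10.10.53
 default-domain value corp.example.com
 anyconnect-custom dynamic-split-exclude-domains value EXCLUDE-LIST
 ! Reply's IPv6 caveat: if the ASA assigns only an IPv4 address, bypassing the
 ! other protocol keeps IPv6 traffic (and IPv6 DNS) on the local interface.
 client-bypass-protocol enable
 !
 ! Option A, what the reply recommends: every query, for any domain, is sent
 ! through the tunnel to 10.10.10.53. There is no fallback to the local resolver.
 split-tunnel-all-dns enable
 !
 ! Option B, split-DNS: only queries for corp.example.com go to 10.10.10.53;
 ! everything else, including the excluded sites, uses the client's local resolver.
 ! split-tunnel-all-dns disable
 ! split-dns value corp.example.com
```

After applying either option, `show running-config group-policy GP-REMOTE` on the ASA confirms what was pushed, and `scutil --dns` on the Mac lists the resolvers AnyConnect installed in order, with the domains each one is scoped to, which is the quickest way to see whether a query for an excluded site will be handed to the tunnel resolver or the local one.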

Split-DNS seems like a good step, though again, I'm hesitant to perform a global change over one user. Is there a more direct way to do this?

I'm not a fan of tunnel-all-dns for similar reasons, but more so because there's no fallback, i.e. if the ASA DNS is unreachable, this person won't be able to use local DNS.

Let's try this solution in Mac OS:
System Preferences > Network > Advanced > DNS

Then change the order.

For my own clarification: if the AnyConnect client sends DNS queries to the internal DNS server assigned by the VPN group policy, at what point would it check the local DNS entries above? Wouldn't that only happen if it failed to hear from the internal ones? We tunnel everything, including queries. I'll get back to you when the user can change DNS locally.