09-06-2017 05:05 AM - edited 03-12-2019 04:31 AM
Hi,
I have two tunnels. Tunnel1 was set up before and is working well. Tunnel2 was set up recently; pinging an internal host by IP is OK, but I cannot ping by hostname. I have configured split DNS the same as on the first one, and I don't know why the second one is not working. Could anyone give some help?
Thanks
group-policy Tunnel2 internal
group-policy Tunnel2 attributes
wins-server value 10.15.15.25
dns-server value 10.15.15.25
vpn-tunnel-protocol ikev1 ikev2
password-storage disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value esmtunel_splitTunnelAcl
default-domain value localdomain.int
split-dns value localdomain.int
address-pools value ippool1
group-policy Tunel1 internal
group-policy Tunel1 attributes
wins-server value 10.15.15.25
dns-server value 10.15.15.25
vpn-tunnel-protocol ikev1 ikev2
password-storage disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value esmtunel_splitTunnelAcl
default-domain value localdomain.int
split-dns value localdomain.int
address-pools value ippool2
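Since the question is why two seemingly identical group policies behave differently, the first check is a systematic attribute-by-attribute comparison rather than reading them side by side. The script below is an added example, not code from the poster or from Cisco: it parses the two group-policy blocks posted above (copied verbatim as the sample input), lists every attribute that differs, and flags the attributes that split DNS depends on. The line-based parser assumes the "group-policy NAME attributes" layout shown in the post, one attribute per line.

```python
"""Diff two ASA group-policy blocks and check the split-DNS prerequisites.

Added example for the thread above; the sample text is the posted
configuration, and the parser assumes its one-attribute-per-line layout.
"""
import re

SAMPLE_CONFIG = """\
group-policy Tunnel2 internal
group-policy Tunnel2 attributes
 wins-server value 10.15.15.25
 dns-server value 10.15.15.25
 vpn-tunnel-protocol ikev1 ikev2
 password-storage disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value esmtunel_splitTunnelAcl
 default-domain value localdomain.int
 split-dns value localdomain.int
 address-pools value ippool1
group-policy Tunel1 internal
group-policy Tunel1 attributes
 wins-server value 10.15.15.25
 dns-server value 10.15.15.25
 vpn-tunnel-protocol ikev1 ikev2
 password-storage disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value esmtunel_splitTunnelAcl
 default-domain value localdomain.int
 split-dns value localdomain.int
 address-pools value ippool2
"""

# "group-policy NAME internal" opens a policy; "group-policy NAME attributes"
# starts the block whose indented lines we collect.
HEADER = re.compile(r"^group-policy\s+(\S+)\s+(internal|attributes)\b")
# "key value X" and "key X" both map to key -> X; multi-word values are kept.
ATTR = re.compile(r"^(?P<key>[a-z0-9-]+)(?:\s+value)?\s+(?P<val>.+)$")


def parse_group_policies(text):
    """Return {policy_name: {attribute: value}} for every policy in the text."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            name, kind = m.groups()
            policies.setdefault(name, {})
            current = name if kind == "attributes" else None
            continue
        m = ATTR.match(line)
        if current and m:
            policies[current][m["key"]] = m["val"].strip()
    return policies


def diff_policies(a, b):
    """Attributes whose values differ (or are missing on one side)."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


def split_dns_findings(policy):
    """Things that must be present for split DNS to work at all."""
    findings = []
    if "dns-server" not in policy:
        findings.append("no dns-server pushed to the client")
    if "split-dns" not in policy:
        findings.append("no split-dns domain list")
    if policy.get("split-tunnel-policy") == "tunnelall":
        findings.append("split-dns has no effect with tunnelall (all DNS is tunneled)")
    return findings


if __name__ == "__main__":
    pols = parse_group_policies(SAMPLE_CONFIG)
    print("differences:", diff_policies(pols["Tunnel2"], pols["Tunel1"]))
    for name, pol in pols.items():
        print(name, "findings:", split_dns_findings(pol) or "none")
```

Run against the posted blocks, the only difference reported is address-pools (ippool1 versus ippool2), so the DNS-related attributes are identical and the next thing to look at is what changes with the pool: the addresses the Tunnel2 clients use as the source of their DNS queries toward 10.15.15.25.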
09-06-2017 07:51 AM
Hello,
From where are you trying to resolve the name?
As per your explanation, you have a DNS server behind the firewall. Then you have a tunnel with one machine at the end, and you can ping this machine by IP and by name. Then you set up a new machine on a different tunnel. You are able to ping that machine, but you cannot ping it by name from the same place? Or are you pinging from one machine to another machine through different tunnels?
I am just trying to make a picture of your environment.
Is your DNS configured correctly? I mean, this machine has a new IP range.
Because the tunnel looks OK, you need to make sure that the environment is OK as well.
09-06-2017 07:17 PM - edited 09-06-2017 07:24 PM
Hi Flavio,
Thanks for your reply.
We have two ISP (A and B) access interfaces on the ASA. We used an IP address from ISP A to set up a remote access VPN (Tunnel1) on our ASA5512, and it's working well.
For backup, I tried to set up another remote access VPN with an IP address from ISP B. I think Tunnel2 is OK, as I am able to log in from the VPN client and ping the IP of the internal machine, but I cannot ping the name of the same machine.
Regards
Eric
09-06-2017 08:05 PM
When you establish the VPN tunnel, does all traffic go through the VPN, or does internet access go out the local link?
Any chance the machine is trying to use the local DNS server and not the DNS server provided by the VPN tunnel?
You could force the machine to use the VPN DNS by issuing the commands:
nslookup <enter>
Server 10.15.15.25 <enter>
machine_hostname <enter>
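The nslookup steps above do one thing: send a query for the hostname straight to 10.15.15.25 instead of to whatever resolver the laptop is using, and see whether an answer comes back. The script below is an added example, not part of the thread or a Cisco tool: it performs that same direct A-record query over UDP/53 and distinguishes "no response at all" (the server is not reachable through the tunnel) from "response with no answer" (the server is reached but does not know the name). The server address is the dns-server value from the posted config; the hostname fileserver.localdomain.int and the 10.15.15.30 address used by build_response() are constructed values so the parser can be exercised offline.

```python
"""Direct DNS A query to a chosen server, as nslookup with 'server X' does.

Added example for the thread above. VPN_DNS_SERVER is the dns-server value
from the posted group policies; the hostname and the 10.15.15.30 answer
in build_response() are constructed test values.
"""
import socket
import struct

VPN_DNS_SERVER = "10.15.15.25"


def encode_name(name):
    """Encode 'host.localdomain.int' as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234):
    """Standard A/IN query with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes
            return off + 2
        off += 1 + length


def parse_a_records(resp, txid):
    """Return (rcode, [IPv4 strings]) from a reply to build_query()."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = skip_name(resp, off) + 4     # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return rcode, addrs


def build_response(query, address, ttl=60):
    """Constructed reply answering a build_query() packet with one A record
    (only so the parser can be tested without a live server)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(address)
    return header + question + answer


def query_server(name, server=VPN_DNS_SERVER, timeout=2.0):
    """Query one server directly; None means no reply within the timeout."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_a_records(data, txid)


if __name__ == "__main__":
    result = query_server("fileserver.localdomain.int")
    if result is None:
        print("no reply from", VPN_DNS_SERVER, "- server not reachable over this tunnel")
    else:
        rcode, addrs = result
        print("rcode", rcode, "answers", addrs or "none (server reached, name unknown)")
```

Run from the laptop while connected over Tunnel2, a timeout points at the tunnel path (the new pool's traffic not reaching the DNS server), whereas an answer with rcode 3 or no A records points at the DNS data itself; the two outcomes call for very different fixes, which is why it is worth separating them before capturing on the ASA.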
09-06-2017 08:18 PM
09-06-2017 08:27 PM
If you put a capture on the interface where the DNS server is connected, do you see any DNS request flying by coming from that machine?
I believe you have already compared both tunnels, but as one of them is not working, something may have gone unnoticed.
09-06-2017 08:30 PM
I used Wireshark to capture the traffic on my laptop, no DNS request traffic to tunnel2.
09-06-2017 08:38 PM
If I were you I would put a capture on the ASA and check the logs there. I'm skeptical when it comes to VPN tunnels and sniffers.