576273 Views, 27 Helpful, 18 Replies

The VPN connection failed due to unsuccessful domain name resolution

rflowers2126
Level 1

I have a customer who is trying to connect to their SSL VPN via AnyConnect client. They have a Cisco ASA 5515x running ASA 8.6(1)2, using AnyConnect for Windows 3.1.03103. They are on a laptop that is running Windows 7.

When they attempt to connect, they get the following error message:

The VPN connection failed due to unsuccessful domain name resolution

They never get to a login prompt. They have attempted to connect using the IP address of the Cisco ASA, as well as the Domain name pointing to the ASA.

They have other devices coming from the same location running win7 that have no problems connecting. I believe this is a client side, or client PC issue. Any advice would be appreciated.

Thanks!

18 Replies

Shannon Sutter
Level 1

Same thing happening to one of my users.
Any ideas?

While I never had a specific answer to the root cause of this issue, the client ended up formatting the computer and reinstalling Windows. They were then able to install and run Cisco AnyConnect.

I did not receive any further details from the client regarding this.

I just reinstalled the VPN client. It works in the short term, but the problem will resurface again in a few weeks.

buzen2000
Level 1

I believe this is more of a client issue than the VPN server.

Specify the group-url in the tunnel-group command as shown below:

tunnel-group your-tunnel webvpn-attributes
 group-url https://outside-interface-ip/extension enable

Use the specified URL while connecting to the VPN (outside-interface-ip/extension).

Worked for me.

mlebiedzinski
Level 1

We had this exact same problem and during troubleshooting we discovered that the anyconnect.xml file had become corrupted, meaning the format of the file was no longer usable by the VPN client. Connecting to another region (different set of VPN HEs) caused a new file to be downloaded, and then we were able to connect to the original HEs. We don't know why the anyconnect.xml file became corrupted, but this fixed the problem in all cases.

I'm an AnyConnect user, not the admin, and thus have no access to check whether there's an issue in the .xml or the proxy URL. However, I simply pointed to an alternative VPN gateway than my usual, which caused info for that gateway to be downloaded and that fixed my problem. Thanks!

rflowers2126
Level 1

Thank you Robert. If I encounter this issue again I will try that.

It's important to note that the AnyConnect client (at least in Windows) does not seem to trim any trailing spaces on the name either. If you "pad" the name with an extra space it will fail. To add to the fun, this hostname is saved through an uninstall/reinstall cycle (probably a registry entry?) so the only way to remove it is to notice that extra space and delete it manually - or re-enter the name from scratch and then wonder why it works when you just typed in the same (or so you think) FQDN as before.

Spot on, I had this very problem today!

Pete

Luca Andreucci
Level 1

I had this very same error message.

I found out that the AnyConnect service was configured on a non-standard port:

ASA# sh run webvpn
webvpn
 ! !!!!!!!!!!!!!!!!!!!
 port 444
 ! !!!!!!!!!!!!!!!!!!!
 enable outside

Adding ":444" to the connection URL obviously solved the issue.

kevin
Level 1

Using Cisco AnyConnect Secure Mobility Client, v. 3.1.05152

It seems that any number of problems can lead to this error message.

This started happening to me on a Monday morning (Friday afternoon was working just fine).  

I opened up my profile XML file and found that the DNS name for the server that I regularly connect to had somehow become corrupted with a single extra, and duplicate, character added ("abc.defg.com" became "abc.defgg.com").

Hand editing the file to the correct name fixed the problem for me.  

Farhan Mohamed
Cisco Employee

While I never had a specific answer to the root cause of this issue, the client ended up formatting the computer and reinstalling Windows. They were then able to install and run Cisco AnyConnect.

Reinstall the VPN client and reboot.

Hi,

I had this issue and it was caused by configuration on the ASA.

There was a static port address translation of port 443 on the ASA internet interface that was directed to some web interface on the internal network.

Changing the webvpn port to a different one solved the issue.

lewislampkin
Level 1

I have confirmed a cause of the unsuccessful name resolution error message that is not as much a DNS issue as a configuration mismatch between preferences.xml and <profile-filename>.xml.

Steps to replicate this problem.
1. The end user successfully connects to a VPN gateway.
2. The name of the last connected gateway is copied to the <DefaultHostName> variable at "C:\Users\USERNAME\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client\preferences.xml"
3. When the client opens the AnyConnect client, this <DefaultHostName> variable is populated as the default connection entry.

4. Problem introduced: The client computer receives an updated profile at "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\<profile-filename>.XML"
5. The updated profile does not contain an entry that matches the <DefaultHostName> variable.
6. The end user attempts to connect to the gateway name listed in the <DefaultHostName> variable.
7. The VPN connection fails due to unsuccessful domain name resolution.

Workaround:
The end user uses the drop-down, and selects a gateway from the list that is actually present within the <profile-filename>.xml

Possible fixes:
When updating the VPN profiles, default the preferences.xml file.
When updating the VPN profiles, retain the old names.
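
The preferences.xml/profile mismatch described in the post above, along with the padded-hostname and corrupted-XML cases reported earlier in the thread, can be checked offline before reinstalling anything. This is an added example, not code from the thread or from Cisco; it assumes the profile lists gateways as HostEntry elements with HostName and HostAddress children, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Profiles declare a default XML namespace; compare local names only.
    return tag.rsplit("}", 1)[-1]

def _find_all(root, name):
    return [el for el in root.iter() if _local(el.tag) == name]

def check_default_gateway(preferences_xml, profile_xml):
    """Return a list of (code, detail) findings; an empty list means consistent."""
    docs = {}
    for label, text in (("preferences.xml", preferences_xml), ("profile", profile_xml)):
        try:
            docs[label] = ET.fromstring(text)
        except ET.ParseError as exc:
            # A corrupted file is reported first; nothing else can be checked.
            return [("MALFORMED_XML", f"{label}: {exc}")]

    nodes = _find_all(docs["preferences.xml"], "DefaultHostName")
    default = (nodes[0].text or "") if nodes else ""
    if not default.strip():
        return [("NO_DEFAULT", "preferences.xml has no DefaultHostName value")]

    findings = []
    if default != default.strip():
        # Leading/trailing whitespace saved with the name (the "padded" case).
        findings.append(("PADDED_NAME", repr(default)))

    # Assumed profile layout: HostEntry elements with HostName / HostAddress.
    known = set()
    for entry in _find_all(docs["profile"], "HostEntry"):
        for child in entry:
            if _local(child.tag) in ("HostName", "HostAddress") and child.text:
                known.add(child.text.strip().lower())

    if default.strip().lower() not in known:
        findings.append(("NOT_IN_PROFILE", f"{default.strip()!r} not in {sorted(known)}"))
    return findings

# Constructed sample data (not taken from the thread).
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry><HostName>HQ</HostName><HostAddress>vpn-new.example.com</HostAddress></HostEntry>
  </ServerList>
</AnyConnectProfile>"""
SAMPLE_PREFS = """<AnyConnectPreferences>
  <DefaultHostName>vpn-old.example.com </DefaultHostName>
</AnyConnectPreferences>"""

if __name__ == "__main__":
    for code, detail in check_default_gateway(SAMPLE_PREFS, SAMPLE_PROFILE):
        print(code, detail)
```

To run it against a real client, read the two files from the paths given in the post above and pass their contents to check_default_gateway.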