The VPN connection failed due to unsuccessful domain name resolution

ER075
Level 1

We seem to have a number of users on the estate that end up with machines unable to connect to the system at all. Our first thought was to get them to try tethering off their phones, which worked in some cases. But recently we had two users working on corporate laptops at the same house on the same connection, one getting "The VPN connection failed due to unsuccessful domain name resolution" when trying to connect, while the other person can connect fine. They both have identical hardware and identical software (both on Cisco AnyConnect 4.9), and drivers have been checked. The Anyconnect.xml is the same on both machines and has been cross-compared. It's all very strange and nothing has changed recently. The fact the other corporate has no issues connecting makes no sense at all. Have any of you guys seen any similar tales and figured out what was causing it?

Cheers, appreciate any insight you guys can offer.

4 Replies

balaji.bandi
Hall of Fame

Could this maybe be the provider (ISP)? (Is this for many users on different ISPs, or only some users?)

If the user is getting DHCP from the broadband router, try setting up a static IP on the end device as a test. I have seen this issue; once we made the IP static it was working (maybe not in your case, but worth a try).

Still an issue? Take one client and get Wireshark to capture and check.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Milos_Jovanovic
VIP Alumni

Hi @ER075,

As it is stated in the message, most often the issue lies in DNS resolution of your VPN GW. Some guys are capable of resolving it fine (and for them it is working, as it should be), but others are not resolving it and are experiencing this issue.

At the time this issue happens, the initial troubleshooting step should be testing DNS resolution of your GW. Also, try flushing DNS on those hosts, if DNS resolution works for other destinations (e.g. cisco.com). You could also do a packet capture and check the DNS resolution packets, to confirm whether the client is able to resolve it correctly at the time of the issue.

In the meantime, you can go and check the DNS records on all of your public DNS servers. What crosses my mind is that the DNS record on one of them is not OK, and once users are reaching that one, they must experience the issue. Next time, or after some time, they use a different DNS server, which resolves the query correctly.

BR,

Milos

Thanks Milos,

It seems to be something user profile side, as we've since found out that if another user logs into the problem laptop they don't get the issue and are able to connect to WiFi, but when the original user logs back in they get the same fault and cannot connect to any WiFi networks through AnyConnect.

It's quite odd. I originally thought that perhaps a token of some kind was denying access as it might have been in a locked session.

It's a fault we see a lot of and none of the DART files reveal what is going on. A DNS flush on the device doesn't do anything either.

 

Milos_Jovanovic
VIP Alumni

Hi @ER075,

If that is the case, and you already managed to pinpoint it to a problematic user profile, then I would advise taking this to a TAC case, as they are the only ones who can conclude why this is happening.

It would be great if you could share findings later, in order to help the community.

BR,

Milos