
VPN clients not receiving DNS info.

Dunkitando
Level 1

Hello,

Recently we transitioned VPN authentication off our old ACS to our new ISE server. Now, however, VPN clients do not receive DNS settings when they connect, resulting in many internal services being unreachable for users.

The decision was made to apply DNS via an ISE authorisation profile. Clients connect via AnyConnect to our ASA (5585), which authenticates against ISE. The ASA then receives two authorisation profiles:

"Outside-VPN" contains the access_accept and the class value (for application of tunnel/ACLs on ASA)

"Outside-VPN-DNS" which contains the DNS advanced attribute settings:

Cisco-VPN3000:CVPN3000/ASA/PIX7x-Primary-DNS = (DNS ip 1)

Cisco-VPN3000:CVPN3000/ASA/PIX7x-Secondary-DNS = (DNS ip 2)

Cisco-VPN3000:CVPN3000/ASA/PIX7x-Simultaneous-Logins = 3

The problem is these DNS settings are never applied to the clients. Is there a setting on the ASA I am missing? I'm relatively new to ISE, and I'm just in the middle of my CCNA; if there are any details I've missed, please let me know.

Any assistance would be welcome.

Thanks!

1 Reply

Hi,
I don't have a chance to confirm, but in my notes I have the following av-pair:

cisco-av-pair = ipsec:dns-servers=xxx.xxx.xxx.xxx

HTH