VPN and DNS appending

Unanswered Question
Feb 8th, 2007

We are having issues where users can connect to our PIX firewall with the VPN client, but they cannot access any internal servers by name. I can ping servers by IP.

This started after we added a new DNS server, and removed the old one. We also added an ISA 2004 server.

But I don't believe it is the ISA server. See below.

The NIC TCP/IP advanced settings show that when connected to the VPN, "Append these DNS suffixes" is checked and our domain is entered.

When not connected we have "Append primary and connection specific DNS suffixes" checked, with "Append parent suffixes of the primary DNS suffix" also checked. There is NO domain name entered.

When connected, the VPN adapter has "Append these DNS suffixes" with the domain name, and "DNS suffix for this connection" has the domain name entered as well.

On the PIX firewall using the PDM software, under Monitoring > IPSec VPNs, I see my connection and only a couple of packets. And I cannot ping by name.

BUT...

If I go to the Local Area Connection settings, Advanced > DNS, and change from "Append these suffixes" to "Append primary and connection specific DNS suffixes", with "Append parent suffixes" checked, I can ping by name. This setting goes back to "Append these suffixes" once I disconnect and connect to the VPN again.

Or, if I add the domain to "DNS suffix for this connection", I can then ping. Although I found that once you disconnect and flush DNS, when you reconnect the VPN it does not resolve names.

Also, some users have found that if they leave the VPN connection up for anywhere between 15 and 30 minutes, it starts resolving without changing anything.

Any clues how to make this work?

Anonymous (not verified) Wed, 02/14/2007 - 07:04

If your PIX box is running any of these code versions, 6.3.4 to 6.3.5(105), then possibly you are hitting a bug.

The DNS replies are blocked by the outbound ACL for Domain Name System (DNS) queries initiated from outside to inside. The ACL does not have explicit access control entries to allow DNS replies from the DNS server back to the client.

bberry Tue, 08/14/2007 - 05:51

I am having a similar problem, but am using a VPN concentrator and not a PIX. I have three domain suffixes that we use on the desktop, but when users connect via VPN only the default is listed. I have all three in the split DNS field under the client config, but it appears that not all of them are being passed when the client connects. I open the VPN adapter and only the default is listed once connected. I am trying to understand if this is an issue with a non-split tunnel versus a split tunnel.

This originally was not a really big issue, but now that we have added additional domains, it is making it a little harder to do server maintenance and the like.

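An added example (not code from either poster, nor from Cisco or Microsoft) that models the Windows client-side suffix rules both posts above are toggling: the "Append primary and connection specific DNS suffixes" mode with optional parent-suffix devolution, versus an explicit "Append these DNS suffixes (in order)" list, which replaces the primary and connection-specific suffixes entirely. It assumes the standard rule that devolution strips labels from the primary suffix down to two (the older default; it is a parameter here), and that a single-label name is only queried with a suffix appended. The domain names, the addresses and the ZONE table are constructed placeholders standing in for the internal DNS server, so the script runs offline; pass socket.gethostbyname as the lookup instead to check a real client.

```python
"""Which FQDNs a Windows client will try for a short host name, depending on
the Advanced TCP/IP > DNS settings.  Added example; names are constructed."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class DnsClientSettings:
    # Machine-wide primary DNS suffix (normally the AD domain). None = not set.
    primary_suffix: Optional[str] = None
    # "DNS suffix for this connection" on the adapter(s) in use.
    connection_suffixes: List[str] = field(default_factory=list)
    # "Append these DNS suffixes (in order)". None = use primary + connection.
    search_list: Optional[List[str]] = None
    # "Append parent suffixes of the primary DNS suffix".
    devolve_parent: bool = True
    # Devolution stops at this many labels (assumption: example.com = 2).
    devolution_min_labels: int = 2


def candidates(name: str, s: DnsClientSettings) -> List[str]:
    """FQDNs the resolver tries for `name`, in order.

    Simplification: a name containing a dot is treated as fully qualified and
    tried as-is; a single-label name is only tried with a suffix appended.
    """
    name = name.rstrip(".")
    if "." in name:
        return [name]

    if s.search_list is not None:
        suffixes = list(s.search_list)          # explicit list wins outright
    else:
        suffixes = []
        if s.primary_suffix:
            suffixes.append(s.primary_suffix)
            if s.devolve_parent:
                labels = s.primary_suffix.split(".")
                while len(labels) > s.devolution_min_labels:
                    labels = labels[1:]         # strip the leftmost label
                    suffixes.append(".".join(labels))
        suffixes.extend(s.connection_suffixes)

    seen, out = set(), []
    for suf in suffixes:
        fqdn = f"{name}.{suf}"
        if fqdn not in seen:                    # keep order, drop repeats
            seen.add(fqdn)
            out.append(fqdn)
    return out


def resolve_first(name: str, s: DnsClientSettings,
                  lookup: Callable[[str], str]) -> Optional[Tuple[str, str]]:
    """(fqdn, address) for the first candidate `lookup` answers, else None.

    `lookup` must raise KeyError or OSError for a missing name, so a dict's
    __getitem__ (offline) and socket.gethostbyname (live) both work.
    """
    for fqdn in candidates(name, s):
        try:
            return fqdn, lookup(fqdn)
        except (KeyError, OSError):
            continue
    return None


# Constructed sample records standing in for the internal DNS server.
ZONE = {
    "srv.corp.example.com": "10.0.0.5",
    "db.lab.example.net": "10.1.0.7",
}


def demo() -> None:
    lookup = ZONE.__getitem__
    scenarios = [
        # First post: VPN adapter pushes only an explicit search list.
        ("explicit list", DnsClientSettings(search_list=["corp.example.com"]), "srv"),
        # Same client on primary + connection-specific with no domain set:
        # a short name yields no candidates at all.
        ("no suffix at all", DnsClientSettings(), "srv"),
        # Second post: three suffixes on the desktop, only the default pushed.
        ("default only", DnsClientSettings(connection_suffixes=["corp.example.com"]), "db"),
        ("all three suffixes", DnsClientSettings(search_list=[
            "corp.example.com", "lab.example.net", "ops.example.org"]), "db"),
    ]
    for label, s, host in scenarios:
        print(f"{label:20} tries {candidates(host, s)} -> {resolve_first(host, s, lookup)}")


if __name__ == "__main__":
    demo()
```

The "default only" scenario is the second poster's symptom in miniature: a host in a domain whose suffix was not pushed to the VPN adapter never even gets queried, so it fails by name while its IP is perfectly reachable.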