VPN Client split DNS creates timeouts on Windows client DNS lookups

Unanswered Question
Nov 14th, 2007
We have an ASA5510 with Windows VPN Clients (current stable version) connecting to it. I set up split DNS to force the clients to look up the internal domains with the nameserver on our network.

Split DNS config as follows:

group-policy VPN attributes
 dns-server value 192.168.0.196
 vpn-tunnel-protocol IPSec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 default-domain value myinternaldomain.de
 split-dns value myinternaldomain.de myinternaldomain2.de

Now when, after connecting, the clients run nslookup (on Windows XP), the internal names are looked up in no time.

When a public name like google.de is looked up, nslookup runs into a timeout like this and finally answers the query:


> google.de
Server:  [192.168.1.3]
Address:  192.168.1.3

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    google.de
Addresses:  216.239.59.104, 72.14.221.104, 66.249.93.104


The tunnel traffic policy is simple:

access-list VPN_splitTunnelAcl standard permit our_main_private_net 255.255.255.0
access-list VPN_splitTunnelAcl standard permit some_other_private_net_in_10_classA 255.128.0.0


Using the MacOS Cisco VPN client, the problem doesn't exist!

The setup has been tested on all different kinds of networks: wireless, DSL, anything. The issue is not limited to one computer only.


Thanks for your help


-chris



ebreniz Tue, 11/20/2007 - 12:54

You have to split. If you do not have split tunneling configured for the VPN Client, you will not be able to use the DNS server of the Internet Service Provider (ISP) anymore. This is because all traffic is now encrypted and sent to the VPN server.

For more information on configuring split and dynamic DNS on the Cisco VPN, refer to this document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008015f324.shtml

c.schwarzfischer Tue, 11/20/2007 - 13:15

As can be seen in the config I posted, we DO split:


split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_splitTunnelAcl

access-list VPN_splitTunnelAcl standard permit our_main_private_net 255.255.255.0
access-list VPN_splitTunnelAcl standard permit some_other_private_net_in_10_classA 255.128.0.0


All our traces show that splitting works just fine, the ISP nameserver can be contacted, only lookups take forever.


I figure this is a bug in the Windows version of the VPN client (I tried several versions), and does not occur AT ALL in the Mac version of the VPN client.


For now the problem is solved by not using split DNS and having everyone use the internal DNS to resolve all names, internal and public. This incurs a performance hit, of course.
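The following is an added example, not code from the original thread or from Cisco. It models the two policies discussed here: the `split-dns value myinternaldomain.de myinternaldomain2.de` configuration from the question, under which only names in those domains are steered to the internal server 192.168.0.196 and everything else goes to the local/ISP resolver (192.168.1.3 in the nslookup output), and the workaround in this reply, under which every name goes to the internal server. It also flags lookups that needed at least one of nslookup's 2-second timeout windows before an answer arrived. The label-boundary matching rule (host.myinternaldomain.de matches, notmyinternaldomain.de does not) is my assumption about how a split-DNS list should be matched, not a documented client behaviour; `FakeNet`, the per-server delays and the addresses 192.168.0.10 and 198.51.100.7 are constructed so the script runs offline.

```python
"""Split-DNS routing and timeout check for the group-policy in this thread.

Added example; not from the original post or from Cisco. Addresses and the
2-second timeout come from the thread, everything else is constructed.
"""
import time
from typing import Callable, Dict, List, Optional, Tuple

SPLIT_DNS_DOMAINS = ["myinternaldomain.de", "myinternaldomain2.de"]
INTERNAL_DNS = "192.168.0.196"   # dns-server value in the group-policy
LOCAL_DNS = "192.168.1.3"        # resolver nslookup reported for public names
NSLOOKUP_TIMEOUT = 2.0           # "timeout was 2 seconds" in the nslookup output

Resolver = Callable[[str], List[str]]


def matches_split_domain(name: str, domains: List[str]) -> bool:
    """True if `name` is inside one of the split-DNS domains.

    Assumed rule: match on DNS label boundaries, so host.myinternaldomain.de
    matches while notmyinternaldomain.de does not. Case and a trailing dot
    are ignored, as DNS names are case-insensitive."""
    n = name.rstrip(".").lower()
    for d in domains:
        d = d.rstrip(".").lower()
        if n == d or n.endswith("." + d):
            return True
    return False


def choose_resolver(name: str, split_domains: Optional[List[str]] = SPLIT_DNS_DOMAINS) -> str:
    """Resolver a lookup for `name` is steered to under the policy.

    With a split-DNS list only names under those domains go to the internal
    server; everything else uses the local/ISP resolver. With
    split_domains=None (the workaround: no split DNS) every name goes to the
    internal server."""
    if split_domains is None:
        return INTERNAL_DNS
    return INTERNAL_DNS if matches_split_domain(name, split_domains) else LOCAL_DNS


def timed_lookup(name: str, resolve: Resolver,
                 clock: Callable[[], float] = time.monotonic) -> Tuple[List[str], float]:
    """Run one lookup and return (addresses, elapsed seconds)."""
    start = clock()
    addrs = resolve(name)
    return addrs, clock() - start


def classify(elapsed: float, timeout: float = NSLOOKUP_TIMEOUT) -> str:
    """'ok' if the answer arrived inside one nslookup timeout window,
    'retried' if at least one 2-second timeout passed first."""
    return "ok" if elapsed < timeout else "retried"


def run_checks(names: List[str], resolvers: Dict[str, Resolver],
               split_domains: Optional[List[str]] = SPLIT_DNS_DOMAINS,
               clock: Callable[[], float] = time.monotonic) -> Dict[str, dict]:
    """Resolve each name via the server the policy selects and report
    server, addresses, elapsed time and ok/retried per name."""
    report = {}
    for name in names:
        server = choose_resolver(name, split_domains)
        addrs, elapsed = timed_lookup(name, resolvers[server], clock)
        report[name] = {"server": server, "addresses": addrs,
                        "elapsed": round(elapsed, 3), "status": classify(elapsed)}
    return report


class FakeNet:
    """Constructed offline stand-in for the two DNS servers: each server
    advances a fake clock by a fixed delay instead of touching the network."""

    def __init__(self) -> None:
        self.now = 0.0

    def clock(self) -> float:
        return self.now

    def server(self, table: Dict[str, List[str]], delay: float) -> Resolver:
        def resolve(name: str) -> List[str]:
            self.now += delay
            return table.get(name.rstrip(".").lower(), [])
        return resolve


def demo() -> Tuple[Dict[str, dict], Dict[str, dict]]:
    """Run the same names under split DNS and under the all-internal workaround."""
    net = FakeNet()
    google = ["216.239.59.104", "72.14.221.104", "66.249.93.104"]  # from the nslookup output
    internal = net.server({"intranet.myinternaldomain.de": ["192.168.0.10"],  # constructed
                           "google.de": google}, 0.2)               # recursing server, constructed delay
    local = net.server({"google.de": google,
                        "notmyinternaldomain.de": ["198.51.100.7"]},  # constructed
                       2.4)  # constructed delay reproducing the 2-second timeout in the post
    resolvers = {INTERNAL_DNS: internal, LOCAL_DNS: local}
    names = ["intranet.myinternaldomain.de", "google.de", "notmyinternaldomain.de"]
    with_split = run_checks(names, resolvers, SPLIT_DNS_DOMAINS, net.clock)
    no_split = run_checks(names, resolvers, None, net.clock)
    return with_split, no_split


if __name__ == "__main__":
    for label, report in zip(("split DNS", "no split DNS"), demo()):
        print(label)
        for name, row in report.items():
            print(f"  {name:32} -> {row['server']:14} {row['status']:8} {row['elapsed']}s {row['addresses']}")
```

To use it against real servers, replace the `FakeNet` resolvers with functions that query 192.168.0.196 and 192.168.1.3 directly (for example with a DNS library) and keep `time.monotonic` as the clock; a public name showing `retried` only on the split-DNS path, while the internal name stays `ok`, reproduces the symptom in the question, and running the same names with `split_domains=None` shows the cost of the workaround (every query, public ones included, now takes the internal server's round trip).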


