VPN Client split DNS creates timeouts on Windows client DNS lookups

We have an ASA5510 with Windows VPN Clients (current stable version) connecting to it. I set up split DNS to force the clients to lookup the internal domains with the nameserver on our network.

Split DNS config as follows:

group-policy VPN attributes
 dns-server value 192.168.0.196
 vpn-tunnel-protocol IPSec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 default-domain value myinternaldomain.de
 split-dns value myinternaldomain.de myinternaldomain2.de

Now, after connecting, when the clients run nslookups (on Windows XP), the internal names are looked up in no time.

When a public name like google.de is looked up, nslookup runs into a timeout like this and finally answers the query:

> google.de
Server: [192.168.1.3]
Address: 192.168.1.3

DNS request timed out.
timeout was 2 seconds.
Nicht autorisierte Antwort:
Name: google.de
Addresses: 216.239.59.104, 72.14.221.104, 66.249.93.104

The tunnel traffic policy is simple:

access-list VPN_splitTunnelAcl standard permit our_main_private_net 255.255.255.0
access-list VPN_splitTunnelAcl standard permit some_other_private_net_in_10_classA 255.128.0.0

Using the MacOS Cisco VPN client, the problem doesn't exist!

The setup has been tested on all different kinds of networks: wireless, DSL, anything. The issue is not limited to one computer only.

Thanks for your help

-chris
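To see what the symptom above looks like from the client side, here is an added diagnostic script (not code from the thread or from Cisco). It reproduces the split-DNS decision a client makes (suffix match of the query name against the split-dns list, on a label boundary) and times a single raw UDP A query against the resolver that decision picks, so a slow or timed-out public lookup shows up as a measured delay rather than an nslookup message. The split-dns domains, the tunnel resolver 192.168.0.196 and the ISP resolver 192.168.1.3 are reused from the post purely as sample data; the response packet used for the offline check is constructed, not captured.

```python
"""Added example: reproduce a split-DNS client's resolver choice and time a
raw DNS A query against that resolver (diagnostic, not Cisco's own code).
Sample resolvers and domains below are taken from the forum post as data."""
import socket
import struct
import time

SPLIT_DNS_DOMAINS = ["myinternaldomain.de", "myinternaldomain2.de"]  # split-dns value
TUNNEL_DNS = "192.168.0.196"  # dns-server value in the group policy
ISP_DNS = "192.168.1.3"       # resolver reported by the Windows client (sample)
TXID = 0x1234                 # fixed transaction id for the hand-built query


def choose_resolver(name, split_domains=SPLIT_DNS_DOMAINS,
                    tunnel_dns=TUNNEL_DNS, isp_dns=ISP_DNS):
    """Return the resolver a split-DNS client should use for `name`.

    Matching is on a label boundary: 'host.myinternaldomain.de' goes to the
    tunnel resolver, 'notmyinternaldomain.de' and 'google.de' do not."""
    labels = name.rstrip(".").lower().split(".")
    for dom in split_domains:
        dlabels = dom.rstrip(".").lower().split(".")
        if len(labels) >= len(dlabels) and labels[-len(dlabels):] == dlabels:
            return tunnel_dns
    return isp_dns


def _encode_name(name):
    """Encode a dotted name as DNS labels (length-prefixed, zero-terminated)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_a_query(name, txid=TXID):
    """Build a minimal DNS A/IN query with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)


def _skip_name(packet, pos):
    """Advance past a (possibly compressed) name starting at `pos`."""
    while True:
        length = packet[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes
            return pos + 2
        pos += 1 + length


def parse_a_answers(packet, txid=TXID):
    """Return the IPv4 strings in the answer section, or [] if not a reply."""
    if len(packet) < 12:
        return []
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000:   # wrong id or QR bit not set
        return []
    pos = 12
    for _ in range(qd):                      # skip the question section
        pos = _skip_name(packet, pos) + 4    # +4 for QTYPE and QCLASS
    ips = []
    for _ in range(an):
        pos = _skip_name(packet, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(packet[pos:pos + 4]))
        pos += rdlen
    return ips


def sample_response(name="google.de", txid=TXID,
                    ips=("216.239.59.104", "72.14.221.104", "66.249.93.104")):
    """Constructed (not captured) response packet for offline parsing checks."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + socket.inet_aton(ip) for ip in ips)
    return header + question + answers


def time_lookup(name, server, timeout=2.0):
    """Send one UDP A query to `server`; return (seconds, ips) or (None, [])
    on timeout. Needs network access; the 2 s default mirrors nslookup."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_a_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None, []
    finally:
        sock.close()
    return time.monotonic() - start, parse_a_answers(data)


if __name__ == "__main__":
    for host in ("fileserver.myinternaldomain.de", "google.de"):
        server = choose_resolver(host)
        secs, addrs = time_lookup(host, server)
        print(f"{host}: resolver {server}: "
              f"{'timeout' if secs is None else f'{secs * 1000:.0f} ms'} {addrs}")
```

Run it from a VPN-connected client to compare the delay for an internal name against a public one; a public name that only answers after the 2 s timeout on one resolver and immediately on the other points at the client sending that query down the wrong path, which is the comparison the post is trying to make between the Windows and Mac clients.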

3 Replies

ebreniz
Level 6

You have to split. If you do not have split tunneling configured for the VPN Client, you will not be able to use the DNS server of the Internet Service Provider (ISP) anymore. This is because all traffic is now encrypted and sent to the VPN server.

For more information on Configuring Split and Dynamic DNS on the Cisco VPN, refer to these documents

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008015f324.shtml

As can be seen in the config I posted, we DO split:

split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_splitTunnelAcl

access-list VPN_splitTunnelAcl standard permit our_main_private_net 255.255.255.0
access-list VPN_splitTunnelAcl standard permit some_other_private_net_in_10_classA 255.128.0.0

All our traces show that splitting works just fine, the ISP nameserver can be contacted, only lookups take forever.

I figure this is a bug in the Windows version of the VPN client (I tried several versions), and does not occur AT ALL in the Mac version of the VPN client.

For now the problem is solved by not using split DNS and having everyone use the internal DNS to resolve all names, internal and public. This incurs a performance hit, of course.

Nobody else having this problem? Can't be...
