ASA 8.0(4) VPN Client 5.0.02.0090 No DNS resolution

Unanswered Question
Feb 1st, 2010

Client connects fine and swell

gets DNS Server info

down stream packet capture shows that the servers are responing to client

12:19:34.933026 IP x.x.x.x.55982 > x.x.x.x.domain:  5549+[|domain]
12:19:34.933030 IP x.x.x.x.55982 > x.x.x.y.domain:  5549+[|domain]
12:19:34.933762 IP x.x.x.x.domain > x.x.x.x.55982:  5549*[|domain]
12:19:34.934006 IP x.x.x.x.domain > x.x.x.x.55982:  5549*[|domain]

but client never receives this responses and return request time out.

packet sniffer on client just shows requests inbound to DNS servers

This same configuration works with MAC OS X 10.6.2 client

not sure if it is related to dns-guard

i have disabled netbios on the windows xp machine, but have tried with it enabled over tcp, have added and removed wins server.

i can resolve resolve names from the ASA itself

any thoughts and ideas

i have been spending hours on this site searching for vpn client dns issues to no avail.

cheers

A

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Andrew MacTaggart Mon, 02/01/2010 - 21:25

more info

ASA Version 8.0(4)
!
hostname ASA
domain-name mydomain.com
dns-guard
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup DMZ
dns server-group DefaultDNS
name-server xxxx-1
name-server xxxx-2
name-server x.x.x.27
name-server x.x.x.71
domain-name mydomain.com
same-security-traffic permit intra-interface
access-list outside_access_in remark allow traffic for vpn clients
access-list outside_access_in extended permit udp 10.1.174.0 255.255.254.0 any
access-list outside_access_in extended permit tcp 10.1.174.0 255.255.254.0 any
access-list outside_access_in extended permit tcp 10.1.174.0 255.255.254.0 x.x.x.0 255.255.254.0
access-list outside_access_in extended permit tcp 10.1.174.0 255.255.254.0 x.x.x.0 255.255.255.0
access-list outside_access_in extended permit tcp 10.1.174.0 255.255.254.0 x.x.x.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.1.174.0 255.255.254.0
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu mgmt 1500
ip local pool rbvpnpool 10.1.174.1-10.1.175.254 mask 255.255.254.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 10.1.174.0 255.255.254.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
ldap attribute-map Banner
  map-name  xxxxx Banner1
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host x.x.x.71
server-port 636
ldap-base-dn o=xxxx
ldap-scope subtree
ldap-login-password *
ldap-login-dn cn=xxxx, o=xxxx
ldap-over-ssl enable
server-type novell
ldap-attribute-map Banner
aaa-server LDAP1 protocol ldap
aaa-server LDAP1 (inside) host xxxxxx
ldap-base-dn o=xxxx
ldap-scope subtree
ldap-login-password *
ldap-login-dn cn=xxxx, o=xxxx
ldap-over-ssl enable
server-type novell
aaa-server LDAP2 protocol ldap
aaa-server LDAP2 (inside) host x.x.x.27
ldap-base-dn o=xxxx
ldap-scope subtree
ldap-login-password *
ldap-login-dn cn=xxxx, o=xxxx
ldap-over-ssl enable
server-type novell
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LDAP LOCAL
service resetoutside
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set VPNTRANS esp-3des esp-sha-hmac
crypto ipsec transform-set VPNTRANS mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
dns-server value x.x.x.27 x.x.x.71
ip-comp enable
ipsec-udp enable
default-domain value mydomain.com
address-pools value rbvpnpool
group-policy myvpngroup internal
group-policy myvpngroup attributes
dns-server value x.x.x.27 x.x.x.71
vpn-tunnel-protocol IPSec
default-domain value mydomain.com
tunnel-group DefaultRAGroup general-attributes
address-pool rbvpnpool
authentication-server-group LDAP1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
authorization-required
tunnel-group myvpngroup type remote-access
tunnel-group myvpngroup general-attributes
address-pool rbvpnpool
authentication-server-group LDAP1
default-group-policy myvpngroup
tunnel-group myvpngroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect dns preset_dns_map
!
service-policy global_policy global
prompt hostname context

Andrew MacTaggart Wed, 02/03/2010 - 21:05

Update

Well thanks for all the support

anyway I updated the client to 5.0.06.0160 to no avail

telnet and other protocols work as long as i use IP addresses

Just name resolution is dying along the way.

Actually the last place i see the dns packets is right before the ASA inside interface.

So if anyone has any suggestions at all, i would be ever so grateful

cheers

Actions

This Discussion

Related Content