SA540 VPN Tunnel - No internet access or local DNS resolution

Jul 30th, 2012

Searching the forum, I have seen the "no internet when connected via full-tunnel to SA540 with Cisco VPN Client" (and even with SSL VPN Client) scenario/issue raised multiple times here in the past 6-12 months, but nobody has yet posted a "fixed" or "solved" acknowledgement.

All the responses have been "just use split tunnel", which is not a solution or even a workaround for someone who requires full tunnel specifically like I do.

I have a simple Cisco VPN client capable IPSEC tunnel created using the VPN wizard on the SA540.

--I am set up for full-tunnel mode

--I can connect to my SA540 / remote site and authenticate just fine

--I can reach devices on my LAN (by IP address ONLY) while connected to the VPN

Problems:

--I have no name resolution capabilities on my LAN while connected to the VPN (I had name resolution when using a cheap consumer grade router that the SA540 replaced - no other/no dedicated DNS server onsite, only the router acting as local DNS server)

--I have no internet access while connected to the VPN

--I have tried every combination of VPN DHCP scope provided DNS servers - but no change in regards to internet access or local LAN DNS resolution behavior when connected to the tunnel

I am running the newest version of firmware code - 2.1.71 I believe from memory (but I verified it is still the newest on Cisco.com)

Using the built-in UC560 EZ-VPN-Client at this and other locations, full-tunnel far-end/remote internet access works fine

So this issue seems isolated to the SA540 itself

For local DNS resolution, I am not sure if the expected behavior is that the SA540 can resolve local DNS machine names (Please advise)

But obviously full-tunnel internet access should work, which is the priority here for me. The local DNS resolution via the SA540 is a great to have.

--Can anyone at Cisco acknowledge this is a known bug / issue, and when I can expect a fix?

--Or is there anyone here that can confirm they have successfully created a Full-Tunnel with working internet using SA540 + Cisco VPN client (and if so, what version of code are you using?)

Thanks

Mike

CCMADM1N1_2 Mon, 07/30/2012 - 10:19

Just to be clear, when I say "local LAN" or "Local DNS" I am always referring to the LAN at the remote/far end (the site that the SA540 is located at)

I am connecting via full-tunnel so I want ALL traffic to go into the tunnel - and I want both internet access and DNS-capable LAN access at the remote site where the SA540 is located - so I will have the same access/experience as if I was a user at the remote site physically

I don't want or need LAN or internet access where I am physically located with my VPN client - (if I did, I would have created a split tunnel!)

Thanks

Tom Watts Mon, 07/30/2012 - 10:55

Hi CCMAADM1N1,

To fix the DNS issue, you need to delete the existing VPN policies then do the following:

Navigate to VPN -> IPSEC -> DYNAMIC IP RANGE.

Set the mode to full tunnel, specify the optional DNS fields and/or WINS server.

Then recreate the policies to use with the Cisco 5.x client.

-Tom

CCMADM1N1_2 Wed, 08/01/2012 - 21:05

Thanks - I suspected a reboot would fix the internet access (it did) since I made changes to the VPN DHCP SCOPE (changed DNS servers) after creating the policies (SA is a nice device but requires reboot after most network related changes, not the most convenient but bearable if things work in the end)

But unfortunately even after delete/rebuild/reboot I cannot resolve DNS on the remote LAN while connected to full tunnel ipsec VPN

Does the SA540 have the capability/logic to handle the local DNS resolution for clients connected via VPN CLIENT from outside ? Doesn't seem so ..

The same devices resolve DNS just fine when connected locally to the LAN so we know it works - just not working when the same devices are connected via Cisco VPN Client from outside

I'm thinking of rolling back 1 firmware release, and testing again - I could swear this worked/works on some older installs that I have not had the need or chance to upgrade since 2.1.51 I believe


travisbugh Thu, 07/04/2013 - 09:46

I got an SA540 and I am having the same exact problem: Cisco VPN 5 client, everything seems to work except the DNS resolution. Did you ever get this to work, CCADM1N1?
