SA540 VPN Tunnel - No internet access or local DNS resolution

Unanswered Question
Jul 30th, 2012

Searching the forum, I have seen the "no internet when connected via full-tunnel to SA540 with Cisco VPN Client" (and even with SSL VPN Client) scenario/issue raised multiple times here in the past 6-12 months, but nobody has yet to post a "fixed" or "solved" acknowledgement

All the responses have been "just use split tunnel"  which is not a solution or even a workaround for someone who requires full tunnel specifically like I do

I have a simple Cisco VPN client capable IPSEC tunnel created using the VPN wizard on the SA540.

--I am setup for full-tunnel mode

--I can connect to my SA540 / remote site and authenticate just fine

--I can reach devices on my LAN (by IP address ONLY) while connected to the VPN

Problems:

--I have no name resolution capabilities on my LAN while connected to the VPN (I had name resolution when using a cheap consumer grade router that the SA540 replaced - no other/no dedicated DNS server onsite, only the router acting as local DNS server)

--I have no internet access while connected to the VPN

--I have tried every combination of VPN DHCP scope provided DNS servers - but no change in regards to internet access or Local LAN DNS resolution behavior when connected the tunnel

I am running the newest version of firmware code - 2.1.71 I believe from meory (but i verfied it is still the newest on Cisco.com)

Using the built-in UC560 EZ-VPN-Client at this and other locations, full-tunnel far-end/remote internet access works fine

So this issue seems isolated to the SA540 itself

For local DNS resolution, I am not sure if the expected behavior is that the SA540 can resolve local DNS machine names (Please advise)

But obviosuly full-tunnel internet access shoud work, which is the priority here for me. The local DNS resolution via the SA540 is a great to have.

--Can anyone at Cisco acknowledge this is a known bug / issue, and when I can expect a fix?

--Or is there anyone here that can confirm they have successfully created a Full-Tunnel with working internet using SSA540 + Cisco VPN client 9and if so, what version of code are you using?)

Thanks

Mike

I have this problem too.
1 vote
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
CCMADM1N1_2 Mon, 07/30/2012 - 10:19

just to be clear when I say "local LAN" or "Local DNS" I am always referring to the LAN at the remote/far end (the site that the SA540 is located at)

I am connecting via Full-tunnel so I want ALL traffic to go into the tunnel - and I want both internet access and DNS-capable LAN access at the remote site where the SA540 is located - so i will have the same access/experience as if I was a user at the remote site physically

I dont want or need LAN or internet access where I am physically located with my VPN client - (if I did, I would have created a split tunnel!)

Thanks

Tom Watts Mon, 07/30/2012 - 10:55

Hi CCMAADM1N1,

To fix the DNS issue, you need to delete the existing VPN policies then do the following;

Navigate to VPN -> IPSEC ->DYNAMIC IP RANGE.

Set the mode to full tunnel, specify the optional DNS fields and or WINS server

Then recreate the policies to use with the Cisco 5.x client.

-Tom

CCMADM1N1_2 Wed, 08/01/2012 - 21:05

Thanks - I suspected a reboot would fix the internet access (it did) since I made change sto the VPN DHCP SCOPE (changed DNS servers) after creating the policies (SA is a

nice device but requires reboot after most network related changes, not the most convenient but bearable if things work in the end)

But unfortunately even after delete/rebuild/reboot I cannot resolve DNS on the remote LAN while connected to full tunnel ipsec VPN

Does the SA540 have the capability/logic to handle the local DNS resolution for clients connected via VPN CLIENT from outside ? Doesn't seem so ..

The Same devices resolve DNS just fine when connected locally to the LAN so we know it works - just not working when same devices are connected via Cisco VPN Client from outside

Im thinking of rolling back 1 firmware release, and testing again - I could swear this worked/works on some older installs that I have not had the need or chance to upgrade since 2.1.51 i believe

Sent from Cisco Technical Support iPhone App

travisbugh Thu, 07/04/2013 - 09:46

I got a SA540 and I am having the same exact problem, cisco vpn 5 client, everything seems to work except the DNS resolution. Did you ever get this to work CCADM1N1?

Actions

Login or Register to take actions

This Discussion

Posted July 30, 2012 at 10:02 AM
Stats:
Replies:7 Avg. Rating:
Views:3944 Votes:1
Shares:0

Related Content

Discussions Leaderboard