
Split DNS issue on VPN Conc 3000 and Cisco VPN Client

Sep 13th, 2006


Hi, recently we've seen an increase in complaints re: DNS for clients connecting via VPN to our corporate.


Typical problem is that the user connects via Cisco VPN Client to VPN Conc at Corporate - Key applications are failing. We noticed that in most/all cases - the client is resolving the corporate server to its Public IP address (as their ISP DNS is performing the duty of primary DNS server). Needless to say, we have restricted access to the Public IPs, so the applications are failing for the users.


We tried the Split-DNS option enabled in our lab to see if the name resolution works properly - but in spite of the simple setting configuration, it does not work in the lab as well. Users coming to the LAB VPN Conc are still using their ISP DNS servers to resolve the .com domain (which is listed in the Split-DNS setting in the LAB VPN Conc).


I noted a URL at Cisco - and all 3 options to check on the client side are fine. http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K13241644


At a loss - especially, since some of the users are saying these applications worked for them until recently. Yes, I have done my rounds of checking that nothing had changed on the concentrator. I am thinking this is very specific to the client desktop settings. But, no ammunition yet .. SOS ...


rgds

arathy

sbilgi Tue, 09/19/2006 - 10:11

Split DNS lets an internal DNS server resolve a list of centrally-defined Local Domain Names (LDN), while ISP-assigned DNS servers resolve all other DNS requests. This feature is used in a split-tunneling connection. You configure LDNs on a Base Group/Group basis. VPN 3002 Hardware Client must refrain from split tunneling.

arathyram Wed, 09/20/2006 - 08:28

Update - As mentioned earlier, enabling SplitDNS on the lab concentrators did not resolve the issue for our clients. The fix was a desktop fix - to have the ncpa.cpl - adapter binding order such that the VPN adapter was the primary. So, it would use the internal preferred name servers and resolve to private IP.


Even in the split-tunnel mode, I did not see a fix by enabling split-DNS on the concentrator. Once the desktop adapter setting was altered, the issue was resolved.


I am not sure if Split-DNS is really a requirement. It has been working for us up until now - without enabling it on the concentrator. This issue was sparked when some users were unable to resolve to private IP - so we went at this with an individual/user/pc/desktop approach.


thanks much
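
A check for the symptom described in this thread (a corporate hostname resolving to its public IP while the VPN is connected), added here as an example and not part of the original posts. It assumes internal servers sit in RFC 1918 address space; the function names and the ranges are illustrative and should be adjusted to the site's own addressing.

```python
import ipaddress
import socket
import sys

# Assumption: internal servers live in RFC 1918 space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def system_resolve(name):
    """Resolve through the OS resolver, so the desktop's adapter/DNS order applies."""
    infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def check_host(name, resolve=system_resolve, internal_nets=INTERNAL_NETS):
    """Return (verdict, addresses); verdict is internal, public, mixed or unresolved."""
    try:
        addrs = resolve(name)
    except OSError:  # socket.gaierror is a subclass of OSError
        return "unresolved", []
    if not addrs:
        return "unresolved", []
    inside = [any(ipaddress.ip_address(a) in net for net in internal_nets)
              for a in addrs]
    if all(inside):
        return "internal", addrs
    if not any(inside):
        return "public", addrs   # the failure mode from the thread: ISP DNS answered
    return "mixed", addrs


def audit(names, resolve=system_resolve):
    """Map each hostname to its verdict; anything other than 'internal' needs a look."""
    return {n: check_host(n, resolve)[0] for n in names}


if __name__ == "__main__":
    # Usage: run with the VPN connected, passing the application server names.
    failures = 0
    for host in sys.argv[1:]:
        verdict, addrs = check_host(host)
        print(f"{host}: {verdict} {addrs}")
        failures += verdict != "internal"
    sys.exit(1 if failures else 0)
```

Run it once with the VPN up on an affected desktop and once on a working one; a `public` verdict on the affected machine confirms that the ISP's DNS server is answering ahead of the internal one.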
