Split DNS issue on VPN Conc 3000 and Cisco VPN Client

arathyram
Level 1

Hi, recently we've seen an increase in complaints re: DNS for clients connecting via VPN to our corporate.

Typical problem is that the user connects via Cisco VPN Client to VPN Conc at Corporate - Key applications are failing. We noticed that in most/all cases - the client is resolving the corporate server to its Public IP address (as their ISP DNS is performing the duty of primary DNS server). Needless to say, we have restricted access to the Public IPs, so the applications are failing for the users.

We tried the Split-DNS option enabled in our lab to see if the name resolution works properly - but in spite of the simple setting configuration, it does not work in the lab as well. Users coming to the LAB VPN Conc are still using their ISP DNS servers to resolve the .com domain (which is listed in the Split-DNS setting in the LAB VPN Conc).

I noted a URL at Cisco - and all 3 options to check on the client side are fine. http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K13241644

At a loss - especially, since some of the users are saying these applications worked for them until recently. Yes, I have done my rounds of checking that nothing had changed on the concentrator. I am thinking this is very specific to the client desktop settings. But, no ammunition yet .. SOS ...

rgds

arathy

2 Replies

sbilgi
Level 5

Split DNS lets an internal DNS server resolve a list of centrally-defined Local Domain Names (LDN), while ISP-assigned DNS servers resolve all other DNS requests. This feature is used in a split-tunneling connection. You configure LDNs on a Base Group/Group basis. VPN 3002 Hardware Client must refrain from split tunneling.

arathyram
Level 1

Update - As mentioned earlier, enabling Split-DNS on the lab concentrators did not resolve the issue for our clients. The fix was a desktop fix - to have the ncpa.cpl adapter binding order such that the VPN adapter was the primary. So, it would use the internal preferred name servers and resolve to the private IP.

Even in the split-tunnel mode, I did not see a fix by enabling Split-DNS on the concentrator. Once the desktop adapter setting was altered, the issue was resolved.

I am not sure if Split-DNS is really a requirement. It has been working for us up until now - without enabling it on the concentrator. This issue was sparked when some users were unable to resolve to the private IP - so we went at this with an individual/user/pc/desktop approach.

thanks much
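The symptom in this thread is that the client asks the wrong resolver (the ISP's) for the corporate name and gets the public address. The following PowerShell diagnostic is an added example, not code from the thread or from Cisco: it asks every configured DNS server, adapter by adapter, for the corporate host and flags whether the answer is private or public, alongside the adapter's interface metric (the setting that governs resolver order on current Windows, where the thread's ncpa.cpl binding order used to). It assumes a current Windows client with the built-in DnsClient and NetTCPIP modules; `$CorpHost` is a placeholder for the real internal FQDN.

```powershell
# Added diagnostic (not from the original thread). For each IPv4 adapter that has
# DNS servers configured, query those servers directly for the corporate host and
# report whether the answer is an RFC 1918 address. A PUBLIC answer coming from an
# adapter with a lower metric than the VPN adapter reproduces the failure above.
# $CorpHost is a placeholder value; replace it with the real internal FQDN.
$CorpHost = 'app.corp.example.com'

function Test-PrivateIPv4 {
    param([string]$Address)
    $b = [int[]]($Address.Split('.'))
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $alias  = $_.InterfaceAlias
        # Lower InterfaceMetric wins; the VPN adapter should be lowest while connected.
        $metric = Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4 |
                  Select-Object -ExpandProperty InterfaceMetric
        foreach ($server in $_.ServerAddresses) {
            try {
                # -DnsOnly bypasses the local cache and hosts file so we see the server's own answer.
                $answers = Resolve-DnsName -Name $CorpHost -Server $server -Type A -DnsOnly -ErrorAction Stop |
                           Where-Object { $_.Type -eq 'A' }
                foreach ($a in $answers) {
                    $scope = if (Test-PrivateIPv4 $a.IPAddress) { 'private' } else { 'PUBLIC' }
                    [pscustomobject]@{ Adapter = $alias; Metric = $metric; DnsServer = $server
                                       Answer  = $a.IPAddress; Scope = $scope }
                }
            } catch {
                # Unreachable server or NXDOMAIN: still worth seeing which adapter it belongs to.
                [pscustomobject]@{ Adapter = $alias; Metric = $metric; DnsServer = $server
                                   Answer  = '(no answer)'; Scope = 'n/a' }
            }
        }
    } | Sort-Object Metric | Format-Table -AutoSize
```

Run it once before and once after connecting the VPN client; the corporate name should move from a PUBLIC answer (or no answer) to a private one served by the VPN adapter's DNS servers, and that adapter should sort to the top of the metric column.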
