You may see some Domain Name System (DNS) related issues when you establish a VPN tunnel between the Cisco VPN Client and a Cisco headend device (such as a PIX Firewall, a VPN 3000 Concentrator, or a Cisco router).
These are some of the issues that can be seen:
- One day it may work fine, the next day it may not work so well, or it may even stop working during an active VPN session.
- Devices are configured for split tunneling. When the client connects, DNS resolution of the host is sometimes internal and sometimes external.
- When you connect to your company network, you can access some servers, but you cannot connect to internal web sites or to your mail server. When you issue an ipconfig /all command on the PC, you have the correct Windows Internet Naming Service (WINS) servers, but not the correct DNS servers.
To resolve this issue, perform these steps:
- Make sure the VPN server (PIX Firewall, Cisco VPN Concentrator, or router) successfully assigns a DNS server IP address to the Cisco VPN Client. To check, issue the ipconfig /all command on your PC after you are connected with the VPN Client.
- If you do not see the correct IP address in the DNS Servers field, check the configuration on the VPN server to make sure it is set up to push the DNS server's IP address to the VPN Client.
- To assign the DNS server's IP address to the VPN Client, use these settings:
- On the PIX Firewall:
vpngroup test dns-server x.x.x.x
Note: dns-server is an optional parameter of the vpngroup command (test is the VPN group name).
- On the VPN Concentrator:
- Go under Configuration > User Management > Groups.
- Select the group you are working with and click Modify Group.
- Go to the General tab and scroll down. You can assign DNS settings to the clients in this location. Make sure the correct IP address was specified.
- If the VPN Client receives the correct DNS IP address from the VPN server but name resolution still does not work, verify that the Network Basic Input/Output System (NetBIOS) over TCP/IP option is enabled under Advanced TCP/IP properties > WINS on the PC that runs the VPN Client.
Note: If you do not have split tunneling configured for the VPN Client, you can no longer use the DNS server of the Internet Service Provider (ISP), because all traffic is now encrypted and sent to the VPN server.
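As an added example (not part of the Cisco document), this Python script applies the ipconfig /all check from the steps above to a constructed sample of the command's output: it parses the per-adapter fields, confirms that the VPN adapter received the expected internal DNS server, and confirms that NetBIOS over TCP/IP is enabled. The adapter name, the expected DNS address 10.1.1.10, and the sample output are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of `ipconfig /all` output (not a real capture): the VPN adapter
# still points at the ISP resolver and NetBIOS over TCP/IP is off, the failure case above.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.23
   DNS Servers . . . . . . . . . . . : 203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Cisco VPN Adapter:

   IP Address. . . . . . . . . . . . : 10.10.10.5
   DNS Servers . . . . . . . . . . . : 203.0.113.53
   Primary WINS Server . . . . . . . : 10.1.1.20
   NetBIOS over Tcpip. . . . . . . . : Disabled
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):$")  # non-indented "... adapter <name>:" header
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*: ?(.*)$")  # "   Key . . . : value"

def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {adapter: {field: [values]}}; indented lines with no key (extra DNS servers) join the previous field."""
    adapters, current, last_field = {}, None, None
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line):
            current, last_field = m.group(1), None
            adapters[current] = {}
        elif current and line.strip():
            if m := FIELD_RE.match(line):
                last_field = m.group(1).strip()
                adapters[current].setdefault(last_field, [])
                if m.group(2).strip():
                    adapters[current][last_field].append(m.group(2).strip())
            elif last_field:
                adapters[current][last_field].append(line.strip())
    return adapters

def check_vpn_dns(text: str, expected_dns: str, adapter_hint: str = "VPN") -> Dict[str, object]:
    """The two checks from the procedure: VPN adapter got the pushed DNS server; NetBIOS over TCP/IP is enabled."""
    adapters = parse_ipconfig(text)
    name = next((n for n in adapters if adapter_hint.lower() in n.lower()), None)
    fields = adapters.get(name, {})
    dns = fields.get("DNS Servers", [])
    return {"vpn_adapter": name, "dns_servers": dns, "dns_ok": expected_dns in dns,
            "netbios_ok": fields.get("NetBIOS over Tcpip", [])[:1] == ["Enabled"]}
```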
These are the related Cisco bug IDs:
- CSCds65138: W2K Client - WINS - You must add Client for MS Networks for Dialup
- CSCdy66378: Client ignores DNS server from mode cfg
- CSCdy39938: Split DNS servername is not released
- CSCdr47582: WINS address not configured on machines with Static IPs
For more information, refer to these documents:
- The After the Tunnel Is Up, User Is Unable to Browse the Internet - Split Tunneling section of IP Security Troubleshooting - Understanding and Using debug Commands
- Error Message When Attempting to Resolve NetBIOS Name Longer than 16 Characters with VPN or RAS Connection