
Split DNS issue on VPN Conc 3000 and Cisco VPN Client

Hi, recently we've seen an increase in complaints re: DNS for clients connecting via VPN to our corporate.

Typical problem is that the user connects via Cisco VPN Client to VPN Conc at Corporate - Key applications are failing. We noticed that in most/all cases - the client is resolving the corporate server to its Public IP address (as their ISP DNS is performing the duty of primary DNS server). Needless to say, we have restricted access to the Public IPs, so the applications are failing for the users.

We tried the Split-DNS option enabled in our lab to see if the name resolution works properly - but in spite of the simple setting configuration, it does not work in the lab as well. Users coming to the LAB VPN Conc are still using their ISP DNS servers to resolve the .com domain (which is listed in the Split-DNS setting in the LAB VPN Conc).

I noted a URL in Cisco - and all 3 options to check on the client side are fine.

At a loss - especially, since some of the users are saying these applications worked for them until recently. Yes, I have done my rounds of checking that nothing had changed on the concentrator. I am thinking this is very specific to the client desktop settings. But, no ammunition yet .. SOS ...




Re: Split DNS issue on VPN Conc 3000 and Cisco VPN Client

Split DNS lets an internal DNS server resolve a list of centrally-defined Local Domain Names (LDN), while ISP-assigned DNS servers resolve all other DNS requests. This feature is used in a split-tunneling connection. You configure LDNs on a Base Group/Group basis. VPN 3002 Hardware Client must refrain from split tunneling.


Re: Split DNS issue on VPN Conc 3000 and Cisco VPN Client

Update - As mentioned earlier, enabling SplitDNS on the lab concentrators did not resolve the issue for our clients. The fix was a desktop fix - to have the ncpa.cpl - adapter binding order such that the VPN adapter was the primary. So, it would use the internal preferred name servers and resolve to private IP.

Even in the split-tunnel mode, I did not see a fix by enabling split-DNS on the concentrator. Once the desktop adapter setting was altered, the issue was resolved.

I am not sure if Split-DNS is really a requirement. It has been working for us up until now - without enabling it on the concentrator. This issue was sparked when some users were unable to resolve to private IP - so we went at this with an individual/user/pc/desktop approach.

thanks much
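
A way to check a client for the symptom described in this thread, as an added example that is not part of the original posts: it flags names inside a split-DNS domain that resolved to a non-private address, meaning the ISP resolver answered instead of the internal one. The domain list, the sample lookups and the assumption that internal servers use RFC 1918 addresses are constructed for illustration.

```python
import ipaddress

# Assumption: "private IP" in the thread means RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (hypothetical domain and lookup results).
LOCAL_DOMAINS = ["corp.example.com"]
OBSERVED = [
    ("app1.corp.example.com", "10.20.30.40"),    # answered by internal DNS
    ("app2.corp.example.com", "203.0.113.25"),   # answered by ISP DNS
    ("www.example.org", "198.51.100.7"),         # not a split-DNS name
    ("notcorp.example.com", "198.51.100.9"),     # suffix look-alike only
]


def is_local_domain(qname, local_domains):
    """True if qname equals or is a subdomain of a split-DNS domain.

    Matching is done on label boundaries so that 'notcorp.example.com'
    does not match 'corp.example.com'.
    """
    name = qname.rstrip(".").lower()
    for domain in local_domains:
        domain = domain.rstrip(".").lower()
        if name == domain or name.endswith("." + domain):
            return True
    return False


def is_internal_address(addr):
    """True if addr falls inside one of the RFC 1918 networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def audit(observed, local_domains):
    """Return (name, address) pairs that should have been resolved by the
    internal DNS server but came back with a public address."""
    return [(name, addr) for name, addr in observed
            if is_local_domain(name, local_domains)
            and not is_internal_address(addr)]


if __name__ == "__main__":
    for name, addr in audit(OBSERVED, LOCAL_DOMAINS):
        print(f"{name} resolved to public address {addr}")
```
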
