Cisco Support Community
New Member

ASA VPN Client Cannot Resolve DNS

I am running ASA5510 IOS 8.2(1). The VPN clients are getting the correct DNS when I check with config /all. However, in the command prompt, nslookup is using the ISP DNS server. We see this intermittent issue happening only on the Windows 7 machine. The VPN clients we tried are 5.0.07.0290 (64-bit) and 5.0.07.0410 (32-bit). Has anyone encountered the same issue? Any idea how to resolve this?

Cisco Employee

Re: ASA VPN Client Cannot Resolve DNS

Hi,

You have mentioned that this issue only surfaces on Windows 7. Are you using a WWAN card on the Win 7 machine for internet access?

Have you checked on XP as well? Please paste a little part of the config showing what the internal network behind the ASA is, and what the remote VPN IP pool range and DNS server values are.

Thanks,

Namit

New Member

Re: ASA VPN Client Cannot Resolve DNS

Thanks for your response.

So far I don't see any issue with XP. I just pasted a portion of the config for you. If you need more info just let me know. Thanks.

interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 172.16.3.19 255.255.255.248 standby 172.16.3.21
!
interface Ethernet0/2
 description LAN/STATE Failover Interface
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3.314
 vlan 314
 nameif DMZ1
 security-level 10
 ip address 10.7.14.1 255.255.255.0 standby 10.7.14.2

!

access-list OUTSIDE extended permit tcp any host 38.110.64.16 eq https
access-list OUTSIDE extended permit tcp any host 38.110.64.17 eq https
access-list OUTSIDE extended permit tcp any host 38.110.64.18 eq 3101
access-list OUTSIDE extended permit tcp any host 38.110.64.19 eq www
access-list OUTSIDE extended permit tcp any host 38.110.64.21 eq https
access-list OUTSIDE extended permit tcp any host 38.110.64.22 eq https
access-list OUTSIDE extended permit tcp any host 38.110.64.9 eq 5061
access-list OUTSIDE extended permit tcp any host 38.110.64.9 eq https
access-list OUTSIDE extended permit tcp any host 38.110.64.10 eq https
access-list OUTSIDE extended permit udp any host 38.110.64.10 eq 3478
access-list OUTSIDE extended permit tcp any host 38.110.64.10 range 50000 59000
access-list OUTSIDE extended permit udp any host 38.110.64.10 range 50000 59000
access-list OUTSIDE extended permit tcp any host 38.110.64.11 eq https
access-list OUTSIDE extended permit udp any host 38.110.64.15 eq tftp
access-list OUTSIDE extended permit tcp any host 38.110.64.25 eq https
access-list OUTSIDE extended permit tcp object-group MESSAGELABS host 38.110.64.25 eq smtp
access-list OUTSIDE extended permit tcp any host 38.110.64.26 eq https
access-list OUTSIDE extended permit tcp object-group MESSAGELABS host 38.110.64.26 eq smtp
access-list dpmvpn_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list dpmvpn_splitTunnelAcl standard permit 172.16.0.0 255.240.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.7.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.240.0.0 10.7.0.0 255.255.255.0

!

ip local pool TOR_ASA_IP_POOL 10.7.0.1-10.7.0.254 mask 255.255.255.0

!

group-policy dpmvpn internal
group-policy dpmvpn attributes
 dns-server value 10.7.7.10 10.7.7.13
 vpn-tunnel-protocol IPSec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value dpmvpn_splitTunnelAcl
 default-domain value dpm.domain
!
tunnel-group dpmvpn type remote-access
tunnel-group dpmvpn general-attributes
 address-pool TOR_ASA_IP_POOL
 authentication-server-group DPMLDAP LOCAL
 default-group-policy dpmvpn

Cisco Employee

Re: ASA VPN Client Cannot Resolve DNS

Hi,

So you are not able to access the internal hosts behind the ASA using names. Are you able to reach the internal network using IP addresses?

Thanks,

Namit

Cisco Employee

Re: ASA VPN Client Cannot Resolve DNS

Hi,

Please paste your NAT configuration also.

Thanks,

Namit

New Member

Re: ASA VPN Client Cannot Resolve DNS

Oh yes I forgot to paste that.

nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) 38.110.64.16 10.7.7.8 netmask 255.255.255.255
static (inside,outside) 38.110.64.17 10.7.7.3 netmask 255.255.255.255
static (inside,outside) 38.110.64.18 10.7.7.6 netmask 255.255.255.255
static (inside,outside) 38.110.64.19 10.7.7.12 netmask 255.255.255.255
static (inside,outside) 38.110.64.21 10.7.7.19 netmask 255.255.255.255
static (inside,outside) 38.110.64.22 10.7.7.18 netmask 255.255.255.255
static (DMZ1,outside) 38.110.64.9 10.7.14.9 netmask 255.255.255.255
static (DMZ1,outside) 38.110.64.10 10.7.14.10 netmask 255.255.255.255
static (DMZ1,outside) 38.110.64.11 10.7.14.11 netmask 255.255.255.255
static (inside,outside) 38.110.64.15 10.7.8.3 netmask 255.255.255.255
static (inside,outside) 38.110.64.25 10.7.7.70 netmask 255.255.255.255
static (inside,outside) 38.110.64.26 10.7.7.17 netmask 255.255.255.255
access-group OUTSIDE in interface outside
access-group DMZ1_access_in in interface DMZ1
route outside 0.0.0.0 0.0.0.0 38.110.64.1 1
route inside 10.0.0.0 255.0.0.0 172.16.3.17 1
route inside 10.7.0.0 255.255.0.0 172.16.3.18 1
route inside 172.16.0.0 255.240.0.0 172.16.3.17 1

Cisco Employee

Re: ASA VPN Client Cannot Resolve DNS

Hi,

Also, as I asked earlier, are you using a WWAN card? Can we change the routes "route inside 10.0.0.0 255.0.0.0 172.16.3.17 1" and "route inside 10.7.0.0 255.255.0.0 172.16.3.18 1" to a more specific route, because it might conflict with the route for the remote access pool 10.7.0.0/24?

Thanks,

Namit
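
The overlap raised in the reply above can be checked mechanically. The following Python sketch is an added example, not part of the original post: it parses configuration lines copied from this thread, lists the inside routes whose prefix contains the remote-access pool, and checks that the pushed DNS servers fall inside the split-tunnel list. The function names are illustrative assumptions.

```python
import ipaddress

# Lines copied from the configuration posted in this thread.
CONFIG = """\
access-list dpmvpn_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list dpmvpn_splitTunnelAcl standard permit 172.16.0.0 255.240.0.0
ip local pool TOR_ASA_IP_POOL 10.7.0.1-10.7.0.254 mask 255.255.255.0
dns-server value 10.7.7.10 10.7.7.13
route outside 0.0.0.0 0.0.0.0 38.110.64.1 1
route inside 10.0.0.0 255.0.0.0 172.16.3.17 1
route inside 10.7.0.0 255.255.0.0 172.16.3.18 1
route inside 172.16.0.0 255.240.0.0 172.16.3.17 1
"""

def net(addr, mask):
    # The ASA writes masks in dotted form; ipaddress accepts "addr/mask".
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect split-tunnel networks, inside routes, DNS servers and the pool."""
    cfg = {"split": [], "routes": [], "dns": [], "pool": None}
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["access-list"] and w[2:4] == ["standard", "permit"]:
            cfg["split"].append(net(w[4], w[5]))
        elif w[:2] == ["route", "inside"]:
            cfg["routes"].append((net(w[2], w[3]), w[4]))
        elif w[:2] == ["dns-server", "value"]:
            cfg["dns"] = [ipaddress.ip_address(a) for a in w[2:]]
        elif w[:3] == ["ip", "local", "pool"]:
            # "first-last mask M": derive the pool subnet from the first address.
            cfg["pool"] = net(w[4].split("-")[0], w[6])
    return cfg

def overlapping_inside_routes(cfg):
    """Inside routes whose prefix contains the VPN pool, most specific first."""
    hits = [(n, gw) for n, gw in cfg["routes"] if cfg["pool"].subnet_of(n)]
    return sorted(hits, key=lambda r: r[0].prefixlen, reverse=True)

def dns_outside_tunnel(cfg):
    """Pushed DNS servers that no split-tunnel entry covers."""
    return [d for d in cfg["dns"] if not any(d in n for n in cfg["split"])]

if __name__ == "__main__":
    cfg = parse(CONFIG)
    for n, gw in overlapping_inside_routes(cfg):
        print(f"pool {cfg['pool']} is inside route {n} via {gw}")
    print("DNS servers not covered by split tunnel:", dns_outside_tunnel(cfg))
```
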

New Member

Re: ASA VPN Client Cannot Resolve DNS

Hi Namit,

I missed your question earlier. I saw this in the release notes: "The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards)." Is the Bell stick that goes in the USB port on the laptop considered a WWAN device? The clients are using that on their laptops.

I am not going to touch the route for now since it is working for other VPN clients.

Joe

Cisco Employee

Re: ASA VPN Client Cannot Resolve DNS

Hi Joe,

Thanks for the update. Can you try pinging or accessing something on the internal network using an IP address instead of DNS, so that we can rule out DNS being the issue?

Thanks,

Namit

Cisco Employee

Re: ASA VPN Client Cannot Resolve DNS

Hi,

Please check the connection settings: does it connect to some cellular network? If yes, is there a way you can set it up as a Dial Up Connection?

Thanks,

Namit

New Member

Re: ASA VPN Client Cannot Resolve DNS

Hi Namit,

I tested the ping. IP addresses work, so it is the DNS.

I think the Bell stick is using 3G. Here is the user guide: http://mobilebusiness.bell.ca/Assets/61adc7d02dfe4b9893ce2e41952de9aa_Bell-Mobile-Connect-User-Guide_English-Final.pdf

I am not able to test it out on the dial-up connection. The customer is saying it is working now. I am thinking it could be an intermittent issue.

The Cisco VPN client 5.0.07 release notes say:

The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards).

http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client5007/release/notes/vpnclient5007.html#wp45722

If this is a known issue I will just leave it until the next VPN client release.

Thanks,

Joe

Cisco Employee

Re: ASA VPN Client Cannot Resolve DNS

Yes, there are some issues with the wireless data cards.

WWAN devices are not supported by the IPsec VPN Client if you are using Windows 7. This is because Windows 7 introduced a new adapter type called WWAN. The WWAN type bypasses NDIS IM drivers, so our NDIS IM driver fails to receive packets that go in and out of WWAN devices.

Here is a workaround worth a try.

We can try forcing some domains to resolve through the VPN tunnel. This can be done using split-dns. I have seen this work before.

E.g.:

group-policy EXAMPLE attributes
  split-dns value cisco.com

See if this helps.

New Member

Re: ASA VPN Client Cannot Resolve DNS

Thanks for the explanation. I will need to do some research on split dns.

Cisco Employee

Re: ASA VPN Client Cannot Resolve DNS

Hi Joe,


If the IP address works then it has to be a DNS issue. Since it is working with DNS also now, it must have been an intermittent issue.

Yes, this is a known issue. It might be fixed in the next release of the VPN Client. In your case, even though you are using a 3G connection, you are not being affected by this issue as per the following explanation.

Windows 7 introduced a new adapter type called WWAN. The traffic accepted by the NIC is controlled by an NDIS Miniport Driver. The WWAN type bypasses NDIS IM drivers (Network Driver Interface Specification Intermediate driver), so the Client NDIS IM driver fails to receive packets that go in and out of WWAN devices. The third-party tool that acts as the NDIS IM driver is DNE by Citrix.

The current release of Citrix DNE is an NDIS intermediate driver that is based on NDIS 5.0. However, the native Windows 7 Mobile Broadband driver (WWAN Card) is based on NDIS 6.2. Earlier intermediate drivers that are based on NDIS 4.x or on NDIS 5.x have a known compatibility issue with the native Windows 7 Mobile Broadband driver.

The reason the connection will work when set up as a Dial Up Connection or used as a USB Stick is that it bypasses the limitation of NDIS drivers to connect to the internet, whereas the internal card is used as a NIC, which the VPN Client is not able to recognize.

Hope that answers your query. If everything is ok please mark the post as answered. 

Thanks,

Namit 

New Member

Re: ASA VPN Client Cannot Resolve DNS

Hi Namit,

I don't quite understand. You said it is a known issue but it doesn't affect me. I tried to understand the explanation but it is beyond my knowledge.

Cisco Employee

Re: ASA VPN Client Cannot Resolve DNS

Hi Joe,

Apologies for that. The WWAN Card not being supported is a known issue, as the release notes mention: "The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards)."

The Bell Stick you are using is a 3G Mobile Connection, so it falls under this category. So anybody using this type of connection should face issues. The reason why this does not work is:

  • Windows 7 introduced a new adapter type called WWAN.
  • The traffic accepted by the NIC is controlled by an NDIS Miniport Driver.
  • The new WWAN connection bypasses NDIS IM drivers (Network Driver Interface Specification Intermediate driver), so our VPN Client NDIS IM driver fails to receive packets that go in and out of WWAN devices.
  • Thereby no traffic flows across the tunnel even though the VPN Client connects (IP based or DNS based).

But in case we use the 3G Connection as a USB Stick or set it up as a Dial Up Connection, it works.

  • Most cellular devices that are based on Qualcomm technology (all of them) will install a virtual serial driver and a modem driver so that AT commands can be used to control the cellular device.
  • In the above case it works because we are forcing this interface to make the connection using the same technology that dial-analog modems use for connecting.
  • It bypasses the limitation with NDIS drivers where the WWAN connection is a NIC and the VPN Client is not able to recognize it, as explained earlier.

Thanks,

Namit

New Member

Re: ASA VPN Client Cannot Resolve DNS

Hi Namit,

Thanks for the long explanation.

Joe

New Member

Re: ASA VPN Client Cannot Resolve DNS

Hi all.

I hope you guys can help me solve this problem.

Today I tried connecting a 5.0.07.0290 client on a 64-bit Win 7 to the VPN. Everything worked fine, but DNS does not work, like everyone else said before.

We use a USB GSM modem for remote access. The same stick works on Win 7 notebooks with 5.0.07.0410, and DNS works also. It's not a configuration issue on the ASA because everything works fine.

DNS servers are filled in on the client, and if I do an nslookup on the server, the nslookup works. If I do not specify the DNS on the nslookup, it takes the ISP's DNS.

So what can I do here?

Thanks for your time.

Cisco Employee

Re: ASA VPN Client Cannot Resolve DNS

Hi Joe,

This probably seems like an issue with the binding order of the adapter in which DNS requests are going to be sent out.

This binding order can be changed as below. Can you change and test? (Please test on a PC which shows the issue consistently, or at least more frequently than others.)

Windows 7 / Vista

1. Go to Start.
2. Type "view network connections" in search and click on that selection.
3. Press "ALT" to get to the advanced menu. Then > Advanced > Advanced connections.
4. Click on the Adapters and Bindings tab. Move the "Local Area Connection" that corresponds to the VPN Adapter to the top of the list.

Thanks,

Naman