Cisco AnyConnect Secure Mobility Client v2.x Troubleshooting Guide

Note: Avoid the use of NSLookup when you test name resolution on the client. Instead, rely on a
browser or use the ping command. This is because NSLookup does not rely on the OS DNS resolver.
AnyConnect does not force a DNS request out of a certain interface; it allows or rejects the request according
to the split DNS configuration. In order to force the DNS resolver to try an acceptable DNS server for a request,
it is important that split DNS testing is performed only with applications that rely on the native DNS resolver
for domain name resolution, that is, all applications except NSLookup, Dig, and similar tools that handle DNS
resolution by themselves.
True Versus Best Effort Split DNS
AnyConnect Release 2.4 supports split DNS fallback (best effort split DNS), which is not the true split DNS
found in the legacy IPsec client. If the request matches a split DNS domain, AnyConnect allows the request to
be tunneled into the ASA. If that server cannot resolve the host name, the DNS resolver continues and sends
the same query to the DNS server that is mapped to the physical interface.
On the other hand, if the request does not match any of the split DNS domains, AnyConnect does not tunnel it
into the ASA. Instead, it builds a DNS response so that the DNS resolver falls back and sends the query to the
DNS server that is mapped to the physical interface. That is why this feature is not called split DNS, but DNS
fallback for split tunneling. AnyConnect only ensures that requests for split DNS domains are the ones that
are tunneled in; beyond that, it relies on the client OS DNS resolver behavior for host name resolution.
This raises a security concern because a private domain name can leak. For example, the native DNS client
can send a query for a private domain name to a public DNS server when the VPN DNS name server could not
resolve that query.
Refer to Cisco bug ID CSCtn14578, currently resolved on Microsoft Windows only, as of Version 3.0(4235).
The solution implements true split DNS: only queries for names that match the configured and allowed split
DNS domains are sent to the VPN DNS servers. All other queries are allowed only to other DNS servers, such
as those configured on the physical adapter(s).
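The two resolver behaviors described above, modeled as an added example (this is not Cisco or AnyConnect code): the split domains, the two DNS tables and all function names are constructed for the illustration. The best-effort path records every server a query reaches, which makes the private-name leak visible, and the true split DNS path never lets a split-domain name reach the physical adapter's server.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample data: one split DNS domain, a VPN DNS server that knows
# a single internal name, and a public resolver on the physical adapter.
SPLIT_DOMAINS: List[str] = ["corp.example"]
VPN_DNS: Dict[str, str] = {"intranet.corp.example": "10.1.2.3"}
PHYSICAL_DNS: Dict[str, str] = {"www.public-example.org": "203.0.113.10"}

Answer = Tuple[Optional[str], List[str]]  # (resolved address or None, servers queried in order)


def matches_split_domain(name: str, split_domains: List[str]) -> bool:
    """True if name equals a split DNS domain or is a subdomain of one."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in split_domains)


def resolve_best_effort(name: str, split_domains: List[str],
                        vpn_dns: Dict[str, str], physical_dns: Dict[str, str]) -> Answer:
    """Release 2.4 behavior (DNS fallback for split tunneling)."""
    queried: List[str] = []
    if matches_split_domain(name, split_domains):
        queried.append("vpn")                 # query is tunneled to the VPN DNS server
        if name in vpn_dns:
            return vpn_dns[name], queried
    # Either the name is not a split domain (AnyConnect answers so the resolver
    # falls back) or the VPN server could not resolve it: the native resolver
    # re-sends the same query to the physical adapter's DNS server.
    queried.append("physical")
    return physical_dns.get(name), queried


def resolve_true_split(name: str, split_domains: List[str],
                       vpn_dns: Dict[str, str], physical_dns: Dict[str, str]) -> Answer:
    """Behavior after CSCtn14578: split-domain names go only to the VPN DNS
    servers, everything else only to the physical adapter's servers."""
    if matches_split_domain(name, split_domains):
        return vpn_dns.get(name), ["vpn"]
    return physical_dns.get(name), ["physical"]


def leaks_private_name(name: str, resolver) -> bool:
    """True if a query for a split-domain name reached a non-VPN DNS server."""
    _, queried = resolver(name, SPLIT_DOMAINS, VPN_DNS, PHYSICAL_DNS)
    return matches_split_domain(name, SPLIT_DOMAINS) and "physical" in queried
```

With the sample data, `secret.corp.example` (unknown to the VPN server) leaks to the physical resolver under best-effort mode but not under true split DNS.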
Tunnel All and Tunnel All DNS
When split tunneling is disabled (the tunnel all configuration), DNS traffic is allowed strictly via the tunnel.
The tunnel all DNS configuration (set in the group policy) is used together with some form of split tunneling
and sends all DNS lookups through the tunnel; here too, DNS traffic is allowed strictly via the tunnel.
This is consistent across platforms with one caveat on Microsoft Windows: when either tunnel all or tunnel all
DNS is configured, AnyConnect allows DNS traffic strictly to the DNS servers that are configured on the
secure gateway (applied to the VPN adapter). This is a security enhancement implemented along with the
previously mentioned true split DNS solution.
If this proves problematic in certain scenarios (for example, DNS update/registration requests must be sent to
non-VPN DNS servers), then complete these steps:
1. If the current configuration is tunnel all, then enable split-exclude tunneling. Any single-host
split-exclude network is acceptable for use, such as a link-local address.
2. Ensure that tunnel all DNS is not configured in the group policy.
DNS Performance Issue Resolved in AnyConnect Version 3.0(4235)