Cisco AnyConnect Secure Mobility Client v2.x Troubleshooting Guide
This Microsoft Windows issue is mostly prevalent under these conditions:
• With the home router setup, the DNS and DHCP servers are assigned the same IP address (AnyConnect creates a necessary route to the DHCP server).
• A large number of DNS domains are in the group policy.
• A Tunnel-all configuration is used.
• The name resolution is performed by a non-qualified host name, which implies that the resolver must try a number of DNS suffixes on all of the available DNS servers until the one relevant to the queried host name is attempted.
This issue is due to the native DNS client that attempts to send DNS queries via the physical adapter, which AnyConnect blocks (given the tunnel-all configuration). This leads to a name resolution delay that can be significant, especially if a large number of DNS suffixes are pushed by the headend. The DNS client must walk through all of the queries and available DNS servers until it receives a positive response.
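The following is an added illustration, not Cisco's code, of the suffix walk the paragraph above describes. It models a stub resolver that tries each candidate name (one per pushed suffix, then the bare name) against each configured server, and charges a fixed timeout for every query dropped on a blocked path. The candidate order, the timeout value, and the sample suffixes and server addresses are constructed assumptions; the real Windows resolver also retransmits and queries in parallel, so the numbers are a lower bound, not a measurement.

```python
"""Simplified model of the DNS suffix walk behind the AnyConnect tunnel-all delay.

Added example, not Cisco's code.  Candidate order, per-query timeout and the
sample suffixes/servers below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DnsServer:
    address: str
    reachable: bool             # False: queries are dropped (e.g. blocked on the physical adapter)
    zone: Optional[str] = None  # suffix this server answers for (constructed)


def candidate_names(host: str, suffixes: List[str]) -> List[str]:
    """Names the stub resolver tries, in order.

    A name with a trailing dot is treated as fully qualified and is never
    suffixed, which is why the FQDN workaround avoids the walk entirely.
    """
    if host.endswith("."):
        return [host]
    return [f"{host}.{suffix}" for suffix in suffixes] + [host]


def resolve(host: str, suffixes: List[str], servers: List[DnsServer],
            timeout_s: float = 2.0) -> Tuple[Optional[str], int, float]:
    """Walk every candidate against every server until one gives a positive answer.

    Returns (answered_name or None, queries_sent, seconds_spent_waiting).
    A reachable server that is not authoritative is modelled as answering
    (negatively) at once, so it adds a query but no waiting time.
    """
    queries = 0
    waited = 0.0
    for name in candidate_names(host, suffixes):
        for srv in servers:
            queries += 1
            if not srv.reachable:
                waited += timeout_s  # dropped query: the resolver waits for the timeout
                continue
            if srv.zone and name.rstrip(".").endswith("." + srv.zone):
                return name, queries, waited  # positive response ends the walk
    return None, queries, waited


# Constructed scenario: four suffixes pushed by the headend, and the home
# router's DNS server (blocked by tunnel-all) listed before the corporate one.
SUFFIXES = ["a.example", "b.example", "c.example", "corp.example"]
TUNNEL_ALL = [DnsServer("192.0.2.1", reachable=False),
              DnsServer("10.10.0.53", reachable=True, zone="corp.example")]
# Same servers once a split-exclude rule lets the local DNS path through.
SPLIT_EXCLUDE = [DnsServer("192.0.2.1", reachable=True),
                 DnsServer("10.10.0.53", reachable=True, zone="corp.example")]


if __name__ == "__main__":
    for label, servers in (("tunnel-all", TUNNEL_ALL), ("split-exclude", SPLIT_EXCLUDE)):
        for host in ("fileserver", "fileserver.corp.example."):
            print(label, host, resolve(host, SUFFIXES, servers))
```

Running it shows the three levers the workarounds pull on: the query count grows with suffixes times servers, the waiting time comes only from the blocked server, and a fully qualified name collapses the walk to a single candidate.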
This problem is resolved in AnyConnect Version 3.0(4235). Reference Cisco bug IDs CSCtq02141 and CSCtn14578, along with the introduction to the previously-mentioned true split DNS solution, for more information.
If an upgrade cannot be implemented, then here are the possible workarounds:
• Enable split-exclude tunneling for an IP address, which allows the local DNS requests to flow through the physical adapter. You can use an address from the link-local subnet 169.254.0.0/16 because it is unlikely that any device sends traffic to one of those IP addresses over the VPN. After you enable the split-exclude tunneling, enable local LAN access on the client profile or on the client itself, and disable tunnel all DNS.
On the ASA, make these configuration changes:
    access-list acl_linklocal_169.254.1.1 standard permit host 169.254.1.1
    group-policy gp_access-14 attributes
      split-tunnel-policy excludespecified
      split-tunnel-network-list value acl_linklocal_169.254.1.1
      split-tunnel-all-dns disable
    exit
On the client profile, you must add this line:
    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
You can also enable this on a per-client basis in the AnyConnect client GUI. Navigate to the AnyConnect Preference menu, and check the Enable local LAN access check-box.
• Use the fully qualified domain names (FQDNs) instead of the unqualified host names for the name resolutions.
• Use a different IP address for the DNS server on the physical interface.
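The profile step of the first workaround, as an added example that is not Cisco's code: a small script that checks whether an AnyConnect client profile already enables LocalLanAccess and, if not, adds or updates the element so it reads exactly as the line above. The sample profile is constructed; the <ClientInitialization> container and the profile's default namespace are assumptions about the usual profile layout, so verify them against your own profile before rolling a modified file out.

```python
"""Check and update the LocalLanAccess setting in an AnyConnect client profile.

Added example, not Cisco's code.  SAMPLE_PROFILE is constructed; the
ClientInitialization container and the default namespace are assumptions.
"""
import xml.etree.ElementTree as ET

NS = "http://schemas.xmlsoap.org/encoding/"  # assumed default namespace of the profile
ET.register_namespace("", NS)                # serialize without an ns0: prefix

SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.test</HostName>
      <HostAddress>vpn.example.test</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _client_init(root: ET.Element) -> ET.Element:
    """Return the ClientInitialization element, creating it if the profile lacks one."""
    el = root.find(f"{{{NS}}}ClientInitialization")
    if el is None:
        el = ET.SubElement(root, f"{{{NS}}}ClientInitialization")
    return el


def local_lan_access_enabled(profile_xml: str) -> bool:
    """True only when ClientInitialization/LocalLanAccess is present and reads 'true'."""
    root = ET.fromstring(profile_xml)
    el = root.find(f"{{{NS}}}ClientInitialization/{{{NS}}}LocalLanAccess")
    return el is not None and (el.text or "").strip().lower() == "true"


def enable_local_lan_access(profile_xml: str, user_controllable: bool = True) -> str:
    """Return the profile with LocalLanAccess set to true (added if missing)."""
    root = ET.fromstring(profile_xml)
    init = _client_init(root)
    el = init.find(f"{{{NS}}}LocalLanAccess")
    if el is None:
        el = ET.SubElement(init, f"{{{NS}}}LocalLanAccess")
    el.set("UserControllable", "true" if user_controllable else "false")
    el.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", local_lan_access_enabled(SAMPLE_PROFILE))
    updated = enable_local_lan_access(SAMPLE_PROFILE)
    print("after: ", local_lan_access_enabled(updated))
    print(updated)
```

Leaving UserControllable set to "true" matches the line the guide gives and keeps the per-client GUI check-box available; pass user_controllable=False if the setting should be locked by the profile instead.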