Cisco 5510 asa vpn ias dns - Can't find server name for address

Using a Cisco 5510 ASA for remote VPN with IAS authentication, and we are having a problem using local DNS. When doing an nslookup we receive the error "*** Can't find server name for address".
The VPN connection works using IAS (which is running on server). Able to ping and RDP to all internal networks, including the domain server running DNS.

ASA Version 7.1(2)
hostname xxxvnp
domain-name xxx.local
enable password xxxxxxxxxx encrypted
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xxx.xxx.xxx.xxx
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
interface Ethernet0/2
 nameif Inside
 security-level 1
 ip address
interface Management0/0
 nameif management
 security-level 0
 no ip address
passwd xxxxxxxxxx encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
 retries 3
 timeout 3
 domain-name xxx.local
same-security-traffic permit inter-interface
access-list Inside_nat0_outbound extended permit ip any
access-list staff standard permit
access-list staff standard permit
access-list staff standard permit
access-list staff standard permit
access-list staff standard permit
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool vpnpool mask
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat (Inside) 0 access-list Inside_nat0_outbound
route Outside 1
route Inside tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpnauth protocol radius
aaa-server vpnauth host
 timeout 30
 key xxxxxx
 radius-common-pw xxxxxx
 acl-netmask-convert auto-detect
group-policy Group internal
group-policy Group attributes
 wins-server value
 dns-server value
 password-storage enable
 group-lock value Group
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value staff
 default-domain value xxx.local
username xxxadmin password xxxxxxxxxx encrypted privilege 15
username xxxadmin attributes
 vpn-group-policy Group
username user password xxxxxxxxxx encrypted privilege 15
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http Inside
http Inside
http Inside
http Inside
snmp-server host Inside community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group Group type ipsec-ra
tunnel-group Group general-attributes
 address-pool (Inside) vpnpool
 address-pool vpnpool
 authentication-server-group vpnauth LOCAL
 authentication-server-group (Inside) vpnauth
 default-group-policy Group
tunnel-group Group ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
telnet Inside
telnet Inside
telnet Inside
telnet Inside
telnet timeout 30
ssh timeout 5
console timeout 0
management-access Inside
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
: end
1 Solution
>Can't find server name for address"
This is usually simply because there is no PTR record for the dns server itself.

I'm assuming that you can actually ping that IP address from a client?
MIDAC (Author) Commented:
Forward and reverse records are configured for the IP address. Also, this server is the Domain Controller, DNS and running the IAS used for VPN authentication. We are able to ping, RDP and map drives. Just can't do an nslookup against the server.
> inspect dns maximum-length 512
Try increasing the max-length on your dns inspect, or disable the dns inspect completely
MIDAC (Author) Commented:
Removed "inspect dns maximum-length 512" and still getting the same result:

C:\Documents and Settings\testuser>nslookup google.com
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address Timed out
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address Timed out
Server:  dns.rnc.net.cable.rogers.com

Non-authoritative answer:
Name:    google.com
That was a shot in the dark anyway.
Just for a test try adding entries for those two servers in the local hosts file
This is a first for me. I've never seen this particular problem.

Although... ASA Version 7.1(2)
Very buggy version. Highly recommend upgrading to 8.0(4)
That's odd... Usually a 512 length DNS filter is fine.
Can you please confirm that you can run nslookup in the local LAN? If you cannot then it is a problem with your DNS server, not the ASA.
And yes, do upgrade to ASA 8.0.4 / ASDM 6.13
MIDAC (Author) Commented:
Nslookup works fine on the LAN. I tried using an IP pool which is in the same internal port IP address block (router internal IP address is and it works. Nslookups of internal forward and reverse DNS addresses. I didn't think it was possible to use IP addresses within the same IP block as the internal port, but gave it a shot anyway.

However, the customer does not wish to use IPs from this block. Remember everything works with the except dns

I noticed something else. I can ping the vpn the client IP Address using the IP Address pool, but I cannot with the ones

I've double checked the routing, but everything else works. Also, I added the to Sites/Subnets and DNS/Reverse Lookup Zones thinking it may be a server issue of allowing DNS lookups.

Since the block works I don't think it's a UDP issue. Could there be something else on the server that needs to be configured?
> I noticed something else. I can ping the vpn the client IP Address using the IP Address pool, but I cannot with the ones
What do you mean exactly?
Also, one interesting question.... you do have an A record set up for, right?
MIDAC (Author) Commented:
It turned out to be a routing issue, even though we had set the Fortigate firewall to allow any/any, and all other communications (ping/RDP) worked fine.

On the dns servers and we added a static route to send all vpn IP Addresses back directly to the vpn router and reverse internal dns worked. We shouldn't have had to do that, but the customer was anxious to get it working.
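The accepted fix above is a return-path problem: nslookup first sends a PTR query for the DNS server's own address, and the reply to the VPN client only arrives if the DNS server routes it back toward the ASA rather than out its default gateway. The following is an added example, not from this thread or from Cisco; it models the DNS server's route table before and after the static route, with constructed addresses in place of the redacted ones.

```python
import ipaddress

# Constructed sample values; the thread redacts the real addresses.
INSIDE_LAN = ipaddress.ip_network("10.10.0.0/24")    # ASA Inside segment
VPN_POOL = ipaddress.ip_network("192.168.50.0/24")   # "ip local pool vpnpool"
ASA_INSIDE_IP = "10.10.0.2"                           # the VPN router (ASA Inside)
DEFAULT_GW = "10.10.0.1"                              # the Fortigate firewall

def next_hop(route_table, dst):
    """Longest-prefix match: the gateway a host uses to reach dst.

    route_table is a list of (prefix, gateway) pairs, e.g. ("0.0.0.0/0", gw).
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in route_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def reply_path_ok(route_table, client_ip):
    """A DNS reply to a VPN client must leave toward the ASA, not the default gateway."""
    return next_hop(route_table, client_ip) == ASA_INSIDE_IP

def pool_overlaps_inside(pool=VPN_POOL, inside=INSIDE_LAN):
    """True when the pool is carved out of the Inside block (the workaround that 'just worked')."""
    return pool.overlaps(inside)

# Before: only a default route, so replies to 192.168.50.x go to the Fortigate.
ROUTES_BEFORE = [("0.0.0.0/0", DEFAULT_GW)]
# After: the static route added on the DNS server, pointing the pool at the ASA.
ROUTES_AFTER = ROUTES_BEFORE + [(str(VPN_POOL), ASA_INSIDE_IP)]

if __name__ == "__main__":
    client = "192.168.50.10"
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(f"{label}: reply to {client} via {next_hop(table, client)}, "
              f"ok={reply_path_ok(table, client)}")
```

Run it against your own DNS server's route table (netstat -r or route print) with the real pool and ASA Inside address substituted in.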
