Cisco 5510 asa vpn ias dns - Can't find server name for address

Posted on 2008-10-01
Last Modified: 2012-08-13
Using a Cisco 5510 ASA for remote VPN using IAS authentication, and we are having a problem using local DNS. When doing an nslookup we receive the error "*** Can't find server name for address".
The VPN connection works using IAS (which is running on the server). Able to ping and RDP to all internal networks, including the domain server running DNS.

ASA Version 7.1(2)
hostname xxxvnp
domain-name xxx.local
enable password xxxxxxxxxx encrypted
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
interface Ethernet0/2
 nameif Inside
 security-level 1
 ip address
interface Management0/0
 nameif management
 security-level 0
 no ip address
passwd xxxxxxxxxx encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
 retries 3
 timeout 3
 domain-name xxx.local
same-security-traffic permit inter-interface
access-list Inside_nat0_outbound extended permit ip any
access-list staff standard permit
access-list staff standard permit
access-list staff standard permit
access-list staff standard permit
access-list staff standard permit
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool vpnpool mask
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat (Inside) 0 access-list Inside_nat0_outbound
route Outside 1
route Inside tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpnauth protocol radius
aaa-server vpnauth host
 timeout 30
 key xxxxxx
 radius-common-pw xxxxxx
 acl-netmask-convert auto-detect
group-policy Group internal
group-policy Group attributes
 wins-server value
 dns-server value
 password-storage enable
 group-lock value Group
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value staff
 default-domain value xxx.local
username xxxadmin password xxxxxxxxxx encrypted privilege 15
username xxxadmin attributes
 vpn-group-policy Group
username user password xxxxxxxxxx encrypted privilege 15
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http Inside
http Inside
http Inside
http Inside
snmp-server host Inside community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group Group type ipsec-ra
tunnel-group Group general-attributes
 address-pool (Inside) vpnpool
 address-pool vpnpool
 authentication-server-group vpnauth LOCAL
 authentication-server-group (Inside) vpnauth
 default-group-policy Group
tunnel-group Group ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
telnet Inside
telnet Inside
telnet Inside
telnet Inside
telnet timeout 30
ssh timeout 5
console timeout 0
management-access Inside
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
: end
Question by: MIDAC
LVL 79

Expert Comment

ID: 22621215
>Can't find server name for address"
This is usually simply because there is no PTR record for the dns server itself.

I'm assuming that you can actually ping that IP address from a client?

Author Comment

ID: 22630446
Forward and reverse records are configured for the IP address. Also, this server is the domain controller, DNS, and running the IAS used for VPN authentication. We are able to ping, RDP and map drives. Just can't do an nslookup against the server.
LVL 79

Expert Comment

ID: 22630678
> inspect dns maximum-length 512
Try increasing the max-length on your dns inspect, or disable the dns inspect completely
Author Comment

ID: 22633198
Removed "inspect dns maximum-length 512" and still getting the same result:

C:\Documents and Settings\testuser>nslookup
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address Timed out
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address Timed out

Non-authoritative answer:
LVL 79

Expert Comment

ID: 22633657
That was a shot in the dark anyway.
Just for a test try adding entries for those two servers in the local hosts file
This is a first for me. I've never seen this particular problem.

Although... ASA Version 7.1(2)
Very buggy version. Highly recommend upgrading to 8.0(4)
LVL 12

Expert Comment

ID: 22635295
That's odd... Usually a 512 length DNS filter is fine.
Can you please confirm that you can run nslookup in the local LAN? If you cannot then it is a problem with your DNS server, not the ASA.
And yes, do upgrade to ASA 8.0.4 / ASDM 6.13

Author Comment

ID: 22687958
Nslookup works fine on the LAN. I tried using an IP pool which is in the same internal port IP address block (router internal IP address is ) and it works. Nslookups of internal forward and reverse DNS addresses. I didn't think it was possible to use IP addresses within the same IP block as the internal port, but gave it a shot anyway.

However, the customer does not wish to use IPs from this block. Remember, everything works with the except DNS.

I noticed something else. I can ping the VPN client IP address using the IP address pool, but I cannot with the ones

I've double checked the routing, but everything else works. Also, I added the to Sites/Subnets and DNS/Reverse Lookup Zones, thinking it may be a server issue of allowing DNS lookups.

Since the block works I don't think it's a UDP issue. Could there be something else on the server that needs to be configured?
LVL 12

Expert Comment

ID: 22692986
> I noticed something else. I can ping the VPN client IP address using the IP address pool, but I cannot with the ones
What do you mean exactly?
Also, one interesting question.... you do have an A record set up for, right?

Accepted Solution

MIDAC earned 0 total points
ID: 22780807
It turned out to be a routing issue, even though we had set the Fortigate firewall to allow any/any, and all other communications (ping/RDP) worked fine.

On the DNS servers and we added a static route to send all VPN IP addresses back directly to the VPN router, and reverse internal DNS worked. We shouldn't have had to do that, but the customer was anxious to get it working.
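As an added illustration (not from the thread; every address is a constructed placeholder, since the page redacts its IPs), the following Python models the longest-prefix route lookup the DNS server performs when it sends a reply to a VPN client: a pool carved from the LAN block is delivered on-link, a separate pool falls to the default route toward the Fortigate, and the static route from the accepted answer pulls it back to the ASA. The `route -p add` form assumes the DNS servers are Windows, which running IAS implies.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed addressing: the page redacts every IP, so these are placeholders.
LAN = "192.168.1.0/24"       # inside subnet holding the DC/DNS/IAS server
ASA_INSIDE = "192.168.1.2"   # ASA Inside interface, where VPN-pool traffic must return
DEFAULT_GW = "192.168.1.1"   # Fortigate firewall, the server's default gateway
VPN_POOL = "10.10.10.0/24"   # a pool outside the LAN block, as the customer wanted

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]   # None means on-link: deliver by ARP, no next hop

def route(prefix, gateway=None):
    return Route(ipaddress.ip_network(prefix), gateway)

def next_hop(table, dst):
    """Longest-prefix match, as the server's IP stack does for each reply packet."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in table if dst in r.prefix), key=lambda r: r.prefix.prefixlen)
    return best.gateway or "on-link"

# DNS server routing table before the fix: only the LAN and a default route.
BEFORE = [route(LAN), route("0.0.0.0/0", DEFAULT_GW)]
# After the fix from the accepted answer: a static route for the pool via the ASA.
AFTER = BEFORE + [route(VPN_POOL, ASA_INSIDE)]

def reply_path(table, client_ip):
    """Return (next hop, True if the reply is handed straight to the ASA).

    An on-link hop counts as reaching the ASA because the ASA answers ARP for
    its pool addresses on the Inside interface (assumed; the usual behaviour)."""
    hop = next_hop(table, client_ip)
    return hop, hop in ("on-link", ASA_INSIDE)

def windows_static_route(prefix, gateway):
    """Persistent route command for the Windows DNS servers (IAS implies Windows)."""
    net = ipaddress.ip_network(prefix)
    return f"route -p add {net.network_address} mask {net.netmask} {gateway}"

if __name__ == "__main__":
    for table, label in ((BEFORE, "before"), (AFTER, "after")):
        print(label, "LAN-block client:", reply_path(table, "192.168.1.200"))
        print(label, "separate-pool client:", reply_path(table, "10.10.10.5"))
    print(windows_static_route(VPN_POOL, ASA_INSIDE))
```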
