
Problem with DNS(?) using dual MPLS and IPSec tunnel links to remote site

Please consider this issue with what appears to be DNS issues. We have HQ, which had a single connection to site A via a carrier's MPLS network. A contractor was previously hired to install a second router at site A, connected via ADSL to the public internet. An IPsec tunnel was set up between the ADSL router and the Cisco PIX at HQ. The plan was to use route-maps at each end, redirecting key traffic for the Exchange server and MS ISA server (both at HQ) to pass through the IPsec tunnel. However, due to a fault with the original router at Site A, the route-map never redirected traffic. Instead, at Site A, DHCP was changed to make the ADSL router the default gateway for clients. At HQ, a route-map was applied at the core L3 switch to redirect the server traffic to the PIX.

All seemed to be working well, and a tracert confirmed that traffic is going over the correct routes. However, some clients also use wireless at Site A, and get an additional address when using it. I suspect that this is causing problems with the email client and IE (IE connecting to an ISA Server at HQ). Sometimes Outlook and IE both fail to connect to the servers at HQ, although ping tests and the Citrix client are not affected. DNS at HQ now shows 2 addresses for one of the clients.

It looks like a DNS issue with the replication of the zone back to HQ, but I am not sure why this would not also have been an issue prior to the ADSL router install. Not all subnets from HQ are route-mapped down the IPsec tunnel, but the server subnet is.

What would you advise for the next step?

Thank you in advance!
1 Solution

Chris Dent (PowerShell Developer) commented:

> get an additional address when using it

Additional DNS addresses?

> DNS at HQ now shows 2 addresses for one of the clients

How are dynamic updates performed?

I would imagine you have an MS DHCP server in there somewhere? And I would imagine that's performing updates for your clients.

If that is the case, if DHCP registers a record for a client, the client will not have rights to update it directly. That's fine as long as they only chat to the MS DHCP server, but a real pain if they go and talk to the ADSL router. When they do that they will attempt to create a record themselves. Without permission to update the existing record they will create a new one.

If all that is the case, you can avoid it by preventing DHCP from updating DNS. All clients running Windows 2000 or higher are able to update directly. If you opt for that solution it is important to look into your Scavenging settings otherwise it will simply magnify the current duplication issue.
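
The checks and changes described in the answer above, written out as an added PowerShell example that is not part of the original thread. It assumes the DnsServer and DhcpServer modules of a current Windows Server (2012 or later); the zone name and server names are placeholders, not values from the question. Without -Apply it only reports: the hostnames that carry more than one A record in the zone (the duplication symptom), and how the MS DHCP server is currently registering records. With -Apply it stops DHCP from owning the records and enables aging on the zone and scavenging on the server.

```powershell
# Added example, not from the thread. Assumes DnsServer/DhcpServer modules (Windows Server 2012+).
param(
    [string]$ZoneName   = 'corp.example',   # assumption: replace with the AD-integrated zone
    [string]$DnsServer  = 'hq-dc01',        # assumption: a DNS server at HQ
    [string]$DhcpServer = 'hq-dhcp01',      # assumption: the MS DHCP server
    [switch]$Apply                           # without -Apply nothing is changed
)

# 1. Hostnames with more than one A record. A record registered by DHCP is owned by the
#    DHCP server's account; a client that later registers itself cannot overwrite it and
#    creates a second record instead.
$dupes = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
    Where-Object { $_.HostName -ne '@' } |
    Group-Object -Property HostName |
    Where-Object { $_.Count -gt 1 }

foreach ($group in $dupes) {
    "{0}:" -f $group.Name
    foreach ($rec in $group.Group) {
        # Timestamp is empty for static records; dynamic records carry their last refresh,
        # which is what aging/scavenging uses to decide whether a record is stale.
        $stamp = if ($rec.Timestamp) { $rec.Timestamp } else { 'static' }
        "    {0,-15} last refreshed: {1}" -f $rec.RecordData.IPv4Address, $stamp
    }
}

# 2. How the DHCP server is registering records on behalf of clients.
$dhcpDns = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
"DHCP DynamicUpdates={0}  DeleteDnsRROnLeaseExpiry={1}" -f `
    $dhcpDns.DynamicUpdates, $dhcpDns.DeleteDnsRROnLeaseExpiry

if ($Apply) {
    # Stop DHCP from owning the records so Windows 2000+ clients register themselves.
    Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -DynamicUpdates Never

    # 3. Aging on the zone plus scavenging on the server, so records that clients stop
    #    refreshing are removed rather than accumulating. 7-day intervals are a common
    #    starting point; the no-refresh interval should be shorter than the DHCP lease.
    Set-DnsServerZoneAging -ComputerName $DnsServer -ZoneName $ZoneName -Aging $true `
        -NoRefreshInterval (New-TimeSpan -Days 7) -RefreshInterval (New-TimeSpan -Days 7)
    Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
        -ScavengingInterval (New-TimeSpan -Days 7)
}
```

Two things to check before running it with -Apply. First, records that DHCP already created stay owned by the DHCP server's account after the setting changes, so the affected clients still cannot update them until those records are scavenged or deleted by hand. Second, scavenging only runs on the DNS server where it is enabled, and only for zones that have aging turned on; enabling client self-registration without both is exactly the case where, as noted above, the duplication gets worse rather than better.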

support_ferret (Author) commented:
Thank you for your quick reply!

Yes, for example one of the clients switches to wireless from a wired connection, or sometimes both may be running in tandem?(!) Perhaps it is down to the clients in the end. It wouldn't be a problem, but the DNS server closest to the proxy and email server will always be updated a little later than the DNS server at site A.

I believe you are right with the DHCP updating settings - I will have to tweak them as you say.  I had a look at the settings before leaving for the day, but I forget what they were.  I think I changed it to allow clients to dynamically update DNS.

I don't think there is a perfect solution for clients that keep switching from wired to wireless so quickly - but I think you have described the solution.  Thanks!
Question has a verified solution.