?
Solved

VPN Client Changes Resolved Address

Posted on 2014-03-02
9
Medium Priority
?
409 Views
Last Modified: 2014-03-12
A few users have reported that their VPN Client changes the pre-configured address from X.X.X.X to X-X-X-X.provider.net. For example - from 1.1.1.1 to 1-1-1-1.provider.net, Does anyone have any idea why would that hapen?
0
Comment
Question by:Strinalena
  • 4
  • 4
9 Comments
 
LVL 20

Expert Comment

by:edster9999
ID: 39898575
Explain a little more.

Do you mean it changes their internet address.
So when they connect up, they get the IP 10.20.30.40 and this then shows up later as 10-20-30-40.provider.net ?
Or do you mean it changes addresses they are using - so they go to a web address of 10.20.30.40....and that changes ?

If it is there address that changes - is it their real public IP (on their home network) like 192.168.x.x that gets changed or the one they get from your VPN

...or... something totally different ?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39899429
1-1-1-1.provider.net is not an IP address, that could be a host name, but IP addresses are numbers.
0
 

Author Comment

by:Strinalena
ID: 39899747
Hi,

Thanks for the replies. The issue is on the actual VPN client - When the users opens the Cisco Any Connect client - instead of them getting the normal 1.1.1.1 address in the "Connect To" Field, they get 1-1-1-1.provider.net. So the address of the Firewall to terminate the connection changes for some reason.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 57

Expert Comment

by:giltjr
ID: 39899787
Still confused.  IP Addresses can not have letters in them.

Is the 1.1.1.1 your public IP address?

If they click on connect, does it work?
0
 

Author Comment

by:Strinalena
ID: 39899941
No - the Public ip is 87.224.XXX.XXX but when the users open the VPN client (You know - when you just double-click it) - instead of it showing the above ip address - it shows 87-224-XXX-XXX.name of the provider.net. The user has been able to use the client before but for some reason - at some point it gets changed and the user starts calling the helpdesk as there is no connection via the new strange address in the VPN client. It is not happenning regularly but there have been a few cases. Does this make any sense?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39900206
It looks like something is doing a reverse lookup on the IP address of your VPN server and replacing the actual address with the name that is on the PTR record for the address.

It appears that if you have a ASA cluster setup with a specific redirection option, that can happen.

So:

Do you have a ASA cluster?

Do you have the option "redirect-fqdn enable" on your ASA cluster?

Look at the page below and search on "Enabling Redirection"


http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_params.html
0
 

Author Comment

by:Strinalena
ID: 39902550
No ASA Cluster. The only comand on the device i find strange is the sysopt norpoxyarp inside. REally strange ans do not think that the issue is with the ASA but looks to me to be with the user's laptops.
So their machines are using their ISP's DNS servers and for some reason, you are saying that they are performing reverse DNS instead of forward one.
0
 
LVL 57

Accepted Solution

by:
giltjr earned 1500 total points
ID: 39903033
Yes, something is deciding to do a reverse look-up and fill in the server field with the host name that is returned.

It can't do a forward lookup.  Forward look-ups take a name and see what IP address that maps to.  Reverse look-ups take an IP address and find out what name it is mapped to.

Since you know the public IP address, you can issue the command:

     nslookup x.x.x.x

Where x.x.x.x is the  IP address of the VPN server and see what is returned.  You will want to try this from inside your network and from the Internet.  

It's really not that big of a deal.
0
 

Author Comment

by:Strinalena
ID: 39903240
I know - just annoying and it is not even our Firewall :-) Thanks for the replies
0

Featured Post

Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Unable to change the program that handles the scan event from a network attached Canon/Brother printer/scanner. This means you'll always have to choose which program handles this action, e.g. ControlCenter4 (in the case of a Brother).
This article will show you step-by-step instructions to build your own NTP CentOS server.  The network diagram shows the best practice to setup the NTP server farm for redundancy.  This article also serves as your NTP server documentation.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question