
Multiple DNS entries and unable to remote manage VPN clients

CHI-LTD asked:
Hello
Two issues, possibly linked in some way.  First is, VPN clients are showing their local IP and VPN IP (from ASA) in DNS, i.e. 10.255.253.1 and 10.255.240.51.  This causes issues connecting to the VPN IP 10.255.253.1 because of the 2 DNS entries.  Clients on the LAN where the DHCP/DNS servers reside work fine.  Only affects VPN users.

The other problem is that when clients are not showing the local IP of their WIFI card in DNS and are showing the correct IP (it was working at some point previously), we cannot browse to that machine, so remote management doesn't work.

Ideas?

David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
10.X.X.X addresses are local/private/nonroutable, so these addresses only work (packets route) inside a LAN.

No 10.X.X.X address will ever work with a VPN or any other tech, for any machine outside the 10.X.X.X related LAN.

Said another way, there are 1,000,000s of 10.255.240.51 addresses active at any given moment all over the world, on many LANs so routing packets outside any LAN to any instances of this IP makes no sense.

https://en.wikipedia.org/wiki/Private_network provides more detail, along with additional resources for research.
Top Expert 2014
Commented:
I think what you're describing is just stale DNS entries in the on-premise DNS, and the problems associated with reaching client machines for management when those stale entries are present.

Frankly, it's a huge topic that I can't cover entirely.  The biggest thing is to have DNS scavenging set up to reduce the amount of time that stale entries will persist.  It will not eliminate them completely.  Any time you have machines that switch between connecting with different interfaces (ethernet, wireless, VPN) and an associated DNS record gets registered you will encounter this.  DHCP settings can help with cleaning up records upon lease expiration.  Dynamic update settings on the DNS zone (i.e. secure only) will also have an effect.
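As an added example (not code from the thread or from either expert), a PowerShell check a Windows DNS admin could run to see the situation the answer above describes: host names carrying more than one A record (a LAN/Wi-Fi address and a VPN-pool address from the same client) together with the server and zone scavenging settings. The zone name is an assumption; the VPN prefix 10.255.253. comes from the question.

```powershell
# Added example: list hosts with more than one A record in an AD-integrated zone
# and show whether aging/scavenging is actually on. Needs the DnsServer RSAT module,
# run on or against a Windows DNS server. Zone name below is an assumption.
param(
    [string]$ZoneName  = 'corp.example',   # assumption: your AD DNS zone
    [string]$VpnPrefix = '10.255.253.'     # VPN client pool from the question
)
Import-Module DnsServer

# Scavenging has two halves: the server-level job and per-zone aging.
# If either is off, stale records from interface switching are never removed.
$server = Get-DnsServerScavenging
$zone   = Get-DnsServerZoneAging -Name $ZoneName
"Server scavenging : $($server.ScavengingState)  interval=$($server.ScavengingInterval)  last run=$($server.LastScavengeTime)"
"Zone aging        : $($zone.AgingEnabled)  no-refresh=$($zone.NoRefreshInterval)  refresh=$($zone.RefreshInterval)"

# Collect A records (skip the zone apex '@') and group them by host name.
$records = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
    Where-Object { $_.HostName -ne '@' }

$records | Group-Object HostName | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $name = $_.Name
    foreach ($r in $_.Group) {
        $ip = $r.RecordData.IPv4Address.IPAddressToString
        [pscustomobject]@{
            HostName  = $name
            IPAddress = $ip
            IsVpnPool = $ip.StartsWith($VpnPrefix)
            # Timestamp is $null for static records; scavenging never removes those.
            Timestamp = if ($r.Timestamp) { $r.Timestamp } else { 'static (never scavenged)' }
        }
    }
} | Sort-Object HostName, Timestamp | Format-Table -AutoSize
```

Hosts that show both a LAN address and a VPN-pool address are the ones where a client registered on one interface and then another; a static or very old Timestamp on one of them tells you scavenging alone will not clear it.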

Author

Commented:
Sorted, it was the split tunnelling on the firewall and the rule configured for the remote client subnet that was only allowing certain ports.  We also had a WannaCry deny rule in place which was blocking.

Scavenging is enabled.

Thanks
