LTi Engineer


DNS resolution across domains not working with AnyConnect v4.10

Experts,


We have been working to implement a VPN solution using Cisco AnyConnect to utilize MFA for authentication, connecting using Azure AD credentials/SAML. We have VPN appliances in 4 different locations (datacenters, including our main office). Our main office is a different domain from the other three sites.


The issue we are seeing is DNS resolution. If we are operating within the network in any of the 3 datacenters, things resolve without issue. However, once a remote user connects with AnyConnect, they are not able to pull DNS resolution from our office domain.


If we are in the office, and regardless of where we are, the resolution works correctly both ways (COM resolves NET and NET resolves COM). We have a secondary zone running that maintains a copy of the office zone (.com) in our three other datacenters (.net). It's when a user connects to the AC client via AAD SAML that they are no longer able to pull across the domains. And we are struggling to figure out why.


All of our DCs are running Server 2019, except one, which is running Server 2022. We have 2 in COM (and a third server running as a DNS server only), and we have 8 total DCs in the NET domain: 3 in each of the primary sites, and 2 in a third site.


We have validated FW rules and routes, and we can see traffic here and there, but we cannot get the COM domain to resolve through the AC client.


Any suggestions would be great!


Thanks!


Andrew Porter

For your VPN users, did you set up split-tunnel DNS once they are connected? Is the subnet established for the VPN users able to see the internal subnets at all (i.e. can a VPN user ping or resolve by IP address as opposed to host name)?

LTi Engineer

ASKER

Split tunnel is set up. We are connecting to our data center network, which is domain.net. We can resolve any address that ends in domain.net. We also have a Metro-E connection from our data center to our Headquarters office. Our HQ domain is domain.com. From the connected VPN, we cannot resolve any domain.com addresses. But we can ping any IP in both domains. From HQ, we can resolve any name in .NET or .COM.


To throw a wrench into the mix, if I remote into a server in .NET, I can resolve any .COM addresses just fine. So the issue only presents itself while connecting with AnyConnect. Also, we use SAML authentication using Azure AD. We do not have a trust between our domains and AAD.


When I do an NSLOOKUP on a .COM address, I get QUERY REFUSED. NSLOOKUP on any .NET address works fine. And I can see the port 53 traffic flowing through the various firewalls to and from the computer on the VPN and the DC that should be resolving the .COM addresses.

ASKER CERTIFIED SOLUTION
Pete Long


Pete, you nailed it. I was able to correct this by changing split-tunnel-all-dns to enable:

group-policy GroupPolicy_SAML_MYGROUP attributes
 split-tunnel-all-dns enable
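As an added illustration (not the asker's actual configuration or Pete's hidden answer), this is what the relevant part of an ASA group policy looks like when split tunneling only lists the data-center domain for split DNS, beside the two ways of also sending domain.com queries through the tunnel. The DNS server addresses, the ACL name and the domain names are assumed placeholders.

```cisco
! Assumed starting point (constructed): split tunnel with a split-DNS list
! that names only the data-center domain. AnyConnect then sends only
! domain.net queries to the tunnel DNS servers; every other query goes to
! the client's local adapter resolver, which has no view of the .COM zone.
group-policy GroupPolicy_SAML_MYGROUP attributes
 dns-server value 10.1.1.10 10.1.1.11
 default-domain value domain.net
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
 split-dns value domain.net

! Option A (narrower): add the HQ domain to the split-DNS list so that
! domain.net and domain.com queries traverse the tunnel and nothing else does.
! Assumes the tunnel DNS servers can answer for domain.com (the .NET DCs
! hold a secondary copy of the .com zone, per the question).
group-policy GroupPolicy_SAML_MYGROUP attributes
 split-dns value domain.net domain.com

! Option B (what the asker applied): push every client DNS query through
! the tunnel regardless of the split-DNS list. The tunnel DNS servers then
! receive public-name lookups too, so they must be able to recurse or
! forward to the internet, or remote users lose internet name resolution.
group-policy GroupPolicy_SAML_MYGROUP attributes
 split-tunnel-all-dns enable

! Verify the resulting policy on the ASA after the change:
! show running-config group-policy GroupPolicy_SAML_MYGROUP
```

On the client side, an nslookup of a domain.com name explicitly against one of the tunnel DNS server addresses (nslookup host.domain.com 10.1.1.10) shows whether the server itself answers; a REFUSED there points at the server or zone configuration rather than at the split-DNS list.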

Glad you found the answer!

ThanQ