DNS resolution across domains not working with AnyConnect v4.10
Experts,
We have been working to implement a VPN solution using Cisco AnyConnect to utilize MFA for authentication, connecting using Azure AD credentials/SAML. We have VPN appliances in 4 different locations (datacenters, including our main office.) Our main office is a different domain than the other three sites.
The issue we are seeing, is DNS resolution. If we are operating within the network in any of the 3 datacenters, things resolve without issue. However, once a remote user connects with AnyConnect, they are not able to pull DNS resolution from our office domain.
If we are in the office, and regardless of where we are, the resolution works correctly both ways. (COM resolves NET and NET resolves COM). We have a secondary zone running that maintains a copy of the office zone (.com) in our three other datacenters (.net). It's when a user connects to the AC client via AAD SAML that they are no longer able to pull across the domains. And we are struggling to figure out why.
All of our DCs are running Server 2019, except one, which is running Server 2022. We have 2 in COM, (and a third server running as a DNS server only) and we have 8 total DCs in the NET domain. 3 in each of the primary, and 2 in a third site.
We have validated FW rules, routes, and we can see traffic here and there, but we cannot get the COM domain to resolve through the AC client.
Any suggestions would be great!
Thanks!
ASKER
Split Tunnel is set up. We are connecting to our data center network, which is domain.net. We can resolve any address that ends in domain.net. We also have a Metro-E connection from our data center to our Headquarters office. Our HQ domain is domain.com. From the connected VPN, we cannot resolve any domain.com addresses. But we can ping any IP in both domains. From HQ, we can resolve any name in .NET or .COM
To throw a wrench into the mix, if I remote into a server in .NET, I can resolve any .COM addresses just fine. So the issue only presents itself while connecting with AnyConnect. Also, we use SAML authentication using AzureAD. We do not have a trust between our domains and AAD.
When I do an NSLOOKUP on a .COM address, I get QUERY REFUSED. NSLOOKUP on any .NET address works fine. And I can see the port 53 traffic flowing through the various firewalls to and from the computer in the VPN and the DC that should be resolving the .COM addresses.
ASKER
Pete, you nailed it. I was able to correct this by changing split tunnel all dns to enable
group-policy GroupPolicy_SAML_MYGROUP attributes
split-tunnel-all-dns enable
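For readers hitting the same symptom, here is the relevant group-policy block as an added illustration (constructed for this thread, not the asker's running config or Cisco's documentation): the state that produces the .COM failures, the fix the thread settled on, and the narrower split-dns alternative. The DNS server addresses, the ACL name and the default-domain value are assumptions; only the group-policy name and the split-tunnel-all-dns command come from the thread.

```cisco
! Before (assumed state): split tunnelling is on, but with
! split-tunnel-all-dns disabled only the suffixes under split-dns are
! sent to the tunnel DNS servers, so domain.com lookups never reach the
! internal servers that hold the secondary copy of the domain.com zone.
group-policy GroupPolicy_SAML_MYGROUP attributes
 dns-server value 10.10.0.10 10.10.0.11
 default-domain value domain.net
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
 split-dns value domain.net
 split-tunnel-all-dns disable

! After (the fix from this thread): every DNS query from the client goes
! through the tunnel, so the internal servers answer both suffixes.
group-policy GroupPolicy_SAML_MYGROUP attributes
 split-tunnel-all-dns enable

! Narrower alternative: leave split-tunnel-all-dns disabled and list both
! suffixes, so only these domains use the tunnel DNS servers and all other
! lookups stay on the user's local resolver.
group-policy GroupPolicy_SAML_MYGROUP attributes
 split-tunnel-all-dns disable
 split-dns value domain.net domain.com
```

With split-tunnel-all-dns enabled the users' public lookups also traverse the tunnel and internal resolvers, so size the DNS servers and their egress accordingly; the split-dns form keeps that traffic local but requires every internal suffix to be listed.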
Glad you found the answer!
ThanQ
For your VPN users, did you set up split-tunnel DNS once they are connected? Is the subnet established for the VPN users able to see the internal subnets at all (i.e. can a VPN user ping or resolve by IP address as opposed to host name)?