DNS "recursion not available" using a Cisco AnyConnect VPN connection

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by codeape on Server Fault See other posts from Server Fault or by codeape
Published on 2010-01-20T17:56:42Z Indexed on 2010/04/01 11:03 UTC
Read the original article Hit count: 631

Filed under:
|
|
|

Does anyone have experience with configuring Cisco AnyConnect VPN? We have a problem with client DNS name resolution when connected over VPN.

To me, it looks as if the Cisco AnyConnect VPN client intercepts DNS queries from the clients.

  1. Can someone confirm that the AnyConnect VPN client in fact does this (intercepts DNS traffic)?
  2. Where is this configured on the VPN server?

EDIT:

Here's how the routing table changes when I connect to the VPN:

[~]
$ diff -u /tmp/route_normal /tmp/route_vpn 
--- /tmp/route_normal   2010-01-20 19:23:47.000000000 +0100
+++ /tmp/route_vpn      2010-01-20 19:24:46.000000000 +0100
@@ -1,6 +1,10 @@
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
+xxx.xxx.xx.xx.i 10.0.0.1        255.255.255.255 UGH   0      0        0 ath0
 172.16.53.0     *               255.255.255.0   U     0      0        0 vmnet1
 10.0.0.0        *               255.255.255.0   U     0      0        0 ath0
+172.17.20.0     *               255.255.255.0   U     0      0        0 cscotun
0
+192.168.111.0   172.17.20.212   255.255.255.0   UG    0      0        0 cscotun
0
 172.16.140.0    *               255.255.255.0   U     0      0        0 vmnet8
+172.16.0.0      172.17.20.212   255.255.0.0     UG    0      0        0 cscotun
0
 default         10.0.0.1        0.0.0.0         UG    0      0        0 ath0

EDIT 2:

The IT guy has done "something" on the VPN endpoint. Now I get "recursion not available" when doing nslookup. The DNS servers have recursion enabled. So it must be the Cisco VPN DNS interception messing this up.

ubuntu@domU-12-31-39-00-ED-14:~$ /opt/cisco/vpn/bin/vpn connect xxx.xxxxxx.xx
...
  >> Please enter your username and password
...
  >> notice: Establishing VPN...
  >> state: Connected
  >> notice: VPN session established to ...
ubuntu@domU-12-31-39-00-ED-14:~$ nslookup www.vg.no
;; Got recursion not available from ..., trying next server
;; Got recursion not available from ..., trying next server
;; Got recursion not available from ..., trying next server
;; Got recursion not available from ..., trying next server
Server:         172.16.0.23
Address:        172.16.0.23#53

** server can't find www.vg.no.compute-1.internal: REFUSED

ubuntu@domU-12-31-39-00-ED-14:~$ ping 195.88.55.16
PING 195.88.55.16 (195.88.55.16) 56(84) bytes of data.
64 bytes from 195.88.55.16: icmp_seq=1 ttl=240 time=110 ms
64 bytes from 195.88.55.16: icmp_seq=2 ttl=240 time=111 ms
64 bytes from 195.88.55.16: icmp_seq=3 ttl=240 time=109 ms
^C
--- 195.88.55.16 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2017ms
rtt min/avg/max/mdev = 109.953/110.379/111.075/0.496 ms

© Server Fault or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about cisco

Related posts about vpn

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle