Wednesday, April 8, 2020

Cisco Anyconnect Split-DNS issue (weird)

I've been beating myself up trying to figure this issue out for weeks, with a Cisco TAC case open actively trying to get it resolved. I've heard of this issue popping up pre-COVID, but very rarely, and a reboot always fixed it.

We have a handful of users who lose their split-DNS functionality after they are connected to the VPN for a while. Basically regular internet resolution works and the tunnel actually still stays active (they can ping internal resources by IP only). When they try to ping an internal DNS name, using the on-prem Microsoft DNS server, it just says "Ping request could not find host xyz.helloworld.local. Please check the name and try again." In the browser it will say they received an NXDOMAIN response. Doing a packet capture, it doesn't look like the traffic even makes it to the DNS server.

Funny enough, nslookup will work, but when I researched it I found this stated:

Note: Avoid using NSLookup when you test the name resolution on the client. Instead, rely on a browser or use ping. This is because NSLookup does not rely on the operating system (OS) DNS resolver, and therefore, AnyConnect does not force the DNS request via a certain interface.

So I am back at square one. I debated tunneling all DNS requests, but it seems unfair for only 5 users having a problem, since this can also cause geolookup issues and I don't even know if it would resolve the issue.

For one of the users I uninstalled and reinstalled AnyConnect; it did not work. The last issue close to this I had was a year back, when some IPv6 users were having issues, so I had to enable "client-bypass-protocol enable" on the group policy.
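The Cisco note quoted above is the key diagnostic point: nslookup sends its own query straight to a server, while ping and browsers go through the OS resolver, which is the path the split-DNS rules act on. The script below, an added example that is not part of the original post, tests both paths for the same name and flags the case where the internal server answers directly but the OS resolver returns a failure. The DNS server address 192.0.2.53 is a placeholder, and the name is the one quoted in the post.

```python
import socket
import struct

INTERNAL_NAME = "xyz.helloworld.local"  # name from the post
INTERNAL_DNS = "192.0.2.53"             # placeholder: put the on-prem DNS server here

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query (one question, RD=1) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_rcode(resp):
    """Return the RCODE name from a DNS response header (e.g. NXDOMAIN)."""
    if len(resp) < 12:
        raise ValueError("truncated DNS response")
    flags = struct.unpack(">H", resp[2:4])[0]
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    return RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))

def os_resolver(name):
    """Resolve via the OS stub resolver, the same path ping and browsers use."""
    try:
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
        return "NOERROR", addrs
    except socket.gaierror as e:
        return "FAIL:" + str(e), []

def direct_query(name, server, timeout=2.0):
    """Send the query straight to `server` over UDP, bypassing the OS resolver like nslookup."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_rcode(data)

def classify(os_rc, direct_rc):
    """Server answers but the OS path fails: the client is not steering the query."""
    if direct_rc == "NOERROR" and os_rc != "NOERROR":
        return "split-DNS steering problem: server answers directly, OS resolver does not"
    return "consistent"

def diagnose(name, server):
    os_rc, addrs = os_resolver(name)
    direct_rc = direct_query(name, server)
    return {"os": os_rc, "os_addrs": addrs, "direct": direct_rc, "verdict": classify(os_rc, direct_rc)}

if __name__ == "__main__":
    print(diagnose(INTERNAL_NAME, INTERNAL_DNS))
```

Run it on an affected client while the problem is occurring; a "split-DNS steering problem" verdict reproduces the "nslookup works, ping fails" symptom in one place and is worth attaching to the TAC case alongside the capture.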
