
DNS not working on VIA clients

  • 1.  DNS not working on VIA clients

    Posted Nov 03, 2016 05:12 AM

    Hi Guys,

     

    I have created a VIA split tunnel profile for VPN users to connect to local networks. All routing is working correctly, tunneled networks are routed through the controller and any other traffic is broken out locally from the user's device. When connected to VIA the devices are provided with DNS server settings that I configured in the VPN Service of the controller and they seem to use these VPN Servers by default.

     

    The problem I'm having is that they are unable to resolve host names, which is very strange to me. I can ping the IPs of the DNS servers, and I can do an nslookup from the client and resolve IPs.

     

    Microsoft Windows [Version 10.0.14931]
    (c) 2016 Microsoft Corporation. All rights reserved.

     

    C:\Users\PaulH>ping 8.8.8.8

    Pinging 8.8.8.8 with 32 bytes of data:
    Reply from 8.8.8.8: bytes=32 time=4ms TTL=57
    Reply from 8.8.8.8: bytes=32 time=6ms TTL=57
    Reply from 8.8.8.8: bytes=32 time=5ms TTL=57
    Reply from 8.8.8.8: bytes=32 time=7ms TTL=57

    Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 7ms, Average = 5ms

     

    C:\Users\PaulH>nslookup www.google.co.za
    Server: google-public-dns-a.google.com
    Address: 8.8.8.8

    Non-authoritative answer:
    Name: www.google.co.za
    Addresses: 2c0f:fb50:4002:802::2003
    216.58.223.3


    C:\Users\PaulH>ping www.google.co.za
    Ping request could not find host www.google.co.za. Please check the name and try again.

    C:\Users\PaulH>

     

    Has anyone encountered this problem before?



  • 2.  RE: DNS not working on VIA clients

    Posted Nov 03, 2016 05:37 AM

    I've just noticed this may be a Windows 10 issue. Profile seems to work 100% on my mobile device (Android).



  • 3.  RE: DNS not working on VIA clients

    EMPLOYEE
    Posted Nov 03, 2016 08:11 AM

    Did you also add a DNS-suffix list, or is that parameter blank in the VIA connection profile?



  • 4.  RE: DNS not working on VIA clients

    Posted Nov 03, 2016 08:33 AM
    I added a single DNS suffix, but it is not a valid DNS name. I presumed this was similar to having mycompany.local on AD and didn't have any real relevance to lookups to external domains.


  • 5.  RE: DNS not working on VIA clients

    EMPLOYEE
    Posted Nov 03, 2016 08:46 AM

    Remove that variable.  It theoretically is supposed to handle lookup requests from that domain by tunneling it to the headend and using the DNS defined in the VPN profile.  Everything else it will handle using the DNS obtained by the host from DHCP.



  • 6.  RE: DNS not working on VIA clients

    Posted Nov 03, 2016 09:14 AM

    Thanks for the tip,

     

    I have removed it, but still have the same problem. While connected to VIA, with or without the suffix entered, the default server used when I do an nslookup is the DNS server assigned by the controller; when I disconnect VIA, my nslookup defaults to my local DNS server.

     

    The DNS server assigned by the controller is 8.8.8.8 and I can ping it while connected and even resolve DNS names using the nslookup command so I have no idea why I can't resolve when I try ping or browse.

     

    I have opened a case with TAC; if they manage to find the problem I will update here. I have a feeling it may be a Windows thing because my Android phone works fine.



  • 7.  RE: DNS not working on VIA clients

    Posted Nov 17, 2016 01:03 PM

    So TAC wasn't really able to help me, but I managed to find the issue.

     

    The controller was overwriting my local DNS servers with the DNS servers configured in the VPN profile. For some reason I could ping the DNS servers with no problem and even do an nslookup to them and they would resolve FQDN to IP with no problem.

     

    When I started investigating with Wireshark, I found that while I was browsing the net using IE or trying to ping FQDNs, the DNS traffic would have a source IP of the IP address I was assigned from the VPN pool of the controller. When I added the DNS server IPs to the tunneled networks it started working.

     

    I'm not sure if this is normal behaviour of VIA or if it's a bug of some sort, but just in case anyone runs into the same issue hopefully this helps.

     

    I'll report my findings to TAC and see what they say.
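
The condition found in this post, written as a check: DNS queries sourced from the VPN pool address while the VPN-assigned DNS server sits outside the tunneled networks. This is an added example, not part of the original post or of any Aruba tooling; the tunneled networks, VPN pool and flow tuples are constructed sample values, and only 8.8.8.8 comes from the thread.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
TUNNELED = ["10.0.0.0/8"]            # split-tunnel networks in the VIA profile
VPN_POOL = "172.16.50.0/24"          # inner-IP pool handed out by the controller
VPN_DNS = ["8.8.8.8"]                # DNS server pushed to clients (from the thread)

# (source IP, destination IP, destination port) as they might be read from a capture.
SAMPLE_FLOWS = [
    ("172.16.50.23", "8.8.8.8", 53),     # DNS from the VPN inner IP to an untunneled server
    ("192.168.1.40", "8.8.8.8", 53),     # DNS from the local LAN address
    ("172.16.50.23", "10.0.0.53", 53),   # DNS to a server inside a tunneled network
    ("172.16.50.23", "10.1.2.3", 443),   # non-DNS tunneled traffic
]


def _covered(addr, networks):
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def uncovered_dns_servers(tunneled_networks, vpn_dns_servers):
    """VPN-assigned DNS servers that no tunneled network covers."""
    return [s for s in vpn_dns_servers if not _covered(s, tunneled_networks)]


def misrouted_dns_flows(flows, vpn_pool, tunneled_networks):
    """DNS packets with a VPN-pool source whose destination is not tunneled."""
    hits = []
    for src, dst, dport in flows:
        if dport != 53:
            continue
        if _covered(src, [vpn_pool]) and not _covered(dst, tunneled_networks):
            hits.append((src, dst))
    return hits


if __name__ == "__main__":
    print("DNS servers outside tunneled networks:",
          uncovered_dns_servers(TUNNELED, VPN_DNS))
    print("Misrouted DNS flows:",
          misrouted_dns_flows(SAMPLE_FLOWS, VPN_POOL, TUNNELED))
    # The change described in the post: add the DNS server IP to the tunneled networks.
    fixed = TUNNELED + ["8.8.8.8/32"]
    print("After adding DNS server to tunneled networks:",
          misrouted_dns_flows(SAMPLE_FLOWS, VPN_POOL, fixed))
```
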



  • 8.  RE: DNS not working on VIA clients

    EMPLOYEE
    Posted Nov 17, 2016 10:38 PM

    Honestly, that is how a VPN client should work.  The local DNS is taken over by the VPN DNS so it can resolve both internal and external addresses.  Unless you try to "split" the DNS by designating a domain that the internal DNS would only resolve, everything gets resolved by the internal DNS...  If you added your local DNS server to the tunneled addresses, that only means that DNS is being resolved by that external DNS server, but THROUGH your VPN connection at your corporate headend.



  • 9.  RE: DNS not working on VIA clients

    EMPLOYEE
    Posted Nov 17, 2016 10:42 PM
    You may also be able to leverage views on your DNS server if the user VPN pools are different.


  • 10.  RE: DNS not working on VIA clients

    Posted Nov 18, 2016 02:35 AM

    Thanks for the reply,

     

    I was under the impression all DNS should be resolved locally by the DNS server assigned to the client by DHCP and the only DNS requests that should use the VPN DNS servers would be the domains specified in the VIA connection profile in the client DNS suffix list.

     

    It was also strange that I was only having this issue on Windows 10 devices. Windows 7, Android and iOS devices were working fine without tunneling the VPN DNS IP.

     

    Anyway, it's working now, so all good.