Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

DNS issue through IAP - VPN

  • 1.  DNS issue through IAP - VPN

    Posted Jul 25, 2013 09:02 AM

    Ran into a strange issue with the Instant VPN.

    Users are able to connect no problem, and they have IP connectivity to the network through the VPN.  When connected to Wireless or Ethernet on the IAP, they are placed into VLAN 13, and they get their IP configuration from the DHCP server on that VLAN as expected.

     

    However, name resolution is failing for internal domains.    They are able to contact their DNS server, and when manually running nslookup they are able to successfully query external domains, e.g. google.com.  But if they try to query any internal names, such as "host1" or even the FQDN "host1.customer.com", it returns the error "non-existent domain".

     

    If they plug a device directly into VLAN13, they get the same DHCP config & the same DNS server, and it responds correctly.

     

    Is the IAP somehow intercepting DNS queries and responding on behalf of the DNS server?



  • 2.  RE: DNS issue through IAP - VPN
    Best Answer

    EMPLOYEE
    Posted Jul 25, 2013 09:28 AM

    This is just a hunch, but in your setup - centralized, L2 - there is no option to include a "domain name" in the DHCP config.  Also, depending on the amount of remote sites, you may want to consider Distributed, L3.  It is our best practice deployment for IAP+VPN.

     

    Anyway...take a look at the screen shot below.  Enter the domain name of your customer here and retest.   Let me know the results...

     

    Screen Shot 2013-07-25 at 9.25.58 AM.png



  • 3.  RE: DNS issue through IAP - VPN

    Posted Jul 25, 2013 09:39 AM

    Seth, if I ever run into you I owe you several beers!  The enterprise domains did the trick.   Strange that even if they did a fully-qualified lookup, it would fail.  But it's working now.

     

    Thanks once again!



  • 4.  RE: DNS issue through IAP - VPN

    EMPLOYEE
    Posted Jul 25, 2013 09:41 AM

    No problem...you ask awesome questions...

     

    Here are the details so you know...IAP+VPN is a REALLY cool solution but it takes some thinking of how these things work vs. our traditional RAP deployments.

     

    By default, all the DNS requests from a client are forwarded to the client's DNS server. So in a typical IAP deployment without VPN configuration, client DNS requests are resolved by the clients' DNS server. However, when an IAP is configured for VPN this behavior changes. The DNS behavior is determined by the enterprise domain settings.

     

    The enterprise domain setting on the IAP defines the domains for which the DNS resolution must be forwarded to the clients' default DNS server.  For instance, if the enterprise domain is configured for arubanetworks.com, then DNS resolution for hostnames in arubanetworks.com will be forwarded to the clients' default DNS server and the DNS resolution for hostnames in all other domains will be Src-NATed to the local DNS server of the IAP.
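
A small model of the split described in post 4, added here as an illustration and not taken from the thread or from Aruba's code. It shows why `host1.customer.com` fails with an empty enterprise domain list and resolves once `customer.com` is listed. The suffix-on-label-boundary matching rule and all function names are assumptions.

```python
# Model of the IAP+VPN DNS split described in post 4 (added example, not Aruba code).
# Assumption: a name matches an enterprise domain when it equals the domain or
# ends with it on a label boundary; the thread does not state the matching rule.

CLIENT_DNS = "client DNS server (via VPN)"
LOCAL_DNS = "IAP local DNS server (source-NATed)"


def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")


def dns_path(qname, enterprise_domains):
    """Return which resolver a query would reach for a given enterprise domain list."""
    q = normalize(qname)
    for domain in enterprise_domains:
        d = normalize(domain)
        if d and (q == d or q.endswith("." + d)):
            return CLIENT_DNS
    return LOCAL_DNS


def misrouted(queries, enterprise_domains, internal_zones):
    """List queries for internal zones that would miss the internal DNS server."""
    return [
        q for q in queries
        if dns_path(q, internal_zones) == CLIENT_DNS      # name is internal
        and dns_path(q, enterprise_domains) == LOCAL_DNS  # but is sent locally
    ]


# Constructed sample queries, using the names from the thread.
SAMPLE = ["host1.customer.com", "HOST1.customer.com.", "google.com", "notcustomer.com"]

if __name__ == "__main__":
    for domains in ([], ["customer.com"]):
        print("enterprise domains:", domains or "(empty)")
        for q in SAMPLE:
            print(f"  {q:22} -> {dns_path(q, domains)}")
        print("  internal names sent to the local resolver:",
              misrouted(SAMPLE, domains, ["customer.com"]))
```

The `misrouted` list doubles as a check for internal hostnames that would be disclosed to a resolver outside the VPN when the enterprise domain list is incomplete.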



  • 5.  RE: DNS issue through IAP - VPN

    Posted Aug 01, 2013 04:46 PM

    Can I just say,  that I have just spent the best part of the last two evenings trying to solve this same problem.  Even Aruba TAC did not know about the Enterprise Domains setting.

     

    Seth, you are a genius, a second beer from me will be on its way to you.

     

    Thanks

     

    Lee



  • 6.  RE: DNS issue through IAP - VPN

    EMPLOYEE
    Posted Aug 01, 2013 04:57 PM

    Thanks guys!  I didn't know either until I started playing around a bit.  Good to know for everyone!  

     

    PS - I will give you my wife's contact info...please tell HER I'm a genius :)



  • 7.  RE: DNS issue through IAP - VPN

    Posted May 14, 2014 10:57 AM

    Thanks from me, too, as I ran into this problem as well.

    According to documentation (and IAP online help), "Enterprise Domains" would only be filled in when using content filtering (thus I always left it blank ...).

    I guess IAP documentation/user guide needs some update here ;)



  • 8.  RE: DNS issue through IAP - VPN

    Posted May 23, 2018 11:22 PM

    FIVE YEARS LATER - This saved me. Been trying to figure this one out for three days. Then found this post. Whew!