Contributor II
Posts: 42
Registered: ‎07-14-2010

DNS issue through IAP - VPN

Ran into a strange issue with the Instant VPN.

Users are able to connect no problem, and they have IP connectivity to the network through the VPN. When connected to Wireless or Ethernet on the IAP, they are placed into VLAN 13, and they get their IP configuration from the DHCP server on that VLAN as expected.

However, name resolution is failing for internal domains. They are able to contact their DNS server, and when manually running nslookup they are able to successfully query external domains, e.g. google.com. But if they try to query any internal names, such as "host1" or even the FQDN "host1.customer.com", it returns the error "non-existent domain".

If they plug a device directly into VLAN13, they get the same DHCP config & the same DNS server, and it responds correctly.

Is the IAP somehow intercepting DNS queries and responding on behalf of the DNS server?

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: DNS issue through IAP - VPN

This is just a hunch but in your setup - centralized, L2 - there is no option to include a "domain name" in the DHCP config. Also, depending on the amount of remote sites, you may want to consider Distributed, L3. It is our best practice deployment for IAP+VPN.

Anyway...take a look at the screen shot below. Enter the domain name of your customer here and retest. Let me know the results...

[Screenshot: Screen Shot 2013-07-25 at 9.25.58 AM.png]

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Contributor II
Posts: 42
Registered: ‎07-14-2010

Re: DNS issue through IAP - VPN

Seth, if I ever run into you I owe you several beers! The enterprise domains did the trick. Strange that even if they did a fully-qualified lookup, it would fail. But it's working now.

Thanks once again!

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: DNS issue through IAP - VPN

No problem...you ask awesome questions...

Here are the details so you know...IAP+VPN is a REALLY cool solution but it takes some thinking of how these things work vs. our traditional RAP deployments.

By default all the DNS requests from a client are forwarded to the client's DNS server. So in a typical IAP deployment without VPN configuration, client DNS requests are resolved by the clients' DNS server. However, when an IAP is configured for VPN this behavior changes. The DNS behavior is determined by the enterprise domain settings.

The enterprise domain setting on the IAP defines the domains for which the DNS resolution must be forwarded to the clients' default DNS server. For instance, if the enterprise domain is configured for arubanetworks.com, then DNS resolution for hostnames in arubanetworks.com will be forwarded to the clients' default DNS server and the DNS resolution for hostnames in all other domains will be Src-NATed to the local DNS server of the IAP.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
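
The behavior described in the post above, as an added example that is not part of the original thread and is not Aruba's code: a simplified model of the DNS path selection that reproduces the symptom from the first post. The function names, the whole-label suffix matching rule, and all records and addresses are assumptions made for illustration.

```python
# Simplified model of the IAP+VPN DNS path selection described in the thread.
# Assumption: an enterprise domain matches on whole DNS labels (suffix match).
# All records and addresses below are constructed sample data.

CORPORATE_DNS = {  # the clients' DNS server, reached through the VPN tunnel
    "host1.customer.com": "10.13.0.21",
    "google.com": "192.0.2.10",  # it also resolves external names
}
LOCAL_DNS = {      # the IAP's local DNS server, which has no internal zone
    "google.com": "192.0.2.10",
}

def normalize(name):
    """Lower-case the name and drop a trailing root dot."""
    return name.strip().rstrip(".").lower()

def is_enterprise(qname, enterprise_domains):
    """True if qname equals, or is a subdomain of, a configured domain."""
    q = normalize(qname)
    for domain in enterprise_domains:
        d = normalize(domain)
        if d and (q == d or q.endswith("." + d)):
            return True
    return False

def dns_path(qname, enterprise_domains):
    """Decide which resolver the query is sent to."""
    if is_enterprise(qname, enterprise_domains):
        return "client-dns-via-vpn"
    return "src-nat-to-local-dns"

def resolve(qname, enterprise_domains):
    """Return (path, answer) for the query under the given configuration."""
    path = dns_path(qname, enterprise_domains)
    zone = CORPORATE_DNS if path == "client-dns-via-vpn" else LOCAL_DNS
    return path, zone.get(normalize(qname), "NXDOMAIN")

if __name__ == "__main__":
    for domains in ([], ["customer.com"]):
        for name in ("google.com", "host1.customer.com", "host1.notcustomer.com"):
            print(domains, name, resolve(name, domains))
```

With an empty enterprise domain list the model sends even the fully qualified internal name to the local resolver, which matches the "non-existent domain" result reported in the first post.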
Contributor I
Posts: 43
Registered: ‎02-01-2013

Re: DNS issue through IAP - VPN

Can I just say that I have just spent the best part of the last two evenings trying to solve this same problem. Even Aruba TAC did not know about the Enterprise Domains setting.

Seth, you are a genius, a second beer from me will be on its way to you.

Thanks

Lee

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: DNS issue through IAP - VPN

Thanks guys! I didn't know either until I started playing around a bit. Good to know for everyone!

PS - I will give you my wife's contact info...please tell HER I'm a genius :)

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Contributor I
Posts: 34
Registered: ‎07-07-2011

Re: DNS issue through IAP - VPN

Thanks from me, too, as I ran into this problem as well.

According to documentation (and IAP online help), "Enterprise Domains" would only be filled in when using content filtering (thus I always left it blank ...).

I guess IAP documentation/user guide needs some update here :smileywink:
