Cisco 5505 VPN Connection Broke after DNS Server Change

  • Cisco 5505 VPN Connection Broke after DNS Server Change

    We have two ASA 5505s serving as our VPN into our network. A server that was hosting our primary DNS (dnsmasq) lost a hard drive and died irrecoverably. For reasons I can't explain, it took down VPN access. I can still get into the internal interface, and I can actually authenticate and make a connection, but I can only ping for a few packets and then it becomes totally unresponsive and eventually kicks me out. We have secondary DNS servers (CentOS 6 using dnsmasq), and I made what I thought should be the appropriate config changes to the ASAs, pointing them to the new primary DNS, but it did not seem to fix the problem. Nothing else was changed on the config, and it was working before I changed DNS servers on it. The lines of config I changed are as follows:

    group-policy GROUP internal
    group-policy GROUP attributes
    dns-server value
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value access_prod_office
    default-domain value

  • #2
    Re: Cisco 5505 VPN Connection Broke after DNS Server Change

    A DNS server failing will not cause a VPN to fail. It can however prevent you from reaching hosts via FQDNs or hostnames. You said you can authenticate and connect, so the VPN tunnel is being built. Have you looked at the logs for the VPN client as well as on the ASA? Verified Phase 1 and Phase 2 of the VPN on the ASA? Your group policy shows IPsec as the tunneling protocol; are you using IPsec or SSL with the AnyConnect client? Are you pinging by hostname or IP address? Any policy in effect to limit ICMP?
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)
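    The reply's first checks (was Phase 1 built, was Phase 2 built, how did the session end) can be pulled out of an ASA syslog excerpt mechanically. The script below is an added example, not code from either poster; it runs over a constructed log sample, and the message IDs 713119, 713120 and 113019 are assumed to be the standard ASA IKE/VPN syslog IDs for those events.

```python
import re

# Constructed ASA syslog excerpt, not taken from the original thread. The message
# IDs are assumed to be the standard ASA VPN syslog IDs (713119 = IKE phase 1
# completed, 713120 = IKE phase 2 completed, 113019 = session disconnected); the
# group name, user and addresses are made up for the example.
SAMPLE_LOG = """\
%ASA-5-713119: Group = GROUP, IP = 198.51.100.7, PHASE 1 COMPLETED
%ASA-5-713120: Group = GROUP, Username = jdoe, IP = 198.51.100.7, PHASE 2 COMPLETED (msgid=3a1b2c3d)
%ASA-4-113019: Group = GROUP, Username = jdoe, IP = 198.51.100.7, Session disconnected. Session Type: IPsec, Duration: 0h:01m:12s, Bytes xmt: 3120, Bytes rcv: 1840, Reason: Idle Timeout
"""

PHASE1 = re.compile(r"%ASA-\d-713119: .*PHASE 1 COMPLETED")
PHASE2 = re.compile(r"%ASA-\d-713120: .*PHASE 2 COMPLETED")
DISCONNECT = re.compile(
    r"%ASA-\d-113019: .*Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+?)\s*$"
)


def triage_vpn_log(log_text, group="GROUP"):
    """Reduce a syslog excerpt to: phase 1 built?, phase 2 built?, how did the session end?"""
    state = {"phase1": False, "phase2": False, "reason": None, "bytes_rcv": None}
    for line in log_text.splitlines():
        if f"Group = {group}," not in line:
            continue  # only look at the group policy under investigation
        if PHASE1.search(line):
            state["phase1"] = True
        elif PHASE2.search(line):
            state["phase2"] = True
        else:
            m = DISCONNECT.search(line)
            if m:
                state["reason"] = m.group("reason")
                state["bytes_rcv"] = int(m.group("rcv"))
    return state


def diagnose(state):
    """Turn the parsed state into the next check a responder should run."""
    if not state["phase1"]:
        return "phase1-failed: IKE never completed, the tunnel was not built"
    if not state["phase2"]:
        return "phase2-failed: IKE SA up but no IPsec SA; inspect phase 2 negotiation"
    if state["reason"] is not None:
        return (f"tunnel-built-then-dropped: disconnect reason '{state['reason']}', "
                f"{state['bytes_rcv']} bytes received; a dead DNS server does not explain "
                "this, so ping by IP address and check any policy limiting ICMP")
    return "tunnel-up: no disconnect logged; ping by IP rather than hostname to rule out DNS"


if __name__ == "__main__":
    print(diagnose(triage_vpn_log(SAMPLE_LOG)))
```

Feed it the ASA log from a failed session (e.g. the output of `show logging` saved to a file) and filter on the group name from the group-policy shown in the question.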