AnyConnect 3.0.4235 and internal DNS (Mac OS X 10.6 and 10.7)

docrice

I recently upgraded our Mac AnyConnect clients from 2.3 to 3.0.4235 via ASA push. Our Windows clients are still on 2.3. After the upgrade, we noticed that our Mac users (after tunneling in) are not picking up internal DNS settings. I upgraded the Windows client on my own machine through manual install and it seems to work fine in this regard, so I'm guessing this is specific to the new OS X client. The group policy which affects me as well as the Mac users experiencing the issue is the same.

Do you guys know if there's something specific to 3.0 I need to consider for this case? Maybe I missed something obvious.

dtlokee

It's possible you are running into issues with the "enhancements" in the new version:

Release Notes for Cisco AnyConnect Secure Mobility Client, Release 3.0 - Cisco Systems

I have run into issues with split DNS where the "tunnel all" didn't work and I had to add the individual domains that I wanted to send to the internal DNS servers across the tunnel.

docrice

Thank you, sir. This sounds very much like it could be it. Going through this also allowed me to possibly figure out an additional problem I was having. I'll try this out tomorrow.

docrice

It looks like this is another one of those "shake 8.3(1) a bit and it'll wake up" deals as this particular ASA runs that code. I put in a DNS suffix config for the group policy bound to the tunnel group, things started working for the client. Then I removed that config, applied changes, rebooted the client ... and things still kept working.

I've had other odd problems with 8.3(1) before, so it's time to upgrade to a newer version.

dtlokee

I would recommend getting out of the 8.3 train and into the 8.4 train if you can, there seem to be a number of "undocumented features" in the 8.3 code.