Tuesday, July 27, 2010

DNS problems with Cisco VPN Client on Windows 7 32-bit

These days I'm receiving support calls from customers who say that they are unable to connect to intranet resources with the Cisco VPN Client.


A little investigation led me to discover that it only affects Cisco IPSec VPN Clients installed on Windows 7 32-bit. 64-bit versions of Win 7/Vista and WinXP are fine.

A little deeper investigation isolated the problem: I noticed that the VPN client, upon successful connection with the Cisco router or ASA firewall, doesn't receive the DNS servers specified in the tunnel group (ASA) or client configuration group (IOS). So you can actually connect to your intranet servers using IP addresses, but not with DNS names. As I wrote above, it wasn't just one case but several. This required emergency testing in my mighty lab :) - my laptop with VMware and a Windows 7 32-bit virtual machine :)

Finally I resolved the case: it's a bug in the VPN client (I found it in the Cisco Bug Toolkit under the ID CSCsq34291). Cisco IPSec VPN Client versions 5.0.07.0290 and newer don't have this problem, so I advised my customers to upgrade their Cisco VPN Clients. Another workaround, according to Cisco, is to use more than one DNS server in the tunnel group (or client configuration group). They claim that this issue shows its ugly face when only one DNS server is configured to be pushed to the client. If you are big, then you already have at least two internal DNS servers (your domain controllers, for example), but if you are a small single-server shop, then just enter some fake IP address for the secondary DNS in the client configuration as a quick workaround until you upgrade all the clients.
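
A quick client-side check for the symptom described above (tunnel up, intranet reachable by IP, no DNS servers on the VPN adapter), written as an added example that is not part of the original post. It assumes the virtual adapter's description contains "Cisco Systems VPN Adapter"; the function name, host name and IP address are placeholders to replace with your own.

```powershell
# Added example. Works with PowerShell 2.0 as shipped with Windows 7.
function Test-VpnDnsPush {
    param(
        [string]$AdapterPattern = '*Cisco Systems VPN Adapter*',  # assumed adapter description
        [string]$IntranetHost   = 'intranet.example.internal',    # placeholder intranet name
        [string]$IntranetIp     = '192.0.2.10'                    # placeholder intranet address
    )

    # Find the VPN virtual adapter; IPEnabled filters it out while it is disabled.
    $vpn = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.Description -like $AdapterPattern } |
        Select-Object -First 1
    if (-not $vpn) {
        Write-Warning 'No active VPN adapter found; connect the tunnel first.'
        return
    }

    # DNS servers pushed by the router/ASA show up on the VPN adapter.
    # An empty list here is the failure the post describes.
    $dns = @($vpn.DNSServerSearchOrder | Where-Object { $_ })

    # Reachability by address, independent of DNS (requires ICMP to be permitted).
    $ipOk = Test-Connection -ComputerName $IntranetIp -Count 2 -Quiet

    # Name resolution through the normal resolver path.
    $resolved = @()
    try {
        $resolved = @([System.Net.Dns]::GetHostAddresses($IntranetHost) |
            ForEach-Object { $_.IPAddressToString })
    } catch { }

    New-Object PSObject -Property @{
        OSArchitecture = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
        VpnAdapter     = $vpn.Description
        VpnAddress     = ($vpn.IPAddress -join ', ')
        VpnDnsServers  = ($dns -join ', ')
        ReachableByIp  = $ipOk
        ResolvedTo     = ($resolved -join ', ')
        # True when the tunnel carries traffic but no DNS servers arrived.
        MatchesSymptom = ($dns.Count -eq 0) -and $ipOk -and ($resolved.Count -eq 0)
    }
}

Test-VpnDnsPush | Format-List
```

If `MatchesSymptom` is True on a 32-bit Windows 7 machine, compare the installed client version against 5.0.07.0290 before changing anything on the headend.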

1 comment:

  1. We used to use netscreen remote for our Juniper firewalls but it doesn't even support 64bit W7 or Vista. We've been testing the free shrew client and will probably be rolling it out in the next couple of months. I know it works just as well for Cisco devices.

    It's good to see that not only Juniper are having issues :P

    Daz
