Cisco Meraki Client VPN Help Needed

Solved
Basil
Conversationalist


Hi All,

I wanted to share a problem that I'm having with my VPN setup in my company. The VPN as such works without any issues.

So I have enabled the VPN in the Cisco Meraki dashboard, and am using the IP range (for eg: 172.16.150.0) as specified in the dashboard settings, and using AD to authenticate users. Using the Windows L2TP protocol on the Windows 10 client, with split tunneling and all configured, and working properly. No problems. I checked the route print, and split tunneling is working as it is supposed to.

I'm able to ping from the VPN client to any other internal LAN clients using hostname. Also I can open a UNC path from the VPN client to my company servers via hostname and stuff. No issues. However I'm not able to ping from an internal LAN client device to the VPN client using hostname. I can ping using the IP address though, and am able to UNC into the VPN client using the VPN IP, for example \\172.16.150.10\C$. All working with IP from internal client to VPN client, and the VPN client is reaching all internal servers/workstations etc. via hostname. How is it possible to ping the VPN client device from the internal company LAN using hostname? Is this because the IP range configured in the Cisco Meraki dashboard is completely different from my internal LAN subnet (for eg: 172.16.0.0)? I assume so.

If so, how do I add my VPN subnet to my DHCP server or Cisco Meraki portal, so that the internal clients can talk to it using hostname?

My main reason for doing this is because the RMM solution that we use does not detect the VPN client devices as online once they become external or are VPN connected, is what I mean. For eg: suppose Computer A is connected to the internal LAN from our buildings, and so is getting an internal LAN IP from our DHCP server. Then our RMM software has no problem detecting the machine as online, and I can remote into them to help users having IT issues. However, when the same computer moves out of the internal LAN network (in this case the user is working from home), the user connects to the Windows built-in VPN. They enter their AD credentials and connect to the VPN successfully, and Meraki allocates the client an IP from the 172.16.150 subnet. All good. They are able to have access to the shared drives/Outlook and everything else as if they are working from the office. All good there as well. So the user is fine from a work standpoint.

But when the user is working from home, I'm not able to use our RMM tool to remote connect to the VPN-connected Computer A if the user needs some IT help, because the IP used via VPN is not our internal IP. Where or how can I make my RMM tool recognize that the VPN client is online and make the VPN subnet recognizable, with the internal LAN IP range? Is this done via a static route from the client side, or should I add something in the scope options of my DHCP server, or should I add the VPN subnet with some settings in the Meraki dashboard? I'm kinda confused on how I can make this happen.

Please help!!

1 Accepted Solution
Basil
Conversationalist

So I'm back again.

After playing around with this for about 4 days now, I finally got it fixed. I had to make 2 changes: 1st on my DNS server and 2nd on my Win 10 client VPN adapter.

I went to my DNS server, and in my forward lookup zone, and my domain, I went to the properties and changed dynamic updates to allow both the secure and nonsecure setting.

Then I went to the Cisco client VPN adapter on the Win 10 client, Properties, chose IPv4, and then under Advanced, needed to check mark both the DNS options:

"Register this connection's addresses in DNS" and "Use this connection's DNS suffix in DNS registration". Since my Win 10 machine was already a domain-connected device, I left the DNS suffix blank. If your computer is non-domain joined, then please add the DNS suffix field. With both of these check marked, I had to disconnect the VPN connection and then reconnect again.

Once this was done, my VPN clients started registering properly in my DNS server. So my initial issue is fixed and my RMM solution is able to recognize the VPN client. This is going to make my life so much easier providing remote support to users working from home. So I'm just putting it across if it's useful to anyone.

Now what I wanted help with is if I can add the above 2 DNS options to automatically be check marked when I create future VPN connections for my users using my PowerShell script. As of now, the script does everything. But now I need to add the above 2 DNS options to be check marked too. Any idea on how I can make that possible?

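The two checkboxes the accepted solution sets by hand are stored in the RAS phonebook entry for the connection, so the script that creates the connection can set them as well. The PowerShell below is an added example, not the poster's script; the phonebook keys IpDnsFlags and IpDnsSuffix and the value 3 are assumed from the rasphone.pbk format, and the connection name is a placeholder.

```powershell
# Added example (not the poster's script): turn on the two DNS registration
# options for an existing Windows VPN connection by editing the RAS phonebook,
# which is where the Advanced TCP/IPv4 checkboxes are saved.
# Assumptions: the connection was created for the current user (e.g. with
# Add-VpnConnection without -AllUserConnection), so it lives in the per-user
# rasphone.pbk; the key names and value below are assumed from that format.
param(
    [string]$ConnectionName = 'Company VPN',   # placeholder, use the name from your script
    [string]$DnsSuffix      = ''               # leave empty for domain-joined clients
)

$pbk = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
if (-not (Test-Path $pbk)) { throw "Phonebook not found: $pbk" }

$inEntry = $false
$found   = $false
$updated = foreach ($line in (Get-Content -Path $pbk)) {
    # Entries are INI-style sections named after the connection
    if ($line -match '^\[(.+)\]$') {
        $inEntry = ($Matches[1] -eq $ConnectionName)
        if ($inEntry) { $found = $true }
    }
    if ($inEntry -and $line -match '^IpDnsFlags=') {
        # Bit 1 = "Register this connection's addresses in DNS"
        # Bit 2 = "Use this connection's DNS suffix in DNS registration"
        # so 3 turns on both checkboxes the solution above sets by hand
        'IpDnsFlags=3'
    }
    elseif ($inEntry -and $line -match '^IpDnsSuffix=' -and $DnsSuffix) {
        # Only needed on non-domain-joined clients, as the solution notes
        "IpDnsSuffix=$DnsSuffix"
    }
    else {
        $line
    }
}

if (-not $found) { throw "Connection '$ConnectionName' not found in $pbk" }
Set-Content -Path $pbk -Value $updated
Write-Host "Updated '$ConnectionName'; disconnect and reconnect the VPN for it to take effect."
```

Once the VPN is reconnected, `Get-DnsClient -InterfaceAlias 'Company VPN'` should show RegisterThisConnectionsAddress and UseSuffixWhenRegistering as True. Nonsecure dynamic updates let any host that can reach the DNS server overwrite zone records, so it is worth re-testing with secure-only updates once client registration is working.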

5 Replies
PhilipDAth
Kind of a big deal

I haven't tried this myself.

I would expect that when the connection comes up it does the equivalent of an "ipconfig /registerdns", and registers the client hostname in the AD DNS.

Do you see the client name in AD DNS? If not, if a VPN client does an "ipconfig /registerdns" does it then appear?

Basil
Conversationalist

Hi,

Thank you for your reply.

I did not see the hostname of my domain/VPN connected client in my AD DNS. No record found. So I did run the command ipconfig /registerdns. Waited for some time. Still no record.

Do I have to manually specify my DNS server on the VPN adapter properties to reach my DNS servers? As of now, it's obtaining the DNS servers & IP automatically. No static IP or DNS is configured on the client side VPN adapter or Wi-Fi adapter. I mean on the Cisco Meraki dashboard client settings, I have already specified my DNS server details, if that helps.

KarstenI
Kind of a big deal
Kind of a big deal

From my experience this is "normal" behaviour. This is another reason I often run an ASA in parallel to the MX for AnyConnect Client VPN. There you can assign the IPs by DHCP and the VPN-hostname gets automatically registered in DNS. But I think there is no way in the MX to achieve this.

PhilipDAth
Kind of a big deal

> So I did run the command ipconfig /registerdns. Waited for some time. Still no record.

In that case, it seems Windows does not send a DDNS update packet from its VPN interface. Manually specifying the DNS servers won't make any difference.

It looks like you have hit a limitation in Windows.

