Client VPN NetBios DNS :(

Netwow
Building a reputation


We are testing client VPN. It is enabled and users are able to connect. 2 out of 4 users are unable to resolve host names from mapped drives. The other 2 users are. DNS server is at the DC across a VPN tunnel to a non-Meraki peer. All are Windows 10. Here is what has been attempted with the assistance of support. IPs of servers can be reached via ping.

1) enabled WINS specified DNS server

2) Hardcoded DNS into NIC of clients that could not connect.

We spent a lot of time on the phone with support but still do not have any resolution.

Suggestions?

Julian
Getting noticed

Hi, some ideas of tests to do:

- ping the DNS servers and share server to verify the connectivity
- nslookup to the DNS servers to verify the connectivity
- disable firewall and antivirus on the Windows 10 computers
- where are the mapped drives? Windows server? NAS? DFS?
- do a test mapping the drive by IP, not using the name of the server
- have you disabled SMB1 on the Windows 10 clients?
- check the time on the servers and client, sync with an NTP server

ConnorL
Meraki Employee

Hey there,

Connor here from Meraki Support. I've always found this guide works when resolving DNS over Client VPN:
https://www.petenetlive.com/KB/Article/0001402

*Note* it's not a Meraki or Cisco link, so your results may vary and we're not responsible for the content hosted here.

Kind regards,

--

Connor Loughlin
Network Support Engineer

.:|:.:|:. Cisco Meraki EMEAR 🇬🇧

For reference, many questions can be easily answered by searching our online documentation: http://documentation.meraki.com
Nash
Kind of a big deal

Please don't use WINS. Microsoft does not want you to use WINS.

Use DNS.

Make sure you use the fully qualified domain name, such as software.domain.local.

If your internal domain is the same as a publicly resolvable domain, adjust your interface metric.

You can either re-deploy the VPN using a script, such as the ones in my signature. They're recently updated to set the Meraki VPN connection to have priority.

Or you can hit it with PowerShell directly:

All user connection:

(Get-Content -path $env:PROGRAMDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk -Raw) -Replace 'IpInterfaceMetric=0','IpInterfaceMetric=1' | Set-Content -path $env:PROGRAMDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk

Individual user connection:

(Get-Content -path $env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk -Raw) -Replace 'IpInterfaceMetric=0','IpInterfaceMetric=1' | Set-Content -path $env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk

Or you can do it manually via the GUI. I prefer PowerShell.

PhilipDAth
Kind of a big deal

>DNS server is at the DC across a VPN tunnel to a non-meraki peer.

I don't think this is a supported configuration - hairpinning client VPN connections to a non-Meraki VPN connection.

I've tried this and found it to be flaky and only intermittently works (client connects and works, next day client connects and it doesn't). I've found when it doesn't work, if you ping the client's private VPN IP address from the DC machine it usually starts working. Altogether not nice.

It does work perfectly for AutoVPN connected sites.

BearTech
Comes here often

This is due to the NIC's interface metric, and it's been absolutely maddening.

Connect to the VPN. Open PowerShell and type Get-NetIPInterface. You will see your Ethernet (or Wi-Fi) and VPN name in the list. On the left is ifInterface number, on the right is interfaceMetric. You need VPN to have a LOWER interfaceMetric than your primary NIC. Problem is, VPN metric changes every time you connect. I've found good results changing both Ethernet and Wi-Fi to 50. You can do this in the IPv4 properties of primary NIC, Advanced, then remove automatic metric box and type in 50. Also you can do it in PowerShell with Set-NetIPInterface -InterfaceIndex 24 -InterfaceMetric 50 and replace the 24 with whatever the left number was on Get-NetIPInterface.

Netwow
Building a reputation

I adjusted the metric last week and no change. The user can map the drives using the IP address but not the FQDN. I can ping FQDN.
ConnorL
Meraki Employee

Might be barking up the wrong tree but I've seen times before where Windows will try and mount the drive using the Client VPN credentials which causes issues. Try giving this a go:

 

  • Go to C:\Users\*username*\AppData\Roaming\Microsoft\Network\Connections\Pbk
  • Right click rasphone and Open With > Notepad
  • Edit the line "UseRasCredentials=1" and change this to 0
  • Save the file and reboot (just to be on the safe side)
  • Try and connect to VPN again and it shouldn't now try and use the VPN credentials for that network drive

This was mentioned a little while back on our forums also (link) but I found this out a while ago in my previous job.

 

Let me know how you get on, and stay safe out there!

 

Kind regards,

--

Connor Loughlin
Network Support Engineer

.:|:.:|:. Cisco Meraki EMEAR 🇬🇧

For reference, many questions can be easily answered by searching our online documentation: http://documentation.meraki.com
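
Added example, not code from any poster in this thread or from Meraki: the one-liners earlier in the thread rewrite IpInterfaceMetric for every connection stored in rasphone.pbk, and the UseRasCredentials change above is a manual edit. The PowerShell below reads the phonebook by [entry] section so that one named connection can be audited and changed while the others are left alone; the entry names and the sample file are constructed for illustration.

```powershell
# Added example: per-entry audit and edit of a RAS phonebook (rasphone.pbk).
# Entry names and the sample file below are constructed, not from the thread.
function Get-PbkSetting {
    param([Parameter(Mandatory)][string]$Path,
          [string[]]$Key = @('IpInterfaceMetric', 'UseRasCredentials'))
    $row = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\[(.+)\]\s*$') {
            if ($null -ne $row) { [pscustomobject]$row }   # emit the previous entry
            $row = [ordered]@{ Entry = $Matches[1] }
        } elseif ($null -ne $row -and $line -match '^([^=]+)=(.*)$' -and $Key -contains $Matches[1]) {
            $row[$Matches[1]] = $Matches[2]
        }
    }
    if ($null -ne $row) { [pscustomobject]$row }           # emit the last entry
}

function Set-PbkSetting {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Entry,
          [Parameter(Mandatory)][string]$Key,
          [Parameter(Mandatory)][string]$Value)
    # Keep the first backup so the untouched original can always be restored.
    if (-not (Test-Path -LiteralPath "$Path.bak")) {
        Copy-Item -LiteralPath $Path -Destination "$Path.bak"
    }
    $current = $null
    $pattern = '^' + [regex]::Escape($Key) + '='
    $out = foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $current = $Matches[1] }
        # Rewrite the key only while inside the requested [entry] section.
        if ($current -eq $Entry -and $line -match $pattern) { "$Key=$Value" } else { $line }
    }
    Set-Content -LiteralPath $Path -Value $out
}

# Constructed two-entry phonebook. For a real one, point $pbk at
# $env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk (per-user)
# or the same path under $env:PROGRAMDATA (all users).
$pbk = Join-Path $env:TEMP 'sample-rasphone.pbk'
Set-Content -LiteralPath $pbk -Value @(
    '[Example Meraki VPN]', 'IpInterfaceMetric=0', 'UseRasCredentials=1', '',
    '[Other VPN]', 'IpInterfaceMetric=0', 'UseRasCredentials=1')

Set-PbkSetting -Path $pbk -Entry 'Example Meraki VPN' -Key 'IpInterfaceMetric' -Value '1'
Set-PbkSetting -Path $pbk -Entry 'Example Meraki VPN' -Key 'UseRasCredentials' -Value '0'
Get-PbkSetting -Path $pbk | Format-Table   # list each entry with its two settings
```

After changing a real phonebook, reconnect the VPN and compare the live values with `Get-NetIPInterface -AddressFamily IPv4 | Sort-Object InterfaceMetric`.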

Nash
Kind of a big deal

@BearTech Do you mean "VPN has lower priority" or "VPN has lower number/higher priority"?

If you want lower number/higher priority, you can get there using one of my PowerShell snippets to edit the saved setting in the rasphone.pbk file. That stores all of your saved connections through the Windows client.
