DNS not working in my VPN

SOLVED
Alain_Bensimon


Hello,

I have set up the VPN client. My main subnet is 10.69.11.0/24 and my client VPN is 10.69.69.0/24.

[screenshot: client vpn.JPG]

I have specified name servers as follows, 10.69.11.16 being the IP of my DC/DNS server.

[screenshot: ns.JPG]

From a VPN client, I can ping and reach any resource using the IP address, but I can't resolve names.

I just switched from my old ASA 5505 to this MX64, and with the old ASA it was working fine.

Thank you


1 ACCEPTED SOLUTION

You either don't have a DNS suffix configured on your machine, or on the client VPN, or both (you should need just one of these to make it work).


If you use my client VPN wizard it will set up the client VPN with the correct DNS suffix to make this work.

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html 


23 REPLIES
pmhaske
Meraki Employee

@Alain_Bensimon Curious to know if you can ping the DNS server from the client VPN host and what packet captures taken on the client VPN interface show when you are trying to reach it via hostname. Also, check if the local firewall on the DC is blocking non-local subnets like 10.69.69.0/24.

@pmhaske 

I can ping the DNS server, and I can ping any computer or server on the network and connect to VMs, but only using IPs.

The name resolution is not working.

@Alain_Bensimon Have you tried using servername.domain.local (fqdn)? Or are you using servername?

@pmhaske OK, so that's the thing I just discovered: if I use the FQDN, it works.
In my old ASA configuration, I had this: [screenshot: asa_domain.JPG]

And in the meraki I don't have that option.

So that is the issue.
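The post above narrows the symptom to "short name fails, FQDN works", which is exactly what a missing connection-specific DNS suffix on the VPN adapter looks like. The following diagnostic is an added example written for this thread (it is not the MX, PhilipDAth's wizard, or anything the poster ran); it checks the three things raised so far from the client side: whether the internal DNS server answers over the tunnel (pmhaske's DC-firewall question), what suffix Windows attached to the VPN adapter, and whether the short name fails while the FQDN resolves. The connection name "Polygon VPN" is taken from the error message later in the thread and 10.69.11.16 is the poster's DC; the suffix domain.local and the host name dc01 are placeholders to replace.

```powershell
function Test-VpnNameResolution {
    param(
        [string]$VpnName   = 'Polygon VPN',   # connection name seen later in the thread
        [string]$DnsServer = '10.69.11.16',   # the poster's DC/DNS server
        [string]$Suffix    = 'domain.local',  # placeholder: the AD DNS suffix
        [string]$ShortName = 'dc01'           # placeholder: a short host name to test
    )

    # 1. Tunnel state and the suffix Windows attached to it (the accepted answer's point).
    $vpn = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue
    if (-not $vpn) { Write-Warning "No VPN connection named '$VpnName'"; return }
    "Status             : $($vpn.ConnectionStatus)"
    "Profile DnsSuffix  : '$($vpn.DnsSuffix)'"
    $adapter = Get-DnsClient | Where-Object InterfaceAlias -eq $VpnName
    "Adapter suffix     : '$($adapter.ConnectionSpecificSuffix)'"
    "Global search list : $((Get-DnsClientGlobalSetting).SuffixSearchList -join ', ')"

    # 2. Reachability of the DNS server over the tunnel (pmhaske's DC-firewall question).
    $tcp = Test-NetConnection -ComputerName $DnsServer -Port 53 -WarningAction SilentlyContinue
    "TCP/53 to $DnsServer : $($tcp.TcpTestSucceeded)"

    # 3. Resolve a name the way applications do (system resolver, cache bypassed),
    #    optionally pinned to one server to prove the DC itself answers over the tunnel.
    $query = {
        param($name, $server)
        try {
            $p = @{ Name = $name; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
            if ($server) { $p.Server = $server }
            "$name -> $((Resolve-DnsName @p).IPAddress -join ', ')"
        }
        catch { "$name -> FAILED: $($_.Exception.Message)" }
    }
    & $query $ShortName $null                 # short name via normal resolution
    & $query "$ShortName.$Suffix" $null       # FQDN via normal resolution
    & $query "$ShortName.$Suffix" $DnsServer  # FQDN asked directly of the DC
}

Test-VpnNameResolution
```

Reading the output: if the short name fails, the FQDN succeeds, and the adapter suffix is empty, the fix is a suffix (for example Set-VpnConnection -Name 'Polygon VPN' -DnsSuffix 'domain.local', or a suffix search list on the machine); if TCP/53 to the DC is false and the direct FQDN query also fails, look at the DC's firewall scope before touching suffixes.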


@PhilipDAth Thank you, that seems awesome. I think I will use your script to deploy it on all computers.

@PhilipDAth I have tried to use your script, but I get an error. Can you help?

PS C:\Users\cayyzalbe\Desktop> C:\Users\cayyzalbe\Desktop\New Text Document.ps1
Unable to remove existing outdated instance(s) of Polygon VPN profile: Access denied 

PS C:\Users\cayyzalbe\Desktop> 

Use an Administrator PowerShell.

@PhilipDAth That's what I was thinking, but I don't have the option to run it as an administrator


[screenshot: TeamViewer_1KPhHw196v.png]


Click the Start button, type in PowerShell, right click, Run as Administrator. Then run the script inside of PowerShell.


https://www.digitalcitizen.life/ways-launch-powershell-windows-admin/ 

@PhilipDAth Yes, it works great. I just have to find a way to push it to some users in my AD. Maybe through a logon script.

Create a computer (not user) group policy to run the powershell script.

http://woshub.com/running-powershell-startup-scripts-using-gpo/ 


For bonus points, you could create a group of computers to deploy it to and have the group policy target that group.

@PhilipDAth Yes, I will create a GPO for that. By the way, is it possible to include in the script an icon for the rasphone shortcut?


I found it: $ShortCut.IconLocation = "C:\WINDOWS\system32\SHELL32.dll, 135" (135 being the number of the icon I have chosen).

>By the way, is it possible to include in the script an icon for the rasphone shortcut?


There is probably some way.  I've never tried.  I'm sure Google has the answer ...

@PhilipDAth 

okay, so the script works great, but only if I run it from an admin account.

Otherwise, it does create the shortcut, but it does not create the VPN connection.

If I switch to the admin account, the connection is there, but from the user account, no connection, even though I have run the script from the user account with admin rights.

>If I switch to the admin account, the connection is there, but from the user account, no connection, even though I have run the script from the user account with admin rights.


That is unusual. I typically deploy it from a computer-based group policy or an RMM using the SYSTEM account, and the users do see the connection.

@PhilipDAth 

Actually, here I even tried to run it manually, and PowerShell ISE tells me that the VPN was created, but I only get the shortcut with no connection.


Regarding the GPO, I have followed the tutorial in the link you've posted, but besides the script being allowed through the GPO, nothing else happened. No shortcut, and no connection created. And I've checked through gpresult that the GPO has been applied.

>PowerShell ISE tells me that the VPN was created, but I only get the shortcut with no connection.


That happens if the script is not run with Administrator privileges.


I'm assuming you have a reasonably up-to-date Windows feature update installed? I think it needs 1709 or something like that (which has been out for quite a while).

@PhilipDAth Yes, everything is up to date.

I made another try. I logged in as an admin and ran the script; it created the VPN connection, everything OK.

Then I logged in as a domain user, and this is what I get: the shortcut is here, but no connection.

[screenshot: vpn.JPG]

@PhilipDAth 

I have found this option: -AllUserConnection $true.

How can I add it to your script?


>I have found this option: -AllUserConnection $true.


That is used by the old Windows 10 VPN engine. @Nash has written some scripts that use that engine.

https://github.com/gammacapricorni/happy-meraki-client-vpn 

@PhilipDAth Thank you, it worked with the link you gave me (I just had to change the encryption level from Required to Custom).

Your script did indeed seem simpler, but for some reason, it was not creating the connection for all users.


Regarding the deployment with GPO, I have followed the tutorial at the link you gave me the other day, and I have tried on one computer, but despite the fact that the GPO was applied (I checked with gpresult), the script doesn't seem to start. No connection created at all.


Any idea?
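The thread by this point has touched four separate pieces: the DNS suffix that makes short names resolve, the -AllUserConnection question (a profile created without it lives in the running user's own phonebook, which is why an admin sees the connection and a domain user only sees the shortcut), the SHELL32.dll icon for the rasphone shortcut, and a GPO startup script that reports as applied yet leaves nothing behind. The script below is an added example written for this thread; it is not PhilipDAth's wizard or Nash's script from GitHub. It combines those pieces into one idempotent run that can be launched by hand from an elevated PowerShell or as SYSTEM from a computer startup GPO, and it writes a transcript under ProgramData so a run that never started can be told apart from one that failed partway. vpn.example.com, domain.local and the PSK are placeholders; -AuthenticationMethod Pap and -EncryptionLevel Optional are assumptions about the MX side (the thread reports that Custom was what worked with Nash's script), so match them to the dashboard's client VPN settings.

```powershell
# Added example for this thread; not PhilipDAth's or Nash's script.
# Placeholders to replace: $ServerFqdn, $DnsSuffix, $Psk (and the auth/encryption assumptions).
$ErrorActionPreference = 'Stop'
$VpnName    = 'Polygon VPN'          # connection name seen in the thread
$ServerFqdn = 'vpn.example.com'      # placeholder: MX public hostname or IP
$DnsSuffix  = 'domain.local'         # placeholder: AD DNS suffix, makes short names resolve
$Psk        = 'REPLACE-WITH-PSK'     # placeholder: shared secret from the dashboard
$LogDir     = Join-Path $env:ProgramData 'VpnDeploy'

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Start-Transcript -Path (Join-Path $LogDir 'deploy.log') -Append

try {
    # A computer startup script runs as SYSTEM; a manual run must be elevated.
    # Without rights, -AllUserConnection fails and only the shortcut gets created,
    # which is the "shortcut but no connection" symptom reported above.
    $principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList ([Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Not elevated: run from an Administrator PowerShell or as SYSTEM via GPO."
    }

    # Idempotent: drop a stale all-user profile of the same name before recreating it.
    if (Get-VpnConnection -Name $VpnName -AllUserConnection -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $VpnName -AllUserConnection -Force
    }

    # -AllUserConnection writes the profile to the machine-wide phonebook so every user
    # sees it; -DnsSuffix sets the connection-specific suffix on the VPN adapter.
    Add-VpnConnection -Name $VpnName -ServerAddress $ServerFqdn `
        -TunnelType L2tp -L2tpPsk $Psk -AuthenticationMethod Pap `
        -EncryptionLevel Optional -DnsSuffix $DnsSuffix `
        -AllUserConnection -RememberCredential -Force

    # Public-desktop shortcut that dials the connection, using the icon index the poster chose.
    $lnkPath = Join-Path ([Environment]::GetFolderPath('CommonDesktopDirectory')) "$VpnName.lnk"
    $shell   = New-Object -ComObject WScript.Shell
    $lnk     = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath   = Join-Path $env:SystemRoot 'System32\rasphone.exe'
    $lnk.Arguments    = "-d `"$VpnName`""
    $lnk.IconLocation = (Join-Path $env:SystemRoot 'System32\SHELL32.dll') + ',135'
    $lnk.Save()

    # Show what was actually written to the all-user phonebook.
    Get-VpnConnection -Name $VpnName -AllUserConnection |
        Select-Object Name, ServerAddress, TunnelType, DnsSuffix
}
finally {
    Stop-Transcript
}
```

When a GPO run leaves nothing behind, check C:\ProgramData\VpnDeploy\deploy.log on the client first: no file means the startup script never executed (script path or execution policy, not the VPN cmdlets); a file containing the "Not elevated" error means it ran without SYSTEM rights; a file ending in the Get-VpnConnection table means the profile exists and the remaining problem is on the MX side.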

@PhilipDAth Your script is definitely better, because it uses this new engine, and users can use the same shortcut to connect / hang up. If you find a way to make it active for all users, it would be great.
