VPN DNS issues on Win 7 and not XP Pro

[rrfd43]

I have deployment of 6 MDT's on my vehicles. Two terminals have been in service for some time now and run Win XP pro service pack 3. There is a Cisco AnyConnect client that connects with a certificate to the county server and recieves the CAD data.

I use Verizon air cards (3G and now 4G). The Verizon card gets service and then or course the VPN connects across it to the county server. I have to manually assign the county DNS address for the air card to allow the computers to properly connect and surf the web. The air card holds this manual DNS and work fine in. When the VPN connects it will "manually" assign an IP, subnet, and gateway. It does not show a DNS. On the XP machine this is not a problem, the web works fine.

On the Win 7 machine I have the problem. The air card DNS is manually assigned like the XP and the VPN is the same (no DNS noted). This here is the problem. unlike the XP the Win7 machine will NOT negotiate DNS across the tunnel and will NOT surf the web. I can fix this by entering the county DNS into the VPN manually but it removes this entry every time it reconnects. This cant stay this way becuase the average user will never figure out how to go here and re-assign it every time.

Interestingly if I connect across wireless at the station and bypass the air card I have the same problem. Works XP not 7.

All machines are Toshiba T900 tablets, same vpn, same air card.

What do I have to change, switch etc in Win 7 to make this work?

Can anyone add some help?

[JAYMZ]

Check your LAN manager authentication in the Windows 7 local security policy. And make sure that Windows Firewall is not blocking port 139 as well. Are the 4g cards working in the XP machines? Are there any new cards/IPs in the system? Are you using static IP addressing? If so are all your ACLs on the VPN concentrators configured to allow those static IPs?

[rrfd43]

The lan manager authoization is not defind. I'm not sure what to change it to.

Also this set up works fine on XP, just does not work on win7. That is why I think there is some check box or setting that causes the problem.

I disable windows firewall and run symantec endpoint security with the network protection. Also the same program on the xp machine. I disabled this and got the same result -no dns on the tunnel.

[JAYMZ]

I checked my windows 7 laptop on my VPN and I have LM and NTLMv2 enabled. And I think the network DNS servers on your local machine may need to be changed for the VPN, but I don't remember off hand where to do that.

[tvsjr]

With no offense to my esteemed Yankee colleague, I think matters are being overcomplicated a bit.

First, check my assumptions.
The machines boot up and connect to the Internet through an Aircard of some description. They receive an IP and public DNS servers.
Then, the machine connects to a VPN concentrator or firewall (I'm guessing an ASA of some size?) via Anyconnect. There, it receives a private IP on the county network. I'm assuming this connection is a full tunnel - not split, where non-county traffic goes straight to the Internet and not across the tunnel.
Good so far?

Does AnyConnect push DNS settings to the XP machines, or are you doing it through some other method? If the former, you have a Cisco problem. If the latter, you need to reevaluate how you're doing things.

I have a few ASA setups supporting dozens of users, running AnyConnect. Where full-tunnel is concerned, the users receive a private IP and internal DNS servers when they connect. The internal DNS resolves the internal zone and forwards the rest, allowing the machines to access internal and external sites as if they were sitting at a desk. These users run everything from Linux to Mac to WinXP/Vista/7, and it all works fine.

When you talk about connecting across wireless at the station - I assume you're connected to wireless and then firing up the AnyConnect VPN?

If you are using settings in AnyConnect to push DNS and 7 isn't getting the hint, you have a configuration error. Send me the appropriate sections of your running config (probably best via PM or email - my user name at my user name dot com). An ipconfig /all and a route print from a working XP box and a jacked-up 7 box would also be helpful.

[JAYMZ]

Based on the fact that the XP machines are in fact receiving their DNS through the tunnel it would seem reasonable that the tunnel is a full tunnel with no (or little) errors in configuration at all on the Cisco side. The VPN doesn't care what the client is, it just enables the communication to the remote site and back. If the host operating system is not doing anything with the DNS than it would be a fairly safe bet to assume that the it is the operating system is the culprit.

[Bill_G]

I haven't played with win7 yet, but the native vpn and ipsec settings in XP had a box to be checked that said something along the lines of "accept host dns" buried in the tcpip screens. You had to drill for it.

[rrfd43]

thanks for all the replies. Still no luck. I did talk with the county: I am running Anyconnect 2.3. Versios and 2.4 and 2.5 have win 7 compatability and may be the problem. I hope (praying) to have news on monday.

[tuckerm]

Windows 7 32bit or 64?

[tvsjr]

thanks for all the replies. Still no luck. I did talk with the county: I am running Anyconnect 2.3. Versios and 2.4 and 2.5 have win 7 compatability and may be the problem. I hope (praying) to have news on monday.

Ew, 2.3? That's your problem. Bump the AC version up on the ASA and let it push the update out to the clients.

[rrfd43]

64 bit windows 7. I think the county made some change it has held the dns for 24 hours and numerous restarts...

[tuckerm]

We had some issues with Cisco VPNs and Windows 7 64bit. At the time, Cisco wasn't supporting the client for it on our laptops. I'm sure this has since changed, but, if you've got an old client it could be throwing some issues.