Problems with Cisco VPN?

Discussion in 'iPhone Tips, Help and Troubleshooting' started by CaptSaltyJack, Jul 10, 2008.

  1. CaptSaltyJack macrumors 6502

    Jun 28, 2007
    So I added a new Cisco (IPsec) VPN config and connected just fine, I get the blue VPN logo in the status bar at the top. But I can't surf to my company's internal web sites. It seems like the iPhone is not using our company's DNS servers. This works just fine as expected on the Mac, if I run the Cisco VPN software and connect, then my DNS server on the Mac is temporarily changed to my company's servers.

    Anyone else experience this?
  2. kevyg macrumors newbie

    Jul 29, 2007
    Yep, no DNS

    You're right on the money - it's not using the DNS servers supplied by the remote VPN server/concentrator. If I try to hit an internal server by IP address, I get there - which means the actual IPSec tunnel is up and functioning. Confirmed that in the logs on our VPN concentrator, too. But trying to get to anything by name doesn't work. Which probably makes VPN completely useless at this point.

    How does this stuff get past QA testing? Terrible. Take a lap.
  3. CaptSaltyJack thread starter macrumors 6502

    Jun 28, 2007
    Wow, pretty big screw-up. :) I'll have to report it officially to them, I'd recommend others do so too.
  4. outz macrumors 6502

    Jul 17, 2007
    I noticed the DNS issue this morning after purchasing and attempting to log in via VPN. How lame.
  5. kevyg macrumors newbie

    Jul 29, 2007
  6. demiurgical macrumors member

    Jun 29, 2007
    I just VPN'd in from a 1st generation iPhone with 2.0 firmware. Was able to load several intranet pages w/o any problems.

    Side note: I was having problems connecting to VPN at first but then I figured out you don't need your domain prior to your username and that connected me in right away.

  7. svento macrumors newbie

    Jun 30, 2007
    I'm seeing this too. I was able to finally access my company's Exchange server by finding out the IP address of it and putting it in the "server" field of the email setup.

    I also tried to manually set the DNS server address in the network setup, but that didn't work. I would be fine with this solution since I don't expect my company to change DNS servers too often! Anyone have any ideas why this doesn't work? (I tried delimiting the addresses with spaces and commas.)
  8. CaptSaltyJack thread starter macrumors 6502

    Jun 28, 2007
    This is still broken as of OS 3.0. Total crap.
  9. roderickm macrumors newbie

    Nov 12, 2009
    It's not lame, or terrible. If you configure the VPN Concentrator which networks you want to tunnel ("split tunneling"), then you should configure the concentrator for the domains that use your internal DNS servers ("split dns").

    Create an access list to describe the networks you wish to tunnel:
    asa(config)# access-list VPN_SplitTunnel remark My Private Network1
    asa(config)# access-list VPN_SplitTunnel standard permit 
    asa(config)# access-list VPN_SplitTunnel remark My Private Network2
    asa(config)# access-list VPN_SplitTunnel standard permit
    ...then in your group-policy, set the policy to tunnel only the networks specified, and point to the access-list you just created:
    asa(config)# group-policy DfltGrpPolicy attributes
    asa(config-group-policy)# split-tunnel-policy tunnelspecified
    asa(config-group-policy)# split-tunnel-network-list value VPN_SplitTunnel
    While you're still in your group-policy, specify your DNS servers and the internal domains that should use them:
    asa(config-group-policy)# dns-server value
    asa(config-group-policy)# split-dns value domain.internal
    With the above settings, when the VPN client looks up server.domain.internal or, it will query and

    I had the same problem described above on my iPhone before I set up split-dns. Even when a split-tunnel-policy is set and dns-servers are given, the iPhone will continue to use its own (3G or WiFi assigned) DNS servers that don't know your internal DNS. Add the split-dns domains to your group-policy and it will work.
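Added example, not part of the original thread: a small audit for the condition described in the post above, flagging group policies that tunnel only specified networks and push DNS servers but list no split-dns domains. The config excerpt, the extra policy names and the 192.0.2.x addresses are constructed for illustration, and the parser assumes the single-space indentation of ASA running-config output.

```python
import re

# Constructed sample of an ASA running-config excerpt. Addresses are from the
# 192.0.2.0/24 documentation range; Fixed_Policy and Full_Tunnel are made up.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 dns-server value 192.0.2.10 192.0.2.11
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SplitTunnel
group-policy Fixed_Policy attributes
 dns-server value 192.0.2.10
 split-tunnel-policy tunnelspecified
 split-dns value domain.internal corp.internal
group-policy Full_Tunnel attributes
 dns-server value 192.0.2.10
 split-tunnel-policy tunnelall
"""

HEADER = re.compile(r"^group-policy\s+(\S+)\s+attributes\s*$")


def parse_group_policies(config_text):
    """Return {policy_name: {keyword: [values]}} for each attributes block."""
    policies, current = {}, None
    for line in config_text.splitlines():
        match = HEADER.match(line)
        if match:
            current = policies.setdefault(match.group(1), {})
        elif not line.startswith(" "):
            current = None  # left the indented attributes block
        elif current is not None and line.split():
            key, *rest = line.split()
            # "value" is a literal keyword; "none" means nothing is configured
            values = [w for w in rest if w not in ("value", "none")]
            current.setdefault(key, []).extend(values)
    return policies


def missing_split_dns(config_text):
    """Names of split-tunnel policies with DNS servers but no split-dns."""
    flagged = []
    for name, attrs in parse_group_policies(config_text).items():
        split = "tunnelspecified" in attrs.get("split-tunnel-policy", [])
        if split and attrs.get("dns-server") and not attrs.get("split-dns"):
            flagged.append(name)
    return flagged
```

Calling `missing_split_dns()` on the text of a saved running-config returns the policy names to review; the full-tunnel policy is not flagged because it does not use `tunnelspecified`.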
