Just deployed an MX100 yesterday replacing an ASA 5506, mainly to accommodate more VPN users. Going to cut to the chase. Most users are working fine over the VPN, with one strange group of users with problems. It seems as if anyone who is using AT&T for internet at home IS able to connect to the VPN, but UNABLE to access resources. They can ping servers by internal IP addresses, but when trying to ping by name, they get a response of a public IP address that isn’t associated with our networks (example 23.217.138.110). So these users have no access to internal resources.
Sounds like DNS, right? Here is the weird thing, more than one of these users has a hot spot they can connect with…they literally unplug from their home AT&T network, connect to the hot spot and 10 seconds later, connect to the VPN and can ping by name, open mapped drives, the works.
Here may be another important piece of the puzzle…the main connection at the office is a 500Mb AT&T pipe, perhaps something in this mix doesn’t like AT&T networks at both ends?? I don’t know! Like I said, about 8-10 users who have AT&T at home are having this issue, at least another 40 users who don’t aren’t having issues.
This is my first Meraki deployment, I’ve never seen a simpler setup with a client VPN. In the DNS section, I have 2 internal DNS servers set in the Custom Nameservers field.
I don’t have much information to give on the topic but I am running into the same issue. Have a handful of employees with AT&T home internet and they have constant issues. Talked with AT&T support and the answer I got was along the lines of they are aware of the issue but didn’t have any type of resolution to give.
Add the domain to the end of the DNS name. I have a similar issue for anyone who wasn’t on a system that was originally domain connected for some reason, i.e. \\computer becomes \\computer.domain.local
Had the exact issue the other day. Running an MX250, some users full, some split tunnel. One of my engineers running split tunnel with AT&T home internet was getting a very similar IP when pinging internal resources. Had him set his machine to Quad9 and it fixed the issue. Also suggest pushing a DNS suffix if possible.
I had this EXACT problem except with Verizon Fios users.
The solution is to change the DNS servers on the user's home router. It doesn’t matter if you are trying to shove everything through the tunnel or split.
For me, I used OpenDNS servers, and they are working great. I imagine Google DNS will work great too. You just need to get off of the ISP DNS.
Unfortunately this means someone needs to change the DNS on the user's router. It’s easy enough to do, but before touching “personal” equipment make sure you clear it from above, and make sure the user knows that they can call AT&T to have anything you do reverted if necessary.
Connect to a client’s machine with the issue, then issue a ping or nslookup command to a (bunch of random numbers and letters here) and I bet even though that address doesn’t exist an IP will show up (most likely to an advertiser's search page $$). The best thing to do is switch DNS on the router or client PC.
Here is a script you can use (needs admin):
It will look up the hostname: “aldsfkldskflsdkflds43242134ffsdfsd”
```batch
@echo off
setlocal
rem Pass 1 (setdhcp=0): put every connected interface back on its DHCP-assigned DNS servers.
rem Pass 2 (setdhcp=1): resolve a hostname that cannot exist. If the resolver still returns an
rem answer (NXDOMAIN hijacking, typical of some ISP resolvers), switch the interface to 8.8.8.8/8.8.4.4.
rem Note: nslookup uses the system default resolver, so the check is global, not per interface.
set setdhcp=0
ping -n 3 127.0.0.1 > nul
:begin
rem Reset the interface counter at the start of each pass (the original only reset it once).
set s=0
rem List connected interfaces and count them (find /C prints "---------- FILE: N").
netsh interface show interface | find "Connected" > connected.txt
find /C "Connected" connected.txt > connected2.txt
for /f "tokens=1-2 delims=:" %%A in (connected2.txt) do set skip=%%B
del connected2.txt
set skip=%skip:~1,3%
set /a exittest=%skip%-1
rem Columns are: Admin State, State, Type, Interface Name (the name may be up to five words).
for /f "tokens=1-8 delims= " %%A in (connected.txt) do set con=%%D&&set con2=%%E&&set con3=%%F&&set con4=%%G&&set con5=%%H&&goto next
:next
rem Rebuild the quoted interface name from its words (no space before && so value has no trailing blank).
if "%con2%" equ "" set value="%con%"&&goto done
if "%con3%" equ "" set value="%con% %con2%"&&goto done
if "%con4%" equ "" set value="%con% %con2% %con3%"&&goto done
if "%con5%" equ "" set value="%con% %con2% %con3% %con4%"&&goto done
set value="%con% %con2% %con3% %con4% %con5%"&&goto done
:multiple
rem Advance to the next interface, or finish the pass when all have been handled.
if %skip% equ 1 goto end
if %s% equ %exittest% goto end
set /a s=%s%+1
for /f "skip=%s% tokens=1-8 delims= " %%A in (connected.txt) do set con=%%D&&set con2=%%E&&set con3=%%F&&set con4=%%G&&set con5=%%H&&goto next
:done
if %setdhcp% equ 0 goto dhcp
rem A genuine NXDOMAIN produces no "Name:" line, so find exits 1 and the DHCP servers are kept.
nslookup aldsfkldskflsdkflds43242134ffsdfsd | find "Name:"
if %errorlevel% equ 1 goto dhcp
echo dns set
netsh interface ipv4 set dns name=%value% static 8.8.8.8 primary validate=no
netsh interface ipv4 add dns name=%value% 8.8.4.4 validate=no
ipconfig /flushdns
goto multiple
:dhcp
netsh interface ip set dns %value% dhcp
ipconfig /flushdns
goto multiple
:end
if %setdhcp% equ 0 set setdhcp=1&&goto begin
del connected.txt
endlocal
exit /b
```
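The same check as the batch script above, written as an added PowerShell example (not from this thread): it tests each IPv4 resolver on the PC's connected physical adapters, i.e. the home ISP side rather than the VPN adapter, for NXDOMAIN hijacking, and with `-Fix` applies the two mitigations suggested earlier in the thread, a public resolver (Quad9) on the affected adapter plus a DNS suffix so short names resolve through the VPN. It assumes Windows 10/11 with the DnsClient module, an elevated shell for `-Fix`, and `corp.example` as a placeholder for your internal domain.

```powershell
# Added example: per-resolver NXDOMAIN hijacking check with optional fix. Placeholders: corp.example.
[CmdletBinding()]
param(
    [switch]$Fix,
    [string[]]$PublicDns = @('9.9.9.9', '149.112.112.112'),  # Quad9
    [string]$Suffix = 'corp.example'                         # placeholder: your internal AD DNS suffix
)

# A label that cannot exist. An honest resolver answers NXDOMAIN, which Resolve-DnsName reports as an error.
$bogus = 'nx-' + [guid]::NewGuid().ToString('N').Substring(0, 16) + '.example'

$affected = @()
foreach ($ad in (Get-NetAdapter -Physical | Where-Object Status -eq 'Up')) {
    $servers = (Get-DnsClientServerAddress -InterfaceIndex $ad.ifIndex -AddressFamily IPv4).ServerAddresses
    foreach ($srv in $servers) {
        try {
            # -DnsOnly/-NoHostsFile: ask this resolver directly, skipping cache, hosts file and LLMNR.
            $ans = Resolve-DnsName -Name $bogus -Server $srv -Type A -DnsOnly -NoHostsFile -ErrorAction Stop
            $ip  = ($ans | Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1).IPAddress
            Write-Warning ("{0}: resolver {1} answered {2} for a nonexistent name (NXDOMAIN hijacking)" -f $ad.Name, $srv, $ip)
            $affected += $ad.ifIndex
        }
        catch {
            Write-Output ("{0}: resolver {1} returned NXDOMAIN (OK)" -f $ad.Name, $srv)
        }
    }
}

if ($Fix -and $affected) {
    foreach ($idx in ($affected | Sort-Object -Unique)) {
        # Override the ISP/router resolver only on the hijacked adapter.
        # (Set-DnsClientServerAddress -InterfaceIndex $idx -ResetServerAddresses reverts to DHCP later.)
        Set-DnsClientServerAddress -InterfaceIndex $idx -ServerAddresses $PublicDns
    }
    # Let short names such as \\fileserver be tried as fileserver.<suffix>, as suggested in the thread.
    $list = @((Get-DnsClientGlobalSetting).SuffixSearchList) + $Suffix | Select-Object -Unique
    Set-DnsClientGlobalSetting -SuffixSearchList $list
    Clear-DnsClientCache
}
```

Run it without `-Fix` first to see which resolver is answering for names that do not exist; that output is what to show AT&T support or the user before touching their router.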