Archive for February, 2010

Funky DNS resolution with cisco VPN and Vista/7

You have Vista or Windows 7 and finally got the latest version of the Cisco VPN client (5.0.06.0110) to install and apparently work. All is well until you try to get to some other internal host after a few minutes or more. Suddenly no hosts other than the original host resolve! You ping your internal DNS server by address and it responds. nslookup reports timeouts and can't resolve the host name of the internal DNS server. What the heck is going on here? Is it another Cisco "issue"? The clue is that everything works fine on XP but not on Vista/7. So what changed between XP and Vista/7? Well, it turns out that Microsoft rewrote the IP stack for Vista/7 and, among other things, added a nifty little feature called autotune. This is supposed to automatically tune the receive window size based on latency, usage and the color of your underwear. So guess what? Since you don't resolve internal names over the VPN very much (and you have green undies on), name resolution gets tuned down to practically nothing. So when you try to use it, it times out. The fix is to turn off autotune. You can do this as follows:

Disable TCP Auto-Tuning

1. Open an elevated command prompt with administrator privileges.
2. Type the following command and press Enter:
netsh interface tcp set global autotuning=disabled

Enable TCP Auto-Tuning

1. Open an elevated command prompt with administrator privileges.
2. Type the following command and press Enter:
netsh interface tcp set global autotuning=normal

How about that law of unintended consequences???


Update: Sometimes the above does not entirely fix the problem. Do the following (note: the article quoted below was originally written for Server 2003 but appears to be applicable to this case too).


The Domain Name System (DNS) client screening feature lets Microsoft Windows Server 2003-based computers determine whether a DNS server is reachable from the configured interface. However, this feature may also prevent access to a DNS server that is otherwise available.

This article describes how to turn off the DNS client screening feature.

To turn off the DNS client screening feature, you must first create the ScreenUnreachableServers registry entry. To do this, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type ScreenUnreachableServers, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. Type 0 in the Value data box, and then click OK.
  7. Exit Registry Editor.

    Note: You must stop and then start the DNS Client service for the registry change to take effect.

In some configurations, the DNS client screening feature may prevent access to a DNS server that is otherwise available. Typically, this occurs on a server that has more than one network adapter interface. The operating system determines whether a DNS server is reachable, together with the DNS client screening feature.

It is by design that the DNS Client service does not access the DNS servers that appear to be unreachable from the interface on which they are configured. The DNS servers are marked unreachable for the server even though they may be available to the other network adapter on the same server.
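The two fixes above (disabling TCP autotuning and creating the ScreenUnreachableServers value) can be applied and checked in one go from an elevated PowerShell prompt. This is an added example, not part of the original post or of any Microsoft documentation; the -Revert switch and the default test host name dns01.corp.example are assumptions of the example.

```powershell
# Added example (not from the original post): apply and verify both fixes
# described above on Vista/7 from an elevated PowerShell session.
# Assumptions: -Revert is a hypothetical convenience switch to undo the
# change; dns01.corp.example is a placeholder for an internal host name.
param(
    [switch]$Revert,
    [string]$TestHost = 'dns01.corp.example'
)

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (Administrator) PowerShell prompt."
}

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$name = 'ScreenUnreachableServers'

# 1. Record the current receive-window autotuning level before changing it.
Write-Host "Before:"
netsh interface tcp show global | Select-String 'Auto-Tuning'

if ($Revert) {
    # Put autotuning back to normal and drop the screening override.
    netsh interface tcp set global autotuning=normal | Out-Null
    Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
} else {
    # 2. Disable autotuning so the rarely used DNS path is not tuned down.
    netsh interface tcp set global autotuning=disabled | Out-Null
    # 3. Create (or overwrite) the DWORD that turns off DNS client screening.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
}

# 4. The DNS Client service must be restarted for the registry change to apply.
Restart-Service -Name Dnscache -Force

# 5. Verify the resulting state and try resolving an internal name.
Write-Host "After:"
netsh interface tcp show global | Select-String 'Auto-Tuning'
Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue | Select-Object $name
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($TestHost) | ForEach-Object { $_.IPAddressToString }
    Write-Host "$TestHost resolves to: $($addrs -join ', ')"
} catch {
    Write-Warning "$TestHost still does not resolve: $($_.Exception.Message)"
}
```

Run it once with no arguments to apply the fixes, and with -Revert to restore the defaults if they made no difference.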
