Netscaler VPN - DNS lookup not working


Rowen Gunn

Good morning,

 

I've set up a new test VPN gateway on my NS 11.1 pair and my test clients can connect; however, they can't reach anything unless they use the FQDN. For instance, a VPN user can't ping testmachine but they can ping testmachine.domainname.com. The same seems to be true for all DNS requests, despite the fact that I've put a name server and DNS suffix into the gateway settings.

I also noticed I can't ping from the NS to anything on the network without the .domainname.com suffix, even though I've added a DNS suffix in the main Netscaler setup as well. Any help pointing me in the right direction would be appreciated. Thank you!

 

Screenshots of session profile and DNS settings:

 

 


Kaleb,

 

Thanks! Now I can ping from the Netscaler with FQDN; however, my VPN users still can't.

What's happening is that when a Netscaler VPN user pings PRODSERVER, the Netscaler VPN attempts to ping the internet or my home network; it will not attempt to ping PRODSERVER.companydomain.com. I can, however, reach all of my company servers by IP address and FQDN just fine, just not by host name.


I see you left the DNS Virtual Server option open in your Network configuration tab.

 

What happens when you configure the internal DNS vServer there?

 

I know there were some problems with DNS resolution that were supposedly fixed in 11.0 releases but I also heard some people still had trouble getting it to work.

 

I found another ticket that covers a similar problem and there should be a fix on its way for your model MPX.

http://discussions.citrix.com/topic/353132-netscaler-gateway-ssl-vpn-dns-name-resolution-for-internal-ressources-not-working-with-fqdn/


I just tried turning off IPv6 with no change, VPN users still try to access the WAN when a host name is contacted vs accessing the VPN corporate network. 

 

There is no DNS vServer listed in the pull-down, and I'm not 100% certain how to set one up. Prior to the 11.1 upgrade (when we had 10.5) this worked on the VPN just fine, so I didn't need a DNS vServer.

 

Attached is a screenshot of what it does. When I try to ping MHVD-ROGUNN (an internal Maxhealth.com machine) the Citrix VPN attempts to hit the WAN first, despite split tunneling being set as off. If I ping by the FQDN it can resolve and access the correct internal machine.

 

 


You can find your DNS servers here:

Traffic Management > DNS > Name Servers.

 

It is likely configured already though, since FQDN does work...

An NSLOOKUP should show you a DNS server (if any) when connected to the VPN.

 

http://www.carlstalhood.com/netscaler-gateway-11-ssl-vpn/#Prerequisites

Here you can find some instructions on how to configure the required prerequisites, but you will likely have seen this article already.

This might be worth logging a support call over if you have a maintenance program.


  • 1 month later...

Hi!

Has there been a solution to the issue? I'm facing the same in two different environments.

 

A solution was never found with 11.1 47. I ended up migrating to the new 11.1 48, in which the DNS bug appears to be fixed. However, Insight doesn't work at all in 11.1 versions, and also every 4.5 hours now I have to reboot one of my HA pair or the VPN goes down. Hurray for QA! I wish I'd never installed 11.1, but sadly it seems you can't downgrade from 11.1 either, yet another bug.


  • 3 years later...

We have the exact same issue here still, in 2019.

Let's say:

1. Your home network has a DNS suffix home.local.

2. Your corp network has a DNS suffix corp.com.

Check your ipconfig settings in cmd: you will see your home network physical adapter has a suffix setting "home.local", but the Citrix virtual adapter doesn't have any suffix configured.

When you try to ping a host "host-a", it will actually show you are pinging "host-a.home.local", so you will not be able to get the correct result in most cases.

I don't know why Citrix doesn't use normal settings like Cisco. The Cisco virtual adapter has normal DNS settings with a DNS suffix configured and works much, much better than Citrix.

I guess maybe Citrix either doesn't care about this issue or they cannot fix it due to some limitations.

We have used Citrix full VPN for a while. DNS-related issues are the biggest problem for us. Sometimes we even have to use an IP address to connect.

But if you really care about DNS function, my suggestion is don't use Citrix VPN before they fix this issue.

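The suffix behaviour described in the last post, as an added example that is not part of the original thread: a Python sketch that parses `ipconfig /all` text, lists adapters with an empty connection-specific DNS suffix, and shows which names a short host name expands to. The sample output, adapter names and the `parse_ipconfig` / `suffix_report` helpers are constructed for illustration, and it assumes the resolver appends the suffixes on the "DNS Suffix Search List" line in order.

```python
import re

# Constructed `ipconfig /all` excerpt modelled on the post's scenario;
# host name, adapter names and addresses are illustrative, not captured.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP-01
   Primary Dns Suffix  . . . . . . . :
   DNS Suffix Search List. . . . . . : home.local

Ethernet adapter Citrix Virtual Adapter:

   Connection-specific DNS Suffix  . :
   DNS Servers . . . . . . . . . . . : 10.0.0.53

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : home.local
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Field lines are indented three spaces; continuation lines are indented deeper.
FIELD = re.compile(r"^ {3}([A-Za-z][A-Za-z \-]*?)[ .]*:[ \t]*(.*)$")

def parse_ipconfig(text):
    """Return {section: {field: value}}; the leading block is keyed 'global'."""
    sections, current, last = {"global": {}}, "global", None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current, last = line.rstrip()[:-1], None   # adapter header
            sections[current] = {}
        elif (m := FIELD.match(line)):
            last = m.group(1)
            sections[current][last] = m.group(2).strip()
        elif line.strip() and last:                    # extra suffix or server
            sections[current][last] += " " + line.strip()
    return sections

def suffix_report(text, short_name, corp_suffix):
    """Adapters with no suffix, and the FQDNs a short name is expanded to.
    Assumption: suffixes from 'DNS Suffix Search List' are appended in order."""
    sections = parse_ipconfig(text)
    search = sections["global"].get("DNS Suffix Search List", "").split()
    missing = [name for name, fields in sections.items() if name != "global"
               and not fields.get("Connection-specific DNS Suffix")]
    candidates = [f"{short_name}.{s}" for s in search]
    return {"missing_suffix": missing, "candidates": candidates,
            "corp_name_tried": f"{short_name}.{corp_suffix}" in candidates}

if __name__ == "__main__":
    print(suffix_report(SAMPLE, "host-a", "corp.com"))
```

When `corp_name_tried` is false, the short name is only ever qualified with the home suffix, so the query for an internal host name goes out under the wrong domain.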
