MacOS – Cisco VPN Client Interrupts LDAP Server Connectivity


I run an LDAP server on my home network to store accounts, automount entries, etc. I spent a lot of time getting the LDAP server configured properly for OS X clients, and everything seems to work, except when I login to my employer's VPN using Cisco VPN Client on OS X 10.5.

So far, I've traced the problem down to the fact that the OS X Directory Service does a reverse DNS (PTR) lookup for the LDAP server, and it appears the Cisco VPN Client is intercepting those DNS requests. To figure this out, I enabled debugging in the directory service, and the following appears in the debug log:

2010-02-11 18:02:02 EST - T[0xB031C000] - CLDAPConnectionManager::CheckFailed - checking 1 node connections
2010-02-11 18:02:02 EST - T[0xB031C000] - CLDAPNodeConfig::CheckWithSelect - good socket to host but failed check, clearing from poll

Digging further with tcpdump, I found that I can do DNS lookups for the directory server's hostname, but reverse lookups aren't getting to my LAN's DNS server at all. Instead, the VPN client appears to be eating them and referring them to

Now, I know that this is how things are normally supposed to work when you query an internet DNS server for a private network address in RFC 1918 address space. However, the query is supposed to be going to my LAN's DNS server (just dnsmasq running on a Linksys WRT54G). And, when the VPN client isn't running, these requests come back fine, and OS X can connect to my LDAP server, and I'm happy. But once I start Cisco VPN Client, it seems to be intercepting these requests, which blocks access to my LDAP, which means my automount shares don't come up, which is very annoying.

So, does anyone know why the VPN Client would do something like this, and can anyone think of any workarounds?

Best Answer

It sounds like the Cisco VPN Client has been configured to block access to your local network and only provide network connectivity to the internal VPN network. This is normally done for security reasons, to prevent bridging the networks together. As part of this it has set your DNS settings for the VPN to be the VPN LAN ones so that you can resolve DNS names of your company network, hence your problem.

There will be an option to "Allow Local LAN access" in the VPN settings, but that is normally administratively turned off. Here is a link showing you how to turn on Allow Local LAN Access, but your VPN admins have probably locked that down to prevent it.
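To illustrate the mechanism the answer describes, here is an added example (my own model, not code from the question, the answer, or the Cisco client): it builds the PTR query name the Directory Service generates for the LDAP server's RFC 1918 address, then shows which resolver answers it when the VPN client has replaced the system resolver versus when the home LAN's reverse zone is kept on the LAN resolver. The addresses, zone data and the split-resolver table are constructed for the scenario; the split arrangement is an assumption for comparison, not a setting the answer says the client exposes.

```python
import ipaddress

# RFC 1918 ranges: only a LAN-side resolver can hold PTR records for these addresses
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed scenario: dnsmasq on the home router, and a resolver pushed by the VPN (placeholder)
LAN_DNS = "192.168.1.1"
VPN_DNS = "10.20.0.53"

# Constructed PTR data each resolver holds; the VPN resolver knows nothing about the home LAN
PTR_ZONES = {
    LAN_DNS: {ipaddress.ip_address("192.168.1.10").reverse_pointer: "ldap.home.lan"},
    VPN_DNS: {ipaddress.ip_address("10.20.0.5").reverse_pointer: "fileserver.corp.example"},
}

def ptr_name(ip):
    """Query name a reverse lookup produces, e.g. 192.168.1.10 -> 10.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def is_rfc1918(ip):
    """True when the address is private, so no internet or corporate resolver can answer its PTR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def pick_resolver(qname, policy):
    """Longest-suffix match of the query name against a zone -> resolver table; '' is the default."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in policy:
            return policy[suffix]
    return policy[""]

def reverse_lookup(ip, policy):
    """Return (resolver used, PTR answer or None) for a reverse lookup under the given policy."""
    qname = ptr_name(ip)
    resolver = pick_resolver(qname, policy)
    return resolver, PTR_ZONES[resolver].get(qname)

# What the VPN client effectively installs: every query, reverse lookups included, goes to VPN DNS
VPN_ONLY = {"": VPN_DNS}
# Assumed split arrangement: the home LAN's reverse zone stays on the LAN resolver, the rest on VPN DNS
SPLIT = {"": VPN_DNS, "1.168.192.in-addr.arpa": LAN_DNS}

if __name__ == "__main__":
    for label, policy in (("vpn-only", VPN_ONLY), ("split", SPLIT)):
        print(label, reverse_lookup("192.168.1.10", policy))
```

Under the VPN-only table the LDAP server's PTR query lands on the VPN resolver and gets no answer, which is the failed connection check in the debug log; under the split table the same query reaches the LAN resolver and resolves.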
