Introduction
This document describes the behavior of the AnyConnect VPN Core module when it queries the fully qualified domain name (FQDN) mus.cisco.com in specific scenarios. The query occurs when the AnyConnect client attempts to determine whether the endpoint has internet access while no VPN is in use.
Contributed by Peter Giang, Cisco BU.
Contributed by Steve Sargent, Cisco BU Technical Leader.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- AnyConnect module installation.
- AnyConnect Diagnostic and Reporting Tool (DART) Bundle creation.
- Wireshark sniffer captures.
Components Used
The information in this document is based on these software and hardware versions:
- AnyConnect VPN core module version 4.8.03052
- Windows 10 Enterprise 10.0.18363 Build 18363
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
This document can also be used with these hardware and software versions:
- Any Operating system (MacOS, Windows, Linux).
- Any AnyConnect version prior to 4.10.
Background Information
AnyConnect queries to mus.cisco.com are expected by design.
Note: An enhancement defect, Cisco bug ID CSCvu39643, has been filed for this behaviour: the VPN core must not query mus.cisco.com when the VPN module is not in use.
Problem
When the AnyConnect VPN core module is not in use (no XML profile is configured for VPN connections), queries to mus.cisco.com are generated every 15 seconds.
Solution 1
Add a Domain Name System (DNS) entry on your DNS server, in order to resolve name queries to mus.cisco.com. If you do not manage a DNS server, forward such requests to a public DNS server.
Once the mus.cisco.com FQDN can be resolved, AnyConnect stops the query attempts.
Solution 2
Add a DNS entry to your Operating System (OS) hosts file in order to resolve the FQDN mus.cisco.com.
Windows
- Press the Windows key.
- Type Notepad in the search field.
- In the search results, right-click Notepad and select Run as administrator.
- From Notepad, open the file: "C:\Windows\System32\Drivers\etc\hosts".
- Make the necessary changes to the file.
- Select File > Save in order to save your changes.
Mac
- Open a Terminal window.
- Enter this command in order to open the hosts file with the nano text editor embedded in the OS: "sudo nano /etc/hosts".
- Enter your domain user and password.
- Make the necessary changes to the file.
Linux
- Open a Terminal window.
- Enter this command in order to open the hosts file with the nano text editor embedded in the OS: "sudo nano /etc/hosts".
- Enter your domain user and password.
- Make the necessary changes to the file.
AnyConnect queries to mus.cisco.com
Configure
The installation of the AnyConnect VPN core module.
Network Diagram
******************************************
Date : 06/17/2020
Time : 20:21:57
Type : Warning
Source : acvpnagent
Description : Function : CDNSRequest::OnSocketReadComplete
File: c:\temp\build\thehoff\negasonic_mr30.297045120452\negasonic_mr3\vpn\common\ip\dnsrequesct.cpp
Line: 1147
Timeout (per request) while trying to resolve [A] query mus.cisco.com via DNS server 10.88.240.69 (timeout interval = 10 sec)
******************************************
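As an added example (not Cisco's code or part of the original note), the following Python parser reads DART acvpnagent warning blocks in the format shown above, extracts the timestamp, FQDN and DNS server of each "Timeout (per request)" entry, and checks whether the failures for mus.cisco.com recur at the 15-second interval described in the Problem section. It assumes the blocks are delimited by the asterisk rules and that the date uses the MM/DD/YYYY layout of the sample; the log it runs on is constructed.

```python
import re
from datetime import datetime

# Fields of one DART "Timeout (per request)" warning block, in the format of the page's sample.
FIELDS_RE = re.compile(
    r"Date\s*:\s*(?P<date>\S+).*?Time\s*:\s*(?P<time>\S+).*?"
    r"Timeout \(per request\) while trying to resolve \[(?P<rtype>\w+)\] query "
    r"(?P<fqdn>\S+) via DNS server (?P<server>\S+)",
    re.DOTALL,
)

def parse_dart_timeouts(text):
    """Return one record per DNS-timeout warning; blocks are separated by the asterisk rules."""
    records = []
    for block in re.split(r"\*{10,}", text):
        m = FIELDS_RE.search(block)
        if not m:
            continue  # some other warning type, or no complete block
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
        records.append({"when": when, "rtype": m["rtype"],
                        "fqdn": m["fqdn"], "server": m["server"]})
    return records

def intervals(records, fqdn="mus.cisco.com"):
    """Seconds between consecutive timeouts for one FQDN, in time order."""
    ts = sorted(r["when"] for r in records if r["fqdn"] == fqdn)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]

def is_periodic_poll(records, fqdn="mus.cisco.com", period=15, tolerance=2):
    """True when the FQDN keeps timing out at roughly the expected period (needs >= 2 gaps)."""
    gaps = intervals(records, fqdn)
    return len(gaps) >= 2 and all(abs(g - period) <= tolerance for g in gaps)

# Constructed sample (not a real capture): three warnings 15 s apart, in the page's DART layout.
SAMPLE_LOG = "".join(
    "******************************************\n"
    f"Date : 06/17/2020\nTime : 20:22:{sec:02d}\nType : Warning\nSource : acvpnagent\n"
    "Description : Function : CDNSRequest::OnSocketReadComplete\n"
    "Timeout (per request) while trying to resolve [A] query mus.cisco.com "
    "via DNS server 10.88.240.69 (timeout interval = 10 sec)\n"
    for sec in (0, 15, 30)
) + "******************************************\n"

if __name__ == "__main__":
    recs = parse_dart_timeouts(SAMPLE_LOG)
    print(len(recs), "timeouts; gaps:", intervals(recs), "periodic:", is_periodic_poll(recs))
```

Run it against the acvpnagent log from a real DART bundle to confirm, before and after a workaround, whether the unused VPN core is still polling mus.cisco.com.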
Troubleshoot
In order to confirm proper operation, you can take a packet capture on the egress interface of the endpoint with Wireshark.
On the Graphical User Interface (GUI) of the AnyConnect client, the message "Network error. Unable to lookup host names" is displayed (as shown in the image).
Once any of the workarounds is applied, you can also take a packet capture in Wireshark and apply the DNS display filter in order to check for the recurring queries to mus.cisco.com:
On the AnyConnect client GUI, the message "Ready to connect" is displayed (as shown in the image).
Tip: Even if the AnyConnect VPN core module is not shown on the GUI, that does not mean the VPN core module is not in operation. Search for the file VPNDisable_ServiceProfile.xml under the directory "C:\programdata\cisco" on Windows and "/opt/cisco/anyconnect/profile" on Apple devices. On Linux this is not supported.