
Posts posted by ericarcher57

  1. 55 minutes ago, TomPark said:

    Hi Guys,
    A quick question: are all of these machines that are affected domain-joined machines?

    Also is anyone using wpad to configure a proxy on the machines connecting to the VPN?

    Regards,

    Tom,

     

    Yes, the machines are all joined on the domain, and we do not use any proxy configuration using wpad.

     

    It's like JKay said, the Cisco AnyConnect client is adding the ".co.uk" suffix to the DNS Search list, but only when it is connected. I can remove the entry manually from the adaptor settings when connected and everything is fine. As soon as the VPN re-connects the extra suffix is added back again.

     

    I have gone over our Cisco configuration; I can find our main company domain entry but there is nowhere I can find the ".co.uk" entry.

  2. We are not using split tunnelling on our VPN (we need to remote onto customer sites and need to use our Office public IP), so I don't think it's actually Split Tunnelling causing it.

    There are some users who are not having this issue; when they ping "wpad" off the VPN it adds our company domain to it and it resolves as expected. When they are on the VPN it does not resolve at all, so I assume it is not adding the ".co.uk" to it.

    The only difference I can see is that the affected PCs are running the 2004 build of Win 10 and the ones that are working OK are running the 1903 build. All other aspects of the VPN are the same.

     

    We are going to upgrade a PC from 1903 to 2004 overnight and see what happens.

  3. 12 minutes ago, JKay said:

    We've seen a similar issue, found that the root cause was our Cisco AnyConnect clients and how split brain DNS is operating. It seems to be resolving hostnames it cannot contact over the VPN by appending ".co.uk" to them. If I try to ping "WPAD" on the VPN there is a delay while it tries to contact devices over the VPN, then when it fails it resolves as "wpad.co.uk". Image shows a machine on the VPN vs off.

    I can only assume something similar is happening with the DNS on your clients.


    Spot on!

    I am using AnyConnect too; when I drop the VPN I get "wpad" resolving correctly to "wpad.mydomain.co.uk" as it should. When connected it resolves to the blocked IP.
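
An added example, not part of the posts above: a small audit that reads the DNS suffix search list out of `ipconfig /all` text and lists the names a short query such as "wpad" expands to, flagging any suffix outside the organisation's own domain. The sample output, the host name `PC01` and the function names are constructed for illustration; `mydomain.co.uk` is the placeholder used in the post.

```python
# Constructed sample of the top of `ipconfig /all` while connected to the VPN.
SAMPLE_ON_VPN = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : PC01
   Primary Dns Suffix  . . . . . . . : mydomain.co.uk
   Node Type . . . . . . . . . . . . : Hybrid
   DNS Suffix Search List. . . . . . : mydomain.co.uk
                                       co.uk

Ethernet adapter VPN:

   Connection-specific DNS Suffix  . : mydomain.co.uk
"""


def parse_search_list(ipconfig_text):
    """Return the DNS suffix search list, in order, from `ipconfig /all` text."""
    suffixes, collecting = [], False
    for line in ipconfig_text.splitlines():
        if "DNS Suffix Search List" in line:
            value = line.split(":", 1)[1].strip()
            if value:
                suffixes.append(value.lower().rstrip("."))
            collecting = True
        elif collecting:
            # Continuation lines hold only a suffix: no "label . . :" part.
            if line.strip() and ":" not in line:
                suffixes.append(line.strip().lower().rstrip("."))
            else:
                collecting = False
    return suffixes


def outside_org(suffix, org_domains):
    """True when the suffix is neither an org domain nor a subdomain of one."""
    return not any(suffix == d or suffix.endswith("." + d) for d in org_domains)


def audit(ipconfig_text, short_name, org_domains):
    """List (candidate FQDN, outside_org) pairs in search-list order."""
    return [(f"{short_name}.{s}", outside_org(s, org_domains))
            for s in parse_search_list(ipconfig_text)]


if __name__ == "__main__":
    for fqdn, flagged in audit(SAMPLE_ON_VPN, "wpad", ["mydomain.co.uk"]):
        print(f"{fqdn:28} {'OUTSIDE ORG DOMAIN' if flagged else 'ok'}")
```

Running the same check against output captured off the VPN and on it shows whether the extra suffix appears only while the tunnel is up.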
