Excessive DNS Requests on Port 53 During AnyConnect VPN Sessions

Available Languages

Download Options

  • PDF     (3.5 KB)
    View with Adobe Reader on a variety of devices
Updated:May 14, 2026
Document ID:225914

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Issue

After implementing Remote Access VPN (RA-VPN), users connecting via Cisco AnyConnect are generating dozens of DNS requests on port 53 to the secondary DNS server. This behavior is observed in the Activity Monitor for all users connected to the VPN tunnel and results in numerous allowed requests flooding the tunnel. This excessive DNS activity is not occurring when users connect via Zero Trust Access (ZTA), indicating that the issue is specifically related to the AnyConnect VPN connection method.

Environment

  • Product Family: Secure Access

  • Implementation: Remote Access VPN deployment

  • Comparison environment: Zero Trust Access (ZTA) - not experiencing the same DNS flooding behavior

Resolution

Investigating the excessive DNS requests requires log collection and analysis to identify the root cause of the DNS flooding behavior. The log collection includes collecting packet capture that includes PID for each packet to determine what application on an endpoint is generating the traffic and Process Monitor output.

Cause

The analysis showed this amount of DNS traffic is expected.

Related Content

Revision History

Revision Publish Date Comments
1.0
22-May-2026
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Aleksandra Furgala
    Technical Consulting Engineer

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products