https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/service-route-configuration-dns-resolution-seems-to-fail/m-p/275017#M633 <P>Hi,&nbsp;</P><P>&nbsp;</P><P>I'm currently staging a PAN-VM (8.1.3 KVM) and have hit an issue.</P><P>&nbsp;</P><P>The setup:</P><P>&nbsp;</P><OL><LI>I've configured the interfaces, zones, routing (static default route) etc. correctly.</LI><LI>I've modified the service router configuration to use the Internet facing dataplane interface IP (i.e. customized and not use management interface). That is I allow DNS, NTP, Palo Alto updates to access the Internet via dataplane outside/untrust interface.&nbsp;</LI><LI>Under device--&gt;services tab I have entered for DNS server settings (8.8.8.8) primary and 8.8.4.4 (secondary).</LI></OL><P>The issue:</P><P>I commit and immediately after I test pings from the CLI to: 8.8.8.8 sourcing from the outside interface and its sucessfully. I then ping google.com (either continuouly or specifying a ping count of 5) and it works 100%. However, after a few moments issuing new pings to google.com fail and I get the "ping: unknown host google.com". Further, I observe the PAN FW can no longer contact the licensing server or palo alto update server as it relies on successful DNS lookups. I turn my attention back to pings to the IP 8.8.8.8 and it doesn't skip a beat. 100% success.</P><P>&nbsp;</P><P>Any further commits and immediately pings to google.com work again (continuous or count specified ping)&nbsp; will yield 100% success. However, as soon as I kill the continuous pings (or use count specified ping) and wait a moment, the pings to domain names (google.com) fail again.&nbsp;</P><P>&nbsp;</P><P>Any ideas?</P><P>&nbsp;</P><P>Cheers,</P><P>John</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 05 Jul 2019 05:26:18 GMT JohnRoberts 2019-07-05T05:26:18Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/service-route-configuration-dns-resolution-seems-to-fail/m-p/275017#M633 <P>Hi,&nbsp;</P><P>&nbsp;</P><P>I'm currently staging a PAN-VM (8.1.3 KVM) and have hit an issue.</P><P>&nbsp;</P><P>The setup:</P><P>&nbsp;</P><OL><LI>I've configured the interfaces, zones, routing (static default route) etc. correctly.</LI><LI>I've modified the service router configuration to use the Internet facing dataplane interface IP (i.e. customized and not use management interface). That is I allow DNS, NTP, Palo Alto updates to access the Internet via dataplane outside/untrust interface.&nbsp;</LI><LI>Under device--&gt;services tab I have entered for DNS server settings (8.8.8.8) primary and 8.8.4.4 (secondary).</LI></OL><P>The issue:</P><P>I commit and immediately after I test pings from the CLI to: 8.8.8.8 sourcing from the outside interface and its sucessfully. I then ping google.com (either continuouly or specifying a ping count of 5) and it works 100%. However, after a few moments issuing new pings to google.com fail and I get the "ping: unknown host google.com". Further, I observe the PAN FW can no longer contact the licensing server or palo alto update server as it relies on successful DNS lookups. I turn my attention back to pings to the IP 8.8.8.8 and it doesn't skip a beat. 100% success.</P><P>&nbsp;</P><P>Any further commits and immediately pings to google.com work again (continuous or count specified ping)&nbsp; will yield 100% success. However, as soon as I kill the continuous pings (or use count specified ping) and wait a moment, the pings to domain names (google.com) fail again.&nbsp;</P><P>&nbsp;</P><P>Any ideas?</P><P>&nbsp;</P><P>Cheers,</P><P>John</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 05 Jul 2019 05:26:18 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/service-route-configuration-dns-resolution-seems-to-fail/m-p/275017#M633 JohnRoberts 2019-07-05T05:26:18Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/service-route-configuration-dns-resolution-seems-to-fail/m-p/276860#M636 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/49828">@JohnRoberts</a>: Is the issue still persistent?</P><P>I would suggest to have a log in the traffic log, if you got any dns response packets, while you experienced the issues.</P><P>Nonetheless, the current preferred PAN-OS release is 8.1.8.</P><P>If the issue is persitant after upgrading, please test, if other dns resolvers work better for your environment</P> Tue, 16 Jul 2019 16:41:02 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/service-route-configuration-dns-resolution-seems-to-fail/m-p/276860#M636 Chacko42 2019-07-16T16:41:02Z