topic Re: DNS server can't access to management interface in General Topics

DNS server can't access to management interface

IsaacCasal — Wed, 04 May 2022 11:44:26 GMT

Hello,

I don't know if this is a normal behavior or not. We have 3 DNS servers.
DNS_A
DNS_B
DNS_C

We are not able to ping or ssh/http to the management interface from the DNS server, if this DNS server is configured as DNS server in the firewall.

When we configure DNS_A and DNS_B as a primary and secondary DNS servers in the firewall, we are not able to ping or access from those DNS servers to the mgmt interface. But DNS_C is able to ping with no problems.

When we configure DNS_A and DNS_C, they are not able to ping, but DNS_B can do it.

Why is it? I did a tcpdump and see that all pings arrived to the firewall but there are only replies from fw to the server that is not configured as DNS.

Thanks!

Re: DNS server can't access to management interface

aleksandar.astardzhiev — Wed, 04 May 2022 13:24:53 GMT

Hey @IsaacCasal ,

Are you using default service route for DNS traffic through the management interface, or you are using different service route - either for dns service, or specific destination?

Re: DNS server can't access to management interface

IsaacCasal — Wed, 04 May 2022 13:52:04 GMT

Hi! Thanks for the reply. The DNS traffic has a custom configuration in service routing, for a specific interface, not the default (management). But if I am not wrong, this is referred to a specific port, in this case service: "dns", so it has to be not only for layer 3 routing, but also port 53 traffic. So it will not affect the ping or ssh, and so on. Am I wrong?

Thanks!

Re: DNS server can't access to management interface

Stephen_Muma — Thu, 14 Dec 2023 00:14:52 GMT

Was this ever resolved? I am facing the same issue after changing where the GW resided on a switch, but now the GW is on the PA itself and can ping everything except for one of the configured DNS servers

Re: DNS server can't access to management interface

Adrian_Jensen — Mon, 18 Dec 2023 19:43:03 GMT

The OP and you have not provided a lot of debugging information, so its a bit difficult to guess, but there are a couple important caveats to check for:

~~The management interface IP should never exist on the same subnet as a regular interface on the PA.~~ Edit: Actually.. I think I was thinking about the HA interface IP here... management IP might be OK, would have to re-read documentation.
If you have previous made service route configuration changes, look to see if a management destination route has been added (Setup->Services->Service Route Configuration->Destination), you may be forcing traffic to certain destination out other interfaces.
If a separate device is to contact the management interface, verify that the source is allowed as a permitted address if an ACL has been added (Setup->Interfaces->Management).