topic Re: Site-to-Site VPN random issue in General Topics

Site-to-Site VPN random issue

ce1028 — Wed, 23 Aug 2017 21:27:36 GMT

I have Site A setup with a site-to-site VPN with Site B. Site A contains all the resources (DC, email, fileserver, etc). The firewall in site B is configured as DHCP for the local clients. Primary DNS is setup for internal AD DC/DNS server. Secondary is public DNS servers.

We noticed randomly clients can not access certain local resources. Unable to ping them by hostname. If you run nslookup, they do resolve, but unable to ping or traceroute to them.

If you ping the device by IP, it will ping and then it will also ping by hostname.

I'm seeing a lot of traffic in the logs for the secondary DNS server, but it should really only use that if the primary is down (which it is not).

Has anyone ever seen this behavior?

Re: Site-to-Site VPN random issue

Remo — Wed, 23 Aug 2017 22:39:38 GMT

Is the secondary (public) DNS server also available over the vpn or directly from the clients?

When this problem occurs, is the tunneö then already established?

But to answer your last question, I haven seen this behaviour before. I have a similar setup in place with 2 palos connected over a s2s vpn. But in my case everything is routed over vpn. Every connection from site b has to go over the tunnel to site a.

Re: Site-to-Site VPN random issue

ce1028 — Thu, 24 Aug 2017 01:40:52 GMT

Thanks for the response. Only internal subnets are routed over the tunnel. Internet (and public DNS) go out the outside interface.

The tunnel is established because some resources are available at the same time. It's a very weird issue. If I hardcode the internal DNS on the windows client, it works fine.

It's almost as if PAN is doing round robin with the DNS