topic Re: Global Protect not using new DNS servers in General Topics

Global Protect not using new DNS servers

JohPalmer — Wed, 14 Mar 2018 19:26:02 GMT

Greetings!

We recently migrated to a new DNS server in our internal network; With this, we also updated the configurations on the firewall configuration, and on the GP setup to reflect this. We have the PAN giving IP's to GP clients directly (not relayed), and whenever someone connects to the FW, they are getting the old DNS servers, not the new ones.

I've googled, and gone through the configuration; the only thing left with the old DNS server is an address book entry (that can be removed). I also just tested uninstalling and reinstalling the GP client, and still getting the old server IP's.

Anyone seen this before? is there a config file, registry setting that is making the old IP's sticky?

Re: Global Protect not using new DNS servers

OtakarKlier — Wed, 14 Mar 2018 21:41:48 GMT

Hello,

Check the DHCP server config since the PAN is handing out the info:

Network tab -> DHCP > DHCP Server

Also check the PAN config if you done have these defined:

Device tab -> Setup -> Services:

Hope that helps.

Re: Global Protect not using new DNS servers

JohPalmer — Wed, 14 Mar 2018 21:47:32 GMT

We don't have DHCP setup for this, we have the IP Pools set up in the GP configuration; the only item we have for DHCP is our Guest VLAN, and that's on an unrelated subnet, and pointed out to public OpenDNS IP addresses.

I've triple-checked the config, the IP of the old DNS server is only present in a legacy address book entry, but it's not tied to anything.

Re: Global Protect not using new DNS servers

OtakarKlier — Wed, 14 Mar 2018 21:58:56 GMT

Hello,

I take it you also looked at the Network Services tab?

Network tab ->GlobalProtect ->Gateways -> Gateway Configuration -> Agent -> Network Services

Regards,

Re: Global Protect not using new DNS servers

JohPalmer — Wed, 14 Mar 2018 22:02:54 GMT

That, and the device tab were the places we updated over this weekend; The old DNS server IP's are completely removed from the configuration; doing a 'show | match w.x.y.z' for the old DNS IP only shows up as an address book object not linked to anything.

Re: Global Protect not using new DNS servers

OtakarKlier — Wed, 14 Mar 2018 22:10:58 GMT

Hello,

What happens if you do a ipconfig release renew on the client when connected via VPN? I'm wondering if the clients are somehow retaining the old settings?

Also you can do a global search via the gui for the IP:

Just thinking out loud.

Re: Global Protect not using new DNS servers

JohPalmer — Thu, 15 Mar 2018 15:44:27 GMT

if I do an ipconfig /release while connected, GlobalProtect disconnects. when it reconnects, it still has the old settings.

I did do a search in the GUI, and the results were the same as doing a 'show | match ip.add.re.ss' for the old DNS server IP - only match was an address book object that is not used in any network/GP configuration.

Re: Global Protect not using new DNS servers

OtakarKlier — Thu, 15 Mar 2018 17:14:54 GMT

Hmm, that is a weird one for sure. Perhaps a support ticket is in order?

Re: Global Protect not using new DNS servers

JohPalmer — Thu, 15 Mar 2018 17:45:46 GMT

I actually did, and just got off the phone with a TAC engineer. No solution yet, but he's going to put it in their lab and test/confirm on it. they are suggesting a commit full may reset it, because it does look to be being pushed by the FW, and that may clear out anything old that's hanging up.

When we do get a fix on this, I'll post it up for others that have this same issue. 🙂

Re: Global Protect not using new DNS servers

SThatipelly — Thu, 15 Mar 2018 18:32:41 GMT

Did you happen to check "GP App Config refresh interval" and "Update DNS Settings at Connect(Windows Only)" under Portal-Agent-App tab?

What are your current settings for these options?

Re: Global Protect not using new DNS servers

JohPalmer — Thu, 15 Mar 2018 22:30:38 GMT

Just looked at those - the GP App config refresh is set for 24 hours - the DNS change was done this past sunday, over 96 hours ago.

The Update DNS Settings at connect had orginally be set to no, but I did change it 2 days ago before I posted this topic up

(appreciate the suggestions on this! 🙂 )

Re: Global Protect not using new DNS servers

Mick_Ball — Fri, 16 Mar 2018 15:21:54 GMT

what does it say for DNS when you CLI...

show global-protect-gateway gateway name <your gateway name>

also.. i just modified my secondary DNS and user updated on first connection.

apart from the obvious... are your settings similar to mine...