DNS server failover not working for GP client

Jatin.Singh — Mon, 28 Oct 2019 23:06:33 GMT

We have a problem with the GP client and DNS. when the primary DNS server configured on the GP gateway is down, the GP client is unable to resolve FQDNs (over the split tunnel). Once I reversed the and made the secondary (active) DNS server the primary, the GP was able to resolve internal names.

The only global timer that I can see for DNS is under Device/Setup/Services and that is for FWDN Refresh. I currently have the two DNS servers configured by IP addresses.

The FQDN Refresh Time is set to the default of 1800 seconds. The PA is running v8.1.9. We only noticed this during tests as we are progressively upgrading the Domain Controllers and DNS servers.

I see in the on-line documentation that for VMs, we can set as low as 60 seconds (1 minute). It sounds like a shorted FQDN refresh would help this issue. Would lowering this value significantly impact overall performance? What should we do here to fix the issue

Re: DNS server failover not working for GP client

S.Cantwell — Tue, 29 Oct 2019 12:33:36 GMT

Hello there...

I have a simple question that I would like to better understand.

With the split tunnel enabled, can you confirm that both DNS server entries are seen by the client machine?

If this is true, then my question seems to be, what happens when the first goes down... (can you run a wireshark) to confirm that, indeed, the 2nd DNS server is being properly queried by the client.

I would think this would be a client issue primarily. Of course, if you can show that DNS requests are making it across the VPN to the FW and not being resolved, that is a different story (and one which I think you are attempting to believe the issue is, but let's try to confirm our theory)

topic Re: DNS server failover not working for GP client in General Topics

DNS server failover not working for GP client

Re: DNS server failover not working for GP client