topic Re: DNS Resolution with global protect. in General Topics

DNS Resolution with global protect.

Jafar_Hussain — Fri, 09 Apr 2021 09:19:27 GMT

Dear All,

I am facing some issue with DNS resolution. below is the scenerio.

I have Global Protect VPN setup.
after connecting global protect, i will take RDP of some internal machine.
RDP will take by host name example:- system1.abc.com resolved by IP address 192.168.1.15
system2.abc.com resolved by IP address 192.168.1.16
system3.abc.com resolved by IP address 192.168.1.16

working scenerio:-

Client connect the global protect and will take RDP system1.abc.com the query will go first to the load balancer(192.168.1.100) and load balancer forward this query either DNS server1 and DNS server2 then i will get reply accordingly.

Issue:-

some time what happen when i connect the global protect i am unable to take RDP by host name that time i checked by nslookup command the DNS server not able to resolved the query, for some time i am getting time out error.that time i checked i can take RDP by IP address. this issue is occur intermittently some time i can take RDP by host name and some time not.

important point:-

- In the global protect gateway configuration i given the load balancer IP address (192.168.1.100). in this setting i put direct DNS server IP (192.168.1.10 and 192.168.1.20) but the same issue happening.

- No DNS proxy.
- In the split tunnel i given all IP address for load balancer and both DNS server.

Troubleshooting:-

- When i took the packet capture and run the global counter i can found the Paloalto drop some packets.
below is the counter detail:-

- when i checked in the capture and found some time i am not getting the answer of the DNS query and Paloalto to drop the packet.
- I removed the antispyware profile from the security policy. but still, i am facing the same issue.
- PAN-OS version - 9.1.5
- I checked the RDP is working fine with a hostname without connecting global protect.
- GP version - 5.1.3

Can anyone help me with this?

Re: DNS Resolution with global protect.

Mick_Ball — Fri, 09 Apr 2021 09:50:07 GMT

the first test i would do is remove DNS server1 form the pool. make a few rdp connections to different hosts to check fully and then do the same with DNS server2.

does your LB NAT to the DNS servers, you may need a route back to the GP subnet.

I understand that you can connect OK without GP but thay may be coming from a different subnet....

Re: DNS Resolution with global protect.

Jafar_Hussain — Fri, 09 Apr 2021 11:25:53 GMT

@Mick_Ball

he first test i would do is remove DNS server1 form the pool. make a few rdp connections to different hosts to check fully and then do the same with DNS server2. - Done but same issue.

does your LB NAT to the DNS servers, you may need a route back to the GP subnet.- Yes

Re: DNS Resolution with global protect.

OtakarKlier — Fri, 09 Apr 2021 15:03:38 GMT

Hello,

So I am a huge proponent of the K.I.S.S principle. What are you load balancing DNS traffic? Have you tried to remove the Load Balancer from the equation? I have seen a lot of issues in the past with load balancers and asymmetric traffic return, etc.

Regards,

Re: DNS Resolution with global protect.

Jafar_Hussain — Fri, 09 Apr 2021 17:13:08 GMT

@OtakarKlier

in the global protect gateway setting i directly mention the DNS server instead of the load balancer. but no luck.

the most important thing is that everything working fine without GP.

Re: DNS Resolution with global protect.

Mick_Ball — Fri, 09 Apr 2021 18:23:24 GMT

do you have persistence set on the LB, have you tried source address for this setting.

Edit....

cancel that as works without GP.

i am going to see if i get the same issue via LB.

....

Re: DNS Resolution with global protect.

Jafar_Hussain — Fri, 09 Apr 2021 19:05:09 GMT

@Mick_Ball

have you tried source address for this setting.- You mean source address in security policy.? sorry i didn't get you

Re: DNS Resolution with global protect.

Mick_Ball — Fri, 09 Apr 2021 19:16:23 GMT

No. I am talking about persistence on the LB, you may know it as sticky Sessions as i don't know what you are using as LB’s. But cancel this suggestion as it works fine you say without GP.

can you confirm that when you had only server1 in the pool, all was ok, and then when you had only server2 in the pool that was also ok. Then, when you add both servers back in to 5he pool you see the same issue....?