Global Protect not using new DNS servers

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Global Protect not using new DNS servers

L2 Linker

Greetings!

We recently migrated to a new DNS server in our internal network; With this, we also updated the configurations on the firewall configuration, and on the GP setup to reflect this. We have the PAN giving IP's to GP clients directly (not relayed), and whenever someone connects to the FW, they are getting the old DNS servers, not the new ones.

 

I've googled, and gone through the configuration; the only thing left with the old DNS server is an address book entry (that can be removed). I also just tested uninstalling and reinstalling the GP client, and still getting the old server IP's.

 

Anyone seen this before? is there a config file, registry setting that is making the old IP's sticky?

11 REPLIES 11

Cyber Elite
Cyber Elite

Hello,

Check the DHCP server config since the PAN is handing out the info:

 

Network tab -> DHCP > DHCP Server

image.png

 

Also check the PAN config if you done have these defined:

 

Device tab -> Setup -> Services:

 

image.png

 

Hope that helps.

We don't have DHCP setup for this, we have the IP Pools set up in the GP configuration;  the only item we have for DHCP is our Guest VLAN, and that's on an unrelated subnet, and pointed out to public OpenDNS IP addresses.

I've triple-checked the config, the IP of the old DNS server is only present in a legacy address book entry, but it's not tied to anything.

Hello,

I take it you also looked at the Network Services tab?

 

Network tab ->GlobalProtect ->Gateways -> Gateway Configuration -> Agent -> Network Services

 

image.png

 

Regards,

That, and the device tab were the places we updated over this weekend;  The old DNS server IP's are completely removed from the configuration; doing a 'show | match w.x.y.z' for the old DNS IP only shows up as an address book object not linked to anything.

Hello,

What happens if you do a ipconfig release renew on the client when connected via VPN? I'm wondering if the clients are somehow retaining the old settings?

 

Also you can do a global search via the gui for the IP:

image.png

 

 

Just thinking out loud.

if I do an ipconfig /release while connected, GlobalProtect disconnects.  when it reconnects, it still has the old settings.

I did do a search in the GUI, and the results were the same as doing a 'show | match ip.add.re.ss' for the old DNS server IP - only match was an address book object that is not used in any network/GP configuration.

Hmm, that is a weird one for sure. Perhaps a support ticket is in order?

I actually did, and just got off the phone with a TAC engineer.  No solution yet, but he's going to put it in their lab and test/confirm on it.  they are suggesting a commit full may reset it, because it does look to be being pushed by the FW, and that may clear out anything old that's hanging up.  

When we do get a fix on this, I'll post it up for others that have this same issue. 🙂

L4 Transporter

Did you happen to check "GP App Config refresh interval" and "Update DNS Settings at Connect(Windows Only)" under Portal-Agent-App tab?

 

What are your current settings for these options?

Just looked at those - the GP App config refresh is set for 24 hours - the DNS change was done this past sunday, over 96 hours ago.

The Update DNS Settings at connect had orginally be set to no, but I did change it 2 days ago before I posted this topic up

(appreciate the suggestions on this! 🙂 )

what does it say for DNS when you CLI...

 

show global-protect-gateway gateway name <your gateway name>

 

also.. i just modified my secondary DNS and user updated on first connection.

 

apart from the obvious... are your settings similar to mine...

 

padns.png

 

 

  • 5669 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!