Global Protect not using new DNS servers

L2 Linker

Global Protect not using new DNS servers

Greetings!

We recently migrated to a new DNS server in our internal network. With this, we also updated the firewall configuration and the GP setup to reflect this. We have the PAN giving IPs to GP clients directly (not relayed), and whenever someone connects to the FW, they are getting the old DNS servers, not the new ones.


I've googled and gone through the configuration; the only thing left with the old DNS server is an address book entry (that can be removed). I also just tested uninstalling and reinstalling the GP client, and am still getting the old server IPs.


Anyone seen this before? Is there a config file or registry setting that is making the old IPs sticky?

L7 Applicator

Re: Global Protect not using new DNS servers

Hello,

Check the DHCP server config, since the PAN is handing out the info:


Network tab -> DHCP > DHCP Server


Also check the PAN config if you don't have these defined:


Device tab -> Setup -> Services:


Hope that helps.

L2 Linker

Re: Global Protect not using new DNS servers

We don't have DHCP set up for this; we have the IP Pools set up in the GP configuration. The only item we have for DHCP is our Guest VLAN, and that's on an unrelated subnet and pointed at public OpenDNS IP addresses.

I've triple-checked the config; the IP of the old DNS server is only present in a legacy address book entry, and it's not tied to anything.

L7 Applicator

Re: Global Protect not using new DNS servers

Hello,

I take it you also looked at the Network Services tab?


Network tab -> GlobalProtect -> Gateways -> Gateway Configuration -> Agent -> Network Services


Regards,

L2 Linker

Re: Global Protect not using new DNS servers

That, and the Device tab, were the places we updated over this weekend; the old DNS server IPs are completely removed from the configuration. Doing a 'show | match w.x.y.z' for the old DNS IP only shows it as an address book object not linked to anything.

L7 Applicator

Re: Global Protect not using new DNS servers

Hello,

What happens if you do an ipconfig release/renew on the client when connected via VPN? I'm wondering if the clients are somehow retaining the old settings?


Also, you can do a global search via the GUI for the IP:


Just thinking out loud.

L2 Linker

Re: Global Protect not using new DNS servers

If I do an ipconfig /release while connected, GlobalProtect disconnects. When it reconnects, it still has the old settings.

I did do a search in the GUI, and the results were the same as doing a 'show | match ip.add.re.ss' for the old DNS server IP: the only match was an address book object that is not used in any network/GP configuration.
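A client-side check added here as an example (not posted in the thread): run on the Windows client after the tunnel is up, it reads the DNS servers that the GlobalProtect adapter actually received and flags any decommissioned server still present or any new server missing. It assumes the tunnel adapter's description starts with "PANGP" and uses placeholder IPs for the new and old servers.

```powershell
# Added diagnostic, not from the thread. Compares what the GP tunnel adapter got
# from the gateway against the DNS servers it should have received.
# Assumptions: adapter description begins with "PANGP"; IPs below are placeholders.
$Expected = @('10.0.0.53', '10.0.1.53')   # placeholder: the new internal DNS servers
$Stale    = @('10.0.0.10')                # placeholder: the decommissioned DNS server

$gp = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like 'PANGP*' }
if (-not $gp) {
    Write-Warning 'GlobalProtect adapter not found; is the tunnel connected?'
    return
}

# DNS servers bound to the tunnel adapter (IPv4 only, matching the thread's IP pools).
$actual = (Get-DnsClientServerAddress -InterfaceIndex $gp.ifIndex -AddressFamily IPv4).ServerAddresses
"Adapter : $($gp.Name) ($($gp.InterfaceDescription))"
"Received: $($actual -join ', ')"

# Report stale servers that are still being pushed and expected servers that are absent.
foreach ($s in $actual)   { if ($s -in $Stale)      { Write-Warning "stale DNS server still pushed: $s" } }
foreach ($e in $Expected) { if ($e -notin $actual)  { Write-Warning "expected DNS server missing: $e" } }

# The gateway's Network Services tab also sets the suffix list; show it for completeness.
"Suffixes: $((Get-DnsClientGlobalSetting).SuffixSearchList -join ', ')"
```

Running it before and after a gateway commit shows whether the firewall is pushing the new values or the client is keeping old ones.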

L7 Applicator

Re: Global Protect not using new DNS servers

Hmm, that is a weird one for sure. Perhaps a support ticket is in order?

L2 Linker

Re: Global Protect not using new DNS servers

I actually did, and just got off the phone with a TAC engineer. No solution yet, but he's going to put it in their lab and test/confirm it. They are suggesting a commit full may reset it, because it does look to be pushed by the FW, and that may clear out anything old that's hanging up.

When we do get a fix on this, I'll post it up for others that have this same issue. :)

L4 Transporter

Re: Global Protect not using new DNS servers

Did you happen to check "GP App Config refresh interval" and "Update DNS Settings at Connect (Windows Only)" under the Portal -> Agent -> App tab?


What are your current settings for these options?
