We recently migrated to a new DNS server in our internal network. With this, we also updated the firewall configuration and the GP setup to reflect this. We have the PAN giving IPs to GP clients directly (not relayed), and whenever someone connects to the FW, they are getting the old DNS servers, not the new ones.
I've googled, and gone through the configuration; the only thing left with the old DNS server is an address book entry (that can be removed). I also just tested uninstalling and reinstalling the GP client, and am still getting the old server IPs.
Anyone seen this before? Is there a config file or registry setting that is making the old IPs sticky?
Check the DHCP server config since the PAN is handing out the info:
Network tab -> DHCP -> DHCP Server
Also check the PAN config if you don't have these defined:
Device tab -> Setup -> Services
Hope that helps.
We don't have DHCP set up for this; we have the IP Pools set up in the GP configuration. The only item we have for DHCP is our Guest VLAN, and that's on an unrelated subnet, pointed out to public OpenDNS IP addresses.
I've triple-checked the config, the IP of the old DNS server is only present in a legacy address book entry, but it's not tied to anything.
I take it you also looked at the Network Services tab?
Network tab -> GlobalProtect -> Gateways -> Gateway Configuration -> Agent -> Network Services
That, and the Device tab, were the places we updated over this weekend. The old DNS server IPs are completely removed from the configuration; doing a 'show | match w.x.y.z' for the old DNS IP only shows up as an address book object not linked to anything.
What happens if you do an ipconfig release/renew on the client when connected via VPN? I'm wondering if the clients are somehow retaining the old settings?
Also you can do a global search via the gui for the IP:
Just thinking out loud.
If I do an ipconfig /release while connected, GlobalProtect disconnects. When it reconnects, it still has the old settings.
I did do a search in the GUI, and the results were the same as doing a 'show | match ip.add.re.ss' for the old DNS server IP - only match was an address book object that is not used in any network/GP configuration.
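The client-side check discussed above (confirming which resolvers the tunnel adapter actually received after a reconnect) can be scripted so the comparison against the decommissioned server is not done by eye. The following is an added example, not code from the thread or from Palo Alto Networks; it parses `ipconfig /all` output and flags any adapter still carrying a stale DNS server. The sample output and the `OLD_DNS` / `NEW_DNS` addresses are constructed placeholders for illustration.

```python
import re

# Constructed sample of `ipconfig /all` output (not taken from the thread).
# The second adapter represents the GlobalProtect tunnel adapter and still
# lists the decommissioned resolver 10.0.0.10.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 192.0.2.15
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       192.0.2.54

Ethernet adapter Ethernet 2:

   Description . . . . . . . . . . . : PANGP Virtual Ethernet Adapter
   IPv4 Address. . . . . . . . . . . : 10.10.10.7
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       10.0.0.11
"""

OLD_DNS = {"10.0.0.10"}               # placeholder: decommissioned resolver
NEW_DNS = {"10.0.0.20", "10.0.0.21"}  # placeholder: resolvers the GP gateway should push


def parse_dns_servers(text):
    """Return {adapter name: [DNS servers]} from `ipconfig /all` output.

    The first DNS entry sits on the 'DNS Servers' line; additional entries
    follow on their own heavily indented lines, so we keep consuming those
    until the indentation pattern breaks.
    """
    result = {}
    current = None
    in_dns = False
    for line in text.splitlines():
        m = re.match(r"^(\S.*adapter .*):\s*$", line)
        if m:
            current = m.group(1)
            result[current] = []
            in_dns = False
            continue
        if current is None:
            continue
        m = re.match(r"^\s+DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            result[current].append(m.group(1))
            in_dns = True
            continue
        if in_dns:
            m = re.match(r"^\s{20,}(\d+\.\d+\.\d+\.\d+)\s*$", line)
            if m:
                result[current].append(m.group(1))
                continue
            in_dns = False
    return result


def find_stale_adapters(dns_by_adapter, old_dns, expected_dns):
    """Adapters that still list a decommissioned resolver, with the expected
    resolvers they are missing, so the gap can be reported in one line."""
    findings = {}
    for adapter, servers in dns_by_adapter.items():
        stale = sorted(set(servers) & old_dns)
        if stale:
            findings[adapter] = {
                "stale": stale,
                "missing": sorted(expected_dns - set(servers)),
            }
    return findings


if __name__ == "__main__":
    # Offline run against the constructed sample. On a live Windows host,
    # replace SAMPLE_IPCONFIG with
    # subprocess.check_output(["ipconfig", "/all"], text=True).
    for adapter, info in find_stale_adapters(
        parse_dns_servers(SAMPLE_IPCONFIG), OLD_DNS, NEW_DNS
    ).items():
        print(f"{adapter}: stale={info['stale']} missing={info['missing']}")
```

Run it once before reconnecting and once after, and diff the two reports: if the tunnel adapter shows the stale server only after the reconnect, the value is arriving from the gateway rather than being cached on the client.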
I actually did, and just got off the phone with a TAC engineer. No solution yet, but he's going to put it in their lab and test/confirm it. They are suggesting a commit full may reset it, because it does look to be pushed by the FW, and that may clear out anything old that's hanging up.
When we do get a fix on this, I'll post it up for others that have this same issue. :)
Did you happen to check "GP App Config refresh interval" and "Update DNS Settings at Connect (Windows Only)" under the Portal -> Agent -> App tab?
What are your current settings for these options?