This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

DNS issues

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DNS issues

VictoriaMyatt1
L0 Member

‎08-30-2019 08:50 AM

Hi All, 

 

hoping someone could possibly shed some light on what I maybe missing in the configuration...Im going out of my mind looking at this as I just cant see it, ill try to keep it short....

 

I recently replaced our offsite meeting room location Juniper SRX with a PA-220:

  • PPPoe Setup with VDSL modem
  • VPN tunnel back to main office 
  • Meraki AP to provide CORP and Guest wifi (both networks broadcast from same AP) 
  • Internet access pushed back to main office firewall and onto proxy server for filtering (will be removing proxy servers but not yet)
  • DHCP configured on Interface for CORP Wifi

The above setup worked without issues on the SRX - since moving across to the PA-220 I am having issues with DNS resolution:

 

  • Able to perform NSLOOKUP to domain controller at main site and resolve
  • unable to resolve any hostname from CORP Wifi
  • Tested connecting directly to the firewall via cable and setting up test network - same issues 

I am aware that a whole number of things could cause these issues so ill list what we have done/ tested/ setup

 

  • x2 layer 3 subinterfaces one for CORP wifi and one for GUEST wifi - both tagged but no VLAN's configured on the PA-220
  • layer 3 sub interface for CORP wifi has DHCP configured with internal DNS servers - policy created to push internet traffic from this zone across the VPN tunnel to the Proxy server for internet access - VPN tunnel is up and no issues with PPPoe network access
  • Layer 3 Sub interface for GUEST wifi goes straight out of the firewall for internet access 
  • NAT rule created for GUEST wifi - this wifi access works without issues, external DNS resolutoin with no issues
  • Security policies created for DC Comms including DNS access - I can see traffic coming from the PA-220 and hitting the main office firewall as allowed when running nslookups and traceroutes
  • Clients can obtain IP addresses from the DHCP set up on CORP Wifi and have the correct internal DNS settings
  • When attempting to access any internal resource by DNS name it immediately fails

The more i look at it the more i know ive probably missed something but cant put my finger on what....

 

Any one have any ideas?

 

Many thanks 🙂

 

0 Likes Likes
2 REPLIES 2

OtakarKlier
Cyber Elite
Cyber Elite

‎08-30-2019 09:44 AM

Hello,

Do you have logging enabled on the default policies, Inter/Intra zone? If not enable then and check the logs for dns traffic. If your WiFi is in a different zone than you VPN tunnel (it should be), check the logs to see if its getting blocked somewhere.

 

Regards,

0 Likes Likes

fatboy1607
L4 Transporter
In response to OtakarKlier

‎09-04-2019 04:32 AM

run wireshark on PC check for DNS packet

 

enabled packet capture on firewall to check DNS traffic.

 

As mentioned check security policy between different zones.

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 |
0 Likes Likes
  • 2931 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks