I am facing some issue with DNS resolution. below is the scenerio.
I have Global Protect VPN setup.
after connecting global protect, i will take RDP of some internal machine.
RDP will take by host name example:- system1.abc.com resolved by IP address 192.168.1.15
system2.abc.com resolved by IP address 192.168.1.16
system3.abc.com resolved by IP address 192.168.1.16
Client connect the global protect and will take RDP system1.abc.com the query will go first to the load balancer(192.168.1.100) and load balancer forward this query either DNS server1 and DNS server2 then i will get reply accordingly.
some time what happen when i connect the global protect i am unable to take RDP by host name that time i checked by nslookup command the DNS server not able to resolved the query, for some time i am getting time out error.that time i checked i can take RDP by IP address. this issue is occur intermittently some time i can take RDP by host name and some time not.
- In the global protect gateway configuration i given the load balancer IP address (192.168.1.100). in this setting i put direct DNS server IP (192.168.1.10 and 192.168.1.20) but the same issue happening.
- No DNS proxy.
- In the split tunnel i given all IP address for load balancer and both DNS server.
- When i took the packet capture and run the global counter i can found the Paloalto drop some packets.
below is the counter detail:-
- when i checked in the capture and found some time i am not getting the answer of the DNS query and Paloalto to drop the packet.
- I removed the antispyware profile from the security policy. but still, i am facing the same issue.
- PAN-OS version - 9.1.5
- I checked the RDP is working fine with a hostname without connecting global protect.
- GP version - 5.1.3
Can anyone help me with this?
the first test i would do is remove DNS server1 form the pool. make a few rdp connections to different hosts to check fully and then do the same with DNS server2.
does your LB NAT to the DNS servers, you may need a route back to the GP subnet.
I understand that you can connect OK without GP but thay may be coming from a different subnet....
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!