DNS Resolution with global protect.

L4 Transporter

Dear All,

I am facing an issue with DNS resolution. Below is the scenario.

[Attached image: Jafar_Hussain_1-1617959764286.png]

I have a GlobalProtect VPN set up.
After connecting to GlobalProtect, I take RDP to an internal machine.
RDP is taken by host name, for example: system1.abc.com resolves to IP address 192.168.1.15,
system2.abc.com resolves to IP address 192.168.1.16,
system3.abc.com resolves to IP address 192.168.1.16.

Working scenario:

The client connects to GlobalProtect and takes RDP to system1.abc.com. The query goes first to the load balancer (192.168.1.100), and the load balancer forwards this query to either DNS server1 or DNS server2; then I get the reply accordingly.

Issue:

Sometimes, when I connect to GlobalProtect, I am unable to take RDP by host name. When I checked with the nslookup command, the DNS server was not able to resolve the query; sometimes I get a timeout error. At that time I checked that I can take RDP by IP address. This issue occurs intermittently: sometimes I can take RDP by host name and sometimes not.

Important points:

- In the GlobalProtect gateway configuration I gave the load balancer IP address (192.168.1.100). In this setting I also put the direct DNS server IPs (192.168.1.10 and 192.168.1.20), but the same issue is happening.

[Attached image: Jafar_Hussain_0-1617959726226.png]

- No DNS proxy.
- In the split tunnel I included all IP addresses for the load balancer and both DNS servers.

Troubleshooting:

- When I took a packet capture and ran the global counters, I found that the Palo Alto drops some packets.
Below is the counter detail:

[Attached image: Jafar_Hussain_2-1617959892551.png]

- When I checked the capture, I found that sometimes I am not getting the answer to the DNS query and the Palo Alto drops the packet.
- I removed the anti-spyware profile from the security policy, but I am still facing the same issue.
- PAN-OS version: 9.1.5
- I checked that RDP works fine with a hostname without connecting GlobalProtect.
- GP version: 5.1.3

Can anyone help me with this?


L7 Applicator

The first test I would do is remove DNS server1 from the pool. Make a few RDP connections to different hosts to check fully, and then do the same with DNS server2.

Does your LB NAT to the DNS servers? You may need a route back to the GP subnet.

I understand that you can connect OK without GP, but that may be coming from a different subnet....
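The reply above suggests testing each DNS server on its own rather than through the load balancer, and the original post describes intermittent nslookup timeouts. The following script is an added example (not code from the thread or from Palo Alto Networks) that sends repeated A-record queries straight to each resolver over UDP and tallies answered queries, timeouts, error RCODEs and empty answers, so that a resolver that only fails intermittently shows up as a count rather than a one-off. The server addresses are the ones given in the thread (192.168.1.10, 192.168.1.20 and the LB VIP 192.168.1.100); the host name system1.abc.com is also from the thread. The DNS wire-format builder and parser handle only what this probe needs (A records, name compression pointers).

```python
import random
import socket
import struct
import time

# Resolver addresses as stated in the thread: two DNS servers and the LB VIP.
DNS_SERVERS = {
    "dns-server1": "192.168.1.10",
    "dns-server2": "192.168.1.20",
    "load-balancer": "192.168.1.100",
}


def build_query(name, qid):
    """Build a minimal DNS A-record query (RD=1, QCLASS=IN) with transaction id qid."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode() for lbl in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
            return off + 2
        off += length + 1


def parse_a_records(resp, expected_id):
    """Return (rcode, [IPv4 strings]) from a raw DNS response; ValueError on id mismatch."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return rcode, addrs


def probe(server_ip, name, attempts=20, timeout=2.0):
    """Send `attempts` queries directly to one resolver and tally the outcomes."""
    tally = {"answered": 0, "timeout": 0, "error": 0, "no_a_record": 0}
    for _ in range(attempts):
        qid = random.randint(0, 0xFFFF)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(name, qid), (server_ip, 53))
            try:
                data, _ = sock.recvfrom(512)
            except socket.timeout:
                tally["timeout"] += 1
                continue
        try:
            rcode, addrs = parse_a_records(data, qid)
        except (ValueError, struct.error, IndexError):
            tally["error"] += 1  # mismatched id or malformed reply
            continue
        if rcode != 0:
            tally["error"] += 1  # SERVFAIL, NXDOMAIN, REFUSED, ...
        elif not addrs:
            tally["no_a_record"] += 1
        else:
            tally["answered"] += 1
        time.sleep(0.2)
    return tally


if __name__ == "__main__":
    # Run once with GlobalProtect connected and once without, and compare the tallies.
    for label, ip in DNS_SERVERS.items():
        print(label, ip, probe(ip, "system1.abc.com"))
```

Running it from the GP client with the tunnel up, and again from the same machine without the tunnel, separates three cases the thread is trying to tell apart: a resolver that times out even when queried directly (a server or return-route problem), timeouts only through the VIP (the load balancer or its NAT path), and timeouts only while on GP (something on the firewall path, which is where the drop counters in the capture would be checked next).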

@MickBall

The first test I would do is remove DNS server1 from the pool. Make a few RDP connections to different hosts to check fully, and then do the same with DNS server2. - Done, but same issue.

Does your LB NAT to the DNS servers? You may need a route back to the GP subnet. - Yes

Hello,

So I am a huge proponent of the K.I.S.S. principle. Why are you load balancing DNS traffic? Have you tried removing the load balancer from the equation? I have seen a lot of issues in the past with load balancers, asymmetric traffic return, etc.

Regards,

@OtakarKlier

In the GlobalProtect gateway settings I directly specified the DNS servers instead of the load balancer, but no luck.

The most important thing is that everything works fine without GP.

Do you have persistence set on the LB? Have you tried source address for this setting?

Edit....

Cancel that, as it works without GP.

I am going to see if I get the same issue via LB.

....

@MickBall

Have you tried source address for this setting? - You mean source address in the security policy? Sorry, I didn't get you.

No. I am talking about persistence on the LB; you may know it as sticky sessions, as I don't know what you are using as LBs. But cancel this suggestion, as you say it works fine without GP.

Can you confirm that when you had only server1 in the pool all was OK, and then when you had only server2 in the pool that was also OK? Then, when you add both servers back into the pool, you see the same issue....?
