This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

DNS server can't access to management interface

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DNS server can't access to management interface

IsaacCasal
L0 Member

‎05-04-2022 04:44 AM

Hello,

 

I don't know if this is a normal behavior or not. We have 3 DNS servers. 
DNS_A
DNS_B
DNS_C

We are not able to ping or ssh/http to the management interface from the DNS server, if this DNS server is configured as DNS server in the firewall.

When we configure DNS_A and DNS_B as a primary and secondary DNS servers in the firewall, we are not able to ping or access from those DNS servers to the mgmt interface. But DNS_C is able to ping with no problems.

When we configure DNS_A and DNS_C, they are not able to ping, but DNS_B can do it.

 

Why is it? I did a tcpdump and see that all pings arrived to the firewall but there are only replies from fw to the server that is not configured as DNS.

 

Thanks!

0 Likes Likes
4 REPLIES 4

aleksandar.astardzhiev
Cyber Elite
Cyber Elite

‎05-04-2022 06:24 AM

Hey @IsaacCasal ,

Are you using default service route for DNS traffic through the management interface, or you are using different service route - either for dns service, or specific destination?

 

 

0 Likes Likes

IsaacCasal
L0 Member
In response to aleksandar.astardzhiev

‎05-04-2022 06:52 AM

Hi! Thanks for the reply. The DNS traffic has a custom configuration in service routing, for a specific interface, not the default (management). But if I am not wrong, this is referred to a specific port, in this case service: "dns", so it has to be not only for layer 3 routing, but also port 53 traffic. So it will not affect the ping or ssh, and so on. Am I wrong?

 

Thanks!

0 Likes Likes

Stephen_Muma
L0 Member

‎12-13-2023 04:14 PM

Was this ever resolved? I am facing the same issue after changing where the GW resided on a switch, but now the GW is on the PA itself and can ping everything except for one of the configured DNS servers

0 Likes Likes

Adrian_Jensen
L6 Presenter
In response to Stephen_Muma

‎12-18-2023 11:40 AM - edited ‎12-18-2023 11:43 AM

The OP and you have not provided a lot of debugging information, so its a bit difficult to guess, but there are a couple important caveats to check for:

  1. The management interface IP should never exist on the same subnet as a regular interface on the PA. Edit: Actually.. I think I was thinking about the HA interface IP here... management IP might be OK, would have to re-read documentation.
  2. If you have previous made service route configuration changes, look to see if a management destination route has been added (Setup->Services->Service Route Configuration->Destination), you may be forcing traffic to certain destination out other interfaces.
  3. If a separate device is to contact the management interface, verify that the source is allowed as a permitted address if an ACL has been added (Setup->Interfaces->Management).
0 Likes Likes
  • 3089 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks