DNS server can't access to management interface

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

DNS server can't access to management interface

L0 Member

Hello,

 

I don't know if this is a normal behavior or not. We have 3 DNS servers. 
DNS_A
DNS_B
DNS_C

We are not able to ping or ssh/http to the management interface from the DNS server, if this DNS server is configured as DNS server in the firewall.

When we configure DNS_A and DNS_B as a primary and secondary DNS servers in the firewall, we are not able to ping or access from those DNS servers to the mgmt interface. But DNS_C is able to ping with no problems.

When we configure DNS_A and DNS_C, they are not able to ping, but DNS_B can do it.

 

Why is it? I did a tcpdump and see that all pings arrived to the firewall but there are only replies from fw to the server that is not configured as DNS.

 

Thanks!

4 REPLIES 4

Hey @IsaacCasal ,

Are you using default service route for DNS traffic through the management interface, or you are using different service route - either for dns service, or specific destination?

 

 

Hi! Thanks for the reply. The DNS traffic has a custom configuration in service routing, for a specific interface, not the default (management). But if I am not wrong, this is referred to a specific port, in this case service: "dns", so it has to be not only for layer 3 routing, but also port 53 traffic. So it will not affect the ping or ssh, and so on. Am I wrong?

 

Thanks!

L0 Member

Was this ever resolved? I am facing the same issue after changing where the GW resided on a switch, but now the GW is on the PA itself and can ping everything except for one of the configured DNS servers

The OP and you have not provided a lot of debugging information, so its a bit difficult to guess, but there are a couple important caveats to check for:

  1. The management interface IP should never exist on the same subnet as a regular interface on the PA. Edit: Actually.. I think I was thinking about the HA interface IP here... management IP might be OK, would have to re-read documentation.
  2. If you have previous made service route configuration changes, look to see if a management destination route has been added (Setup->Services->Service Route Configuration->Destination), you may be forcing traffic to certain destination out other interfaces.
  3. If a separate device is to contact the management interface, verify that the source is allowed as a permitted address if an ACL has been added (Setup->Interfaces->Management).
  • 3226 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!