04-25-2017 04:41 AM
Hi,
We have added several FQDN objects and it's not working. If we run
update.symantec.com (Objectname update.symantec.com):
Not resolved
us.archive.ubuntu.com (Objectname us.archive.ubuntu.com):
Not used
xxxxxxx (Objectname HOST_xxxx13):
Not resolved
2017/04/25 13:35:54 29960 FqdnRefresh FIN FAIL 13:36:04
2017/04/25 13:31:44 29959 FqdnRefresh FIN FAIL 13:31:53
2017/04/25 13:30:32 29958 WildFire FIN OK 13:30:34
2017/04/25 13:30:25 29957 Install FIN OK 13:30:32
2017/04/25 13:30:23 29956 Downld FIN OK 13:30:25
2017/04/25 13:24:28 29954 FqdnRefresh FIN FAIL 13:24:39
2017/04/25 13:15:33 29953 WildFire FIN OK 13:15:37
2017/04/25 13:15:25 29952 Install FIN OK 13:15:33
Why is the PA getting errors in FQDN jobs? We don't see any details or info. We can reach the DNS servers and everything.
show jobs id 29959
Enqueued ID Type Status Result Completed
2017/04/25 13:31:44 29959 FqdnRefresh FIN FAIL 13:31:53
Warnings:
Details:
04-25-2017 05:40 AM
What does your output look like if you run request system fqdn refresh force yes in CLI? Generally this would mean that you can't actually resolve the domain on your local DNS server if that is what you are using as the Palo Alto's DNS settings. On whatever DNS server(s) you are using on the Palo Alto just verify that they themselves can actually resolve those domain names.
04-25-2017 06:12 AM
I tried with force but the error is the same. If I ping this domain from the PA, it resolves the IP correctly. Anyway, I don't know if this job should fail even if DNS can't resolve this domain.
04-25-2017 06:23 AM
request system fqdn refresh
request system fqdn show
What can you see? Can you please tell us your PAN-OS version as well as the hardware platform?
04-25-2017 06:26 AM
I tried, but the job is failing:
Enqueued ID Type Status Result Completed
--------------------------------------------------------------------------
2017/04/25 15:24:35 29993 FqdnRefresh FIN FAIL 15:24:46
2017/04/25 15:20:27 29992 FqdnRefresh FIN FAIL 15:20:40
and it is not resolving any domain in "request system fqdn show",
but if I run a ping from the PA the domain is resolved:
captive.apple.com (Objectname captive_apple):
Not resolved
---
ping host captive.apple.com
PING captive.g.aaplimg.com (17.253.35.208) 56(84) bytes of data.
04-25-2017 06:28 AM
@Es_tecsupportsecurity wrote: I tried, but the job is failing:
Enqueued ID Type Status Result Completed
--------------------------------------------------------------------------
2017/04/25 15:24:35 29993 FqdnRefresh FIN FAIL 15:24:46
2017/04/25 15:20:27 29992 FqdnRefresh FIN FAIL 15:20:40
and it is not resolving any domain in "request system fqdn show",
but if I run a ping from the PA the domain is resolved:
captive.apple.com (Objectname captive_apple):
Not resolved
---
ping host captive.apple.com
PING captive.g.aaplimg.com (17.253.35.208) 56(84) bytes of data.
Your PAN-OS version and hardware platform, please ;)
04-25-2017 06:50 AM
Thanks. I need to check the release notes, but in the meantime may I ask whether you tried resetting the management server?
> debug software restart process management-server
04-25-2017 07:20 AM
I just restarted the mgmt server and the result is the same; I see the FQDN refresh jobs FAILED.
2017/04/25 16:15:00 2 FqdnRefresh FIN FAIL 16:15:17
2017/04/25 16:13:48 1 FqdnRefresh FIN FAIL 16:14:01
Running "request system fqdn show", I see the PA resolves only this host, connectivitycheck.android.com:
FQDN Table : Last Request time Tue Apr 25 16:15:00 2017
--------------------------------------------------------------------------------
IP Address Remaining TTL Secs Since Refreshed
--------------------------------------------------------------------------------
VSYS : vsys1 (using mgmt-obj dnsproxy object)
captive.apple.com (Objectname captive_apple):
Not resolved
connectivitycheck.android.com (Objectname captive_android):
209.85.144.101 -3013295 3013353
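The "request system fqdn show" table above is the first place to look when FQDN-based policy stops matching: an object that is "Not resolved" matches no address at all, and a cached entry whose remaining TTL has gone negative (as in the connectivitycheck.android.com line, about 35 days past expiry) shows the refresh job is not replacing stale answers. The script below is an added example, not part of this thread and not Palo Alto Networks code; it parses the two output formats quoted in the thread (the FQDN table and the "show jobs" list) and reports the conditions a firewall admin would want to be alerted on. The sample text is constructed from the output posted above.

```python
"""Audit PAN-OS 'request system fqdn show' and 'show jobs' output.

Added example (not Palo Alto Networks code). Flags FQDN objects that are
unresolved, cached answers whose TTL has already expired, and failed
FqdnRefresh jobs. Sample input below is constructed from the thread.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the table the original poster pasted.
SAMPLE_FQDN_SHOW = """FQDN Table : Last Request time Tue Apr 25 16:15:00 2017
--------------------------------------------------------------------------------
IP Address Remaining TTL Secs Since Refreshed
--------------------------------------------------------------------------------
VSYS : vsys1 (using mgmt-obj dnsproxy object)
captive.apple.com (Objectname captive_apple):
Not resolved
connectivitycheck.android.com (Objectname captive_android):
209.85.144.101 -3013295 3013353
"""

# Constructed sample: a few 'show jobs' rows from the thread.
SAMPLE_JOBS = """2017/04/25 16:15:00 2 FqdnRefresh FIN FAIL 16:15:17
2017/04/25 16:13:48 1 FqdnRefresh FIN FAIL 16:14:01
2017/04/25 13:30:32 29958 WildFire FIN OK 13:30:34
"""


@dataclass
class Resolution:
    ip: str
    remaining_ttl: int        # negative means the cached answer has expired
    secs_since_refresh: int


@dataclass
class FqdnEntry:
    fqdn: str
    objectname: str
    vsys: Optional[str]
    status: str               # "resolved", "Not resolved" or "Not used"
    resolutions: List[Resolution] = field(default_factory=list)


HEADER_RE = re.compile(r"^(\S+) \(Objectname (\S+)\):$")
VSYS_RE = re.compile(r"^VSYS : (\S+)")
ADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(-?\d+)\s+(\d+)$")
JOB_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(\S+)$"
)


def parse_fqdn_show(text: str) -> List[FqdnEntry]:
    """Turn the FQDN table into one entry per object, with its cached addresses."""
    entries: List[FqdnEntry] = []
    vsys: Optional[str] = None
    current: Optional[FqdnEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = VSYS_RE.match(line)
        if m:
            vsys = m.group(1)
            continue
        m = HEADER_RE.match(line)
        if m:
            current = FqdnEntry(m.group(1), m.group(2), vsys, "resolved")
            entries.append(current)
            continue
        if current is None:
            continue                      # banner / separator lines
        if line in ("Not resolved", "Not used"):
            current.status = line
            continue
        m = ADDR_RE.match(line)
        if m:
            current.resolutions.append(
                Resolution(m.group(1), int(m.group(2)), int(m.group(3))))
    return entries


def parse_jobs(text: str) -> List[Dict[str, object]]:
    """Parse 'show jobs' rows: enqueued time, id, type, status, result, completed."""
    jobs = []
    for raw in text.splitlines():
        m = JOB_RE.match(raw.strip())
        if m:
            jobs.append({"enqueued": m.group(1), "id": int(m.group(2)),
                         "type": m.group(3), "status": m.group(4),
                         "result": m.group(5), "completed": m.group(6)})
    return jobs


def audit(entries: List[FqdnEntry], jobs: List[Dict[str, object]]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings: List[str] = []
    for e in entries:
        if e.status != "resolved":
            findings.append(f"{e.objectname} ({e.fqdn}): {e.status}; "
                            "policy using this object matches no address")
        for r in e.resolutions:
            if r.remaining_ttl < 0:
                findings.append(f"{e.objectname}: cached {r.ip} expired "
                                f"{-r.remaining_ttl}s ago; refresh is not replacing it")
    failed = [j for j in jobs if j["type"] == "FqdnRefresh" and j["result"] == "FAIL"]
    if failed:
        ids = ", ".join(str(j["id"]) for j in failed)
        findings.append(f"{len(failed)} FqdnRefresh job(s) failed (ids {ids})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fqdn_show(SAMPLE_FQDN_SHOW), parse_jobs(SAMPLE_JOBS)):
        print(finding)
```

Feed it the real CLI output (for example captured over SSH on a schedule) and alert on any non-empty result; the negative-TTL check is what distinguishes "DNS is broken" from "the refresh job is broken", since a stale entry with a valid address means the lookup worked at some point but the periodic refresh is no longer updating the cache.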
04-25-2017 07:47 AM
That's really interesting. I don't recall anything in later 7.0.* release notes about FQDN problems, but I would update to 7.0.15 just to deal with the recent security issues and see if the issue resolves itself, if you can afford the downtime (if you don't have an HA pair).
04-25-2017 07:56 AM
I would need a strong explanation to upgrade these FWs, not upgrading just in case. Anyway, I'm going to replicate this issue in my lab...
04-25-2017 08:00 AM - edited 04-25-2017 08:01 AM
Nothing in the release notes. Just a guess really, but can you try to increase the update interval to 10 minutes and check if auto refresh still fails? What happens when you test the FQDN from the GUI:
04-25-2017 08:33 AM
In version 7.0.6 you can't see the resolve option in the WebUI; you have to use the CLI.
I tried to configure 10 minutes for the refresh, but the result is the same 😞
04-25-2017 08:36 AM
So when you ping the FQDNs from the CLI all looks good; it's just that the auto-refresh doesn't work properly... Not sure if I have missed something simple. Are you able to report this to TAC?
04-25-2017 08:40 AM - edited 04-27-2017 04:03 AM
Exactly
admin@LukeSkywalker01(active)> ping host
I just checked it: in version 7.1 it is working fine, but not in 7.0.6 😞