FQDN jobs FAILED

Hi,


We have added several FQDN objects and it's not working. If we run:

update.symantec.com (Objectname update.symantec.com):

Not resolved

us.archive.ubuntu.com (Objectname us.archive.ubuntu.com):

Not used

xxxxxxx (Objectname HOST_xxxx13):

Not resolved


2017/04/25 13:35:54 29960 FqdnRefresh FIN FAIL 13:36:04
2017/04/25 13:31:44 29959 FqdnRefresh FIN FAIL 13:31:53
2017/04/25 13:30:32 29958 WildFire FIN OK 13:30:34
2017/04/25 13:30:25 29957 Install FIN OK 13:30:32
2017/04/25 13:30:23 29956 Downld FIN OK 13:30:25
2017/04/25 13:24:28 29954 FqdnRefresh FIN FAIL 13:24:39
2017/04/25 13:15:33 29953 WildFire FIN OK 13:15:37
2017/04/25 13:15:25 29952 Install FIN OK 13:15:33

Why is PA getting errors in FQDN jobs? We don't see any details or info. We can reach the DNS servers and everything.

show jobs id 29959

Enqueued ID Type Status Result Completed

2017/04/25 13:31:44 29959 FqdnRefresh FIN FAIL 13:31:53
Warnings:
Details:

19 REPLIES

Cyber Elite

@Es_tecsupportsecurity,

What does your output look like if you run request system fqdn refresh force yes in CLI? Generally this would mean that you can't actually resolve the domain on your local DNS server if that is what you are using as the Palo Alto's DNS settings. On whatever DNS server(s) you are using on the Palo Alto just verify that they themselves can actually resolve those domain names.

I tried with force but the error is the same. If I ping this domain from PA it is resolving the IP correctly. Anyway, I don't know if this job should fail although DNS can't resolve this domain.

request system fqdn refresh

request system fqdn show

What can you see? Can you please tell us your PAN-OS version as well as hardware platform?

I tried but the job is failing

Enqueued ID Type Status Result Completed
--------------------------------------------------------------------------
2017/04/25 15:24:35 29993 FqdnRefresh FIN FAIL 15:24:46
2017/04/25 15:20:27 29992 FqdnRefresh FIN FAIL 15:20:40

and it's not resolving any domain in "request system fqdn show"

but if I run a ping from PA the domain is resolved

captive.apple.com (Objectname captive_apple):

Not resolved

 

---

ping host captive.apple.com
PING captive.g.aaplimg.com (17.253.35.208) 56(84) bytes of data.

Your PAN-OS and hardware platform, please;)

PA-3050, PAN-OS 7.0.6

Thanks. Need to check the release notes, but in the meantime may I ask if you did try to reset the management server?

> debug software restart process management-server

I just restarted the mgmt server and the result is the same, I see the FQDN refresh jobs FAILED.

2017/04/25 16:15:00 2 FqdnRefresh FIN FAIL 16:15:17
2017/04/25 16:13:48 1 FqdnRefresh FIN FAIL 16:14:01

Running "request system fqdn show", I see PA resolves only this host: connectivitycheck.android.com

FQDN Table : Last Request time Tue Apr 25 16:15:00 2017
--------------------------------------------------------------------------------
IP Address Remaining TTL Secs Since Refreshed
--------------------------------------------------------------------------------
VSYS : vsys1 (using mgmt-obj dnsproxy object)

 

captive.apple.com (Objectname captive_apple):

Not resolved

connectivitycheck.android.com (Objectname captive_android):

209.85.144.101 -3013295 3013353
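An added example (not from the thread or from Palo Alto Networks) that parses the `request system fqdn show` output shown above and flags what a silently failing refresh looks like: objects still marked "Not resolved", and cached entries whose remaining TTL has gone negative, as in the connectivitycheck.android.com line, so a rule built on that object keeps matching an address that has not been re-validated in weeks. The sample text and the 24-hour staleness threshold are constructed assumptions.

```python
import re

# Constructed sample of "request system fqdn show" output on PAN-OS 7.0, built from
# the values pasted in the thread (the blank lines the CLI prints are omitted).
SAMPLE = """\
FQDN Table : Last Request time Tue Apr 25 16:15:00 2017
--------------------------------------------------------------------------------
IP Address Remaining TTL Secs Since Refreshed
--------------------------------------------------------------------------------
VSYS : vsys1 (using mgmt-obj dnsproxy object)
captive.apple.com (Objectname captive_apple):
Not resolved
connectivitycheck.android.com (Objectname captive_android):
209.85.144.101 -3013295 3013353
us.archive.ubuntu.com (Objectname us_archive_ubuntu):
Not used
"""
OBJ_RE = re.compile(r"^(\S+) \(Objectname (\S+)\):$")
ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) (-?\d+) (\d+)$")

def parse_fqdn_table(text):
    """Map object name -> {"fqdn", "status", "entries"}; status is "resolved",
    "Not resolved" or "Not used"; entries are (ip, remaining_ttl, secs_since)."""
    objects, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = OBJ_RE.match(line)
        if m:
            current = {"fqdn": m.group(1), "status": "resolved", "entries": []}
            objects[m.group(2)] = current
        elif current is None or not line:
            continue
        elif line in ("Not resolved", "Not used"):
            current["status"] = line
        elif (e := ENTRY_RE.match(line)):
            current["entries"].append((e.group(1), int(e.group(2)), int(e.group(3))))
    return objects

def audit(objects, max_age=86400):
    """Flag objects that give wrong policy matches: unresolved ones (their rules match
    nothing) and entries with a negative TTL or older than max_age seconds."""
    findings = []
    for name, obj in objects.items():
        if obj["status"] == "Not resolved":
            findings.append((name, "unresolved"))
        for ip, ttl, age in obj["entries"]:
            if ttl < 0 or age > max_age:
                findings.append((name, f"stale {ip}: ttl={ttl} age={age}s"))
    return findings
```

Feeding the real CLI output into `parse_fqdn_table` and running `audit` on a schedule gives an alert for exactly the condition in this thread, where the FqdnRefresh job fails but the firewall reports nothing in the job details.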


@Es_tecsupportsecurity,

That's really interesting. I don't recall anything in later 7.0.* release notes about FQDN problems, but I would update to 7.0.15 just to deal with the recent security issues and see if the issue resolves itself if you can afford the downtime if you don't have an HA pair.

I would need a strong explanation to upgrade these FWs, not upgrading just in case. Anyway, I'm going to replicate this issue in my lab...

Nothing in the release notes. Just a guess really, but can you try to increase the update interval to 10 minutes and check if auto-refresh still fails? What is happening when you test the FQDN from the GUI:

[Attachment: fqdn.PNG]

In version 7.0.6 you can't see the resolve option in the WebUI, you have to use the CLI.

I tried to configure 10 minutes for refresh but the result is the same 😞

So when you ping the FQDNs from the CLI all looks good, it's just the auto-refresh that doesn't work properly... Not sure if I have missed something simple. Are you able to report this to TAC?

Exactly


admin@LukeSkywalker01(active)> ping host

I just checked it: in version 7.1 it is working fine but not in 7.0.6 😞
