03-14-2018 12:26 PM
Greetings!
We recently migrated to a new DNS server in our internal network. With this, we also updated the firewall configuration and the GP setup to reflect this. We have the PAN giving IPs to GP clients directly (not relayed), and whenever someone connects to the FW, they are getting the old DNS servers, not the new ones.
I've googled, and gone through the configuration; the only thing left with the old DNS server is an address book entry (that can be removed). I also just tested uninstalling and reinstalling the GP client, and still get the old server IPs.
Anyone seen this before? Is there a config file or registry setting that is making the old IPs sticky?
03-14-2018 02:41 PM
Hello,
Check the DHCP server config since the PAN is handing out the info:
Network tab -> DHCP -> DHCP Server
Also check the PAN config if you don't have these defined:
Device tab -> Setup -> Services
Hope that helps.
03-14-2018 02:47 PM
We don't have DHCP setup for this, we have the IP Pools set up in the GP configuration; the only item we have for DHCP is our Guest VLAN, and that's on an unrelated subnet, and pointed out to public OpenDNS IP addresses.
I've triple-checked the config, the IP of the old DNS server is only present in a legacy address book entry, but it's not tied to anything.
03-14-2018 02:58 PM
Hello,
I take it you also looked at the Network Services tab?
Network tab -> GlobalProtect -> Gateways -> Gateway Configuration -> Agent -> Network Services
Regards,
03-14-2018 03:02 PM
That, and the Device tab, were the places we updated over this weekend. The old DNS server IPs are completely removed from the configuration; doing a 'show | match w.x.y.z' for the old DNS IP only shows it as an address book object not linked to anything.
03-14-2018 03:10 PM
Hello,
What happens if you do an ipconfig release/renew on the client when connected via VPN? I'm wondering if the clients are somehow retaining the old settings.
Also, you can do a global search via the GUI for the IP.
Just thinking out loud.
03-15-2018 08:44 AM
If I do an ipconfig /release while connected, GlobalProtect disconnects. When it reconnects, it still has the old settings.
I did do a search in the GUI, and the results were the same as doing a 'show | match ip.add.re.ss' for the old DNS server IP: the only match was an address book object that is not used in any network/GP configuration.
03-15-2018 10:14 AM
Hmm, that is a weird one for sure. Perhaps a support ticket is in order?
03-15-2018 10:45 AM
I actually did, and just got off the phone with a TAC engineer. No solution yet, but he's going to put it in their lab and test/confirm it. They are suggesting a commit full may reset it, because it does look like it's being pushed by the FW, and that may clear out anything old that's hanging around.
When we do get a fix for this, I'll post it up for others that have this same issue. 🙂
03-15-2018 11:32 AM
Did you happen to check "GP App Config refresh interval" and "Update DNS Settings at Connect(Windows Only)" under Portal-Agent-App tab?
What are your current settings for these options?
03-15-2018 03:30 PM
Just looked at those. The GP App config refresh is set for 24 hours; the DNS change was done this past Sunday, over 96 hours ago.
The Update DNS Settings at Connect had originally been set to No, but I did change it 2 days ago, before I posted this topic.
(Appreciate the suggestions on this! 🙂 )
03-16-2018 08:21 AM
What does it say for DNS when you run this in the CLI:
show global-protect-gateway gateway name <your gateway name>
Also, I just modified my secondary DNS and the user got the update on first connection.
Apart from the obvious, are your settings similar to mine?
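To check the client side of this (whether the tunnel adapter actually received the retired DNS server after a reconnect, and whether the new servers answer over the tunnel), here is an added PowerShell check that is not from this thread or from Palo Alto. It assumes the GlobalProtect adapter's driver description contains "PANGP", and the DNS addresses and the test hostname are constructed placeholders.

```powershell
# Added example: compare the DNS servers on the GlobalProtect tunnel adapter
# against the expected (new) and retired (old) resolvers.
# Assumption: the Windows GP adapter's InterfaceDescription contains "PANGP".
$ExpectedDns  = @('10.10.10.53', '10.10.11.53')   # constructed: new internal resolvers
$RetiredDns   = @('10.10.1.53')                    # constructed: old server being phased out
$ProbeName    = 'intranet.example.internal'        # constructed: a name only the internal DNS knows

function Test-GpDnsServers {
    param([string[]]$Expected, [string[]]$Retired)

    # Find the active GlobalProtect virtual adapter (assumption on the description text).
    $adapter = Get-NetAdapter |
        Where-Object { $_.InterfaceDescription -like '*PANGP*' -and $_.Status -eq 'Up' } |
        Select-Object -First 1
    if (-not $adapter) {
        Write-Warning 'GlobalProtect adapter not found or not up; connect to the VPN first.'
        return $null
    }

    # IPv4 DNS servers the gateway pushed to the tunnel adapter.
    $actual = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses

    [pscustomobject]@{
        Adapter = $adapter.Name
        Actual  = $actual
        Stale   = @($actual   | Where-Object { $Retired -contains $_ })    # old servers still present
        Missing = @($Expected | Where-Object { $actual -notcontains $_ })  # new servers not pushed
    }
}

$r = Test-GpDnsServers -Expected $ExpectedDns -Retired $RetiredDns
if ($r) {
    $r | Format-List
    if ($r.Stale.Count -gt 0) {
        Write-Warning "Client still holds retired DNS server(s): $($r.Stale -join ', ')"
    }
    # Confirm each expected server actually resolves over the tunnel, so the fix
    # can be verified end to end rather than just by reading the adapter settings.
    foreach ($srv in $ExpectedDns) {
        try {
            $ans = Resolve-DnsName -Name $ProbeName -Server $srv -Type A -ErrorAction Stop
            "OK   $srv answered for $ProbeName ($($ans.IPAddress -join ', '))"
        } catch {
            "FAIL $srv did not answer for ${ProbeName}: $($_.Exception.Message)"
        }
    }
}
```

Run it on a client right after a GP reconnect; a non-empty Stale list with an empty Missing list points at the client keeping old settings, while a non-empty Missing list points back at what the gateway is pushing.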