Internal host detection not Working

welly_59 · ‎09-24-2018

I have an external Gateway and I wish to setup always-on except when on local LAN. As a test i am doing this on my own username but it seems to always want to connect to external GW regardless of my settings.

I have turned on Internal Host detection and this is returning "0" in the PanGPS logs so i would assume then it would realise i was internal and not try and connect me to external gateway?

Connection type is currently - prelogon always on

(T1848) 09/24/18 11:16:36:219 Debug(1712): host TEST
(T1848) 09/24/18 11:16:36:230 Debug(1729): DnsQuery returns 0
(T1848) 09/24/18 11:16:36:230 Debug(1744): Resolved X.X.X.X.IN-ADDR.ARPA for internal host detection with return value 0
(T1848) 09/24/18 11:16:36:230 Debug(1768): The host name is TEST.DOMAIN.local
(T1848) 09/24/18 11:16:36:230 Debug(4040): NetworkDiscoverThread: network type is external.
(T1848) 09/24/18 11:16:36:230 Debug(4109): NetworkDiscoverThread: Discover external network

BPry · ‎09-24-2018

@welly_59,

As I'm reading your logs it's actually not able to resolve the DNS name that you are using. Attempt to test this with just an IP, preferrably a load-balanced VIP if you can, and see if it works.

vsys_remo · ‎09-24-2018

@welly_59

Are you able to do a DNS (reverse)lookup for the IP that you configured and do you then get exactly the name that is configured?

welly_59 · ‎09-24-2018

Isn’t dnsquery = 0 meaning that it’s successfully resolved?

welly_59 · ‎09-24-2018

DMs lookup brings the whole fqdn- test.domain.local

I have just ‘test’ set as the name for internal host detection, but it’s returning dnsquery = 0 which means it has resolved ok?

vsys_remo · ‎09-24-2018

Normally 0 means false while 1 equals true. So if you set the host also to test.domain.local the internal host detection should work and the client will not connect from internal.

welly_59 · ‎09-24-2018

not for this.

0 = succesful

9003 = not succesful

9852 = no dns servers configured

https://live.paloaltonetworks.com/t5/Management-Articles/Most-Common-DNS-Query-Responses-for-Interna...

I just tried this from home, where im obviously off-LAN, and i get this:

(T10216) 09/24/18 19:18:04:105 Debug(1729): DnsQuery returns 9003
(T10216) 09/24/18 19:18:04:105 Debug(1744): Resolved x.x.x.x.IN-ADDR.ARPA for internal host detection with return value 9003
(T10216) 09/24/18 19:18:04:105 Debug(4040): NetworkDiscoverThread: network type is external.
(T10216) 09/24/18 19:18:04:105 Debug(4109): NetworkDiscoverThread: Discover external network.

vsys_remo · ‎09-24-2018

Good to know ...

ITSupportMedi · ‎09-26-2018

Hi,

Did you make any progress on this? I am going thru the exact same challenge. Should work but it does not. The only thing I have not tried yet is switching from On-Demand to User-Logon.

Thanks

Jim

rcarmack1970 · ‎12-09-2019

You must use Always-on when implementing internal host detection.

Internal host detection not Working