Unable to resolve FQDN after upgrading PAN OS to 10.1.5 - " ping: unknown host FQDN"


L1 Bithead

Hi everyone,

We have recently upgraded a PA-820 to PAN-OS 10.1.5. After that, we observed that we cannot resolve any FQDN from the firewall.

* We have verified the DNS setting Device>Setup>Services> Primary as 8.8.8.8 and local.

* We have tested by changing the service route of DNS to LAN, WAN, and default, and allowed complete access in policy; still no use.

* We have restarted the MGMT server and DNS-Proxy process but still no use; getting errors as " ping: unknown host FQDN"

* Also observed that it is working fine on machines behind this firewall. Only unable to resolve from the firewall CLI.

Can anyone please help me to address this issue?

Accepted Solutions

Hi @OtakarKlier:

PA TAC update is:

This behavior is observed on PAN 10.1.6. There is no target fix for this bug.

The resolution is either to remove the domain name (if not required) or, if it is required, there should not be any space in it.
PAN-196841 will be fixed, as with the same configuration we observed that content and dynamic updates were working fine on PAN OS 10.1.3.
The issue was due to an invalid domain string name configured on the firewall under General Settings >> Domain.
Device --> Setup --> Management --> General Settings --> Domain
We removed the domain and the issue got fixed.

Recently there was a fix added to validate all hostname/domain name strings from sysdagent. Hence it is quite possible that this string was accepted in earlier versions.
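
The TAC update above traces the failure to a domain string containing a space. A pre-check for such values, as an added example that is not part of the original post and not Palo Alto Networks code: it applies RFC 1123 hostname rules, which is an assumption because the thread does not state the exact validation PAN-OS performs, and the device names and domain values are constructed.

```python
import re

# One DNS label per RFC 1123: letters, digits, hyphens; 1-63 chars; no edge hyphen.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def check_domain(value):
    """Return the problems found in a domain string; an empty list means it is clean."""
    if value == "":
        return []  # no domain configured
    problems = []
    name = value.strip()
    if name != value:
        problems.append("leading or trailing whitespace")
    if re.search(r"\s", name):
        problems.append("whitespace inside the name")
    if name.endswith("."):
        name = name[:-1]  # a single trailing root dot is legal
    if len(name) > 253:
        problems.append("name longer than 253 characters")
    for label in name.split("."):
        if label == "":
            problems.append("empty label")
        elif re.search(r"\s", label):
            continue  # already reported as whitespace above
        elif not LABEL.fullmatch(label):
            problems.append(f"invalid label {label!r}")
    return problems

def audit(domains):
    """Map each device name to its problems, keeping only devices with a bad value."""
    report = {}
    for device, value in domains.items():
        problems = check_domain(value)
        if problems:
            report[device] = problems
    return report

# Constructed sample values (hypothetical device names), not taken from the thread.
SAMPLE = {
    "fw-a": "corp.example.com",
    "fw-b": "corp example.com",
    "fw-c": "example.com ",
    "fw-d": "",
}

if __name__ == "__main__":
    for device, problems in audit(SAMPLE).items():
        print(device, "->", "; ".join(problems))
```

Running the same check over the Domain values held in Panorama templates before a push catches the trailing-space case, which is easy to miss in the GUI.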

 


10 Replies

L1 Bithead

You're not alone on this one; I am running 10.1.5. I have been dealing with this issue for the past week or so. I am looking at upgrading to 10.1.6 since it was recently approved as the preferred release. My setup is pretty simple: it's only a Palo 440 trunked to a Cisco 2960xr. I have thrown just about everything at it and still no luck.

Cyber Elite

Hello,

Looks like 10.1.6 is the preferred release. I'm running it and have not seen the issue you are describing.

 

https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-...

 

Regards,

L1 Bithead

@JuanRodriguezIT  and @OtakarKlier : Thanks for your reply. Is there any other workaround except the PAN-OS upgrade?

If you don't want to upgrade, I would go back to the previous version. I am looking at upgrading to 10.1.6, but obviously that needs to be done after hours. @OtakarKlier mentioned he has no issues, so I am hoping that will fix my issue because, as I mentioned, I've hit this thing from all angles except downgrading or upgrading 😞

L1 Bithead

Hi,

 

I have upgraded PAN-OS to 10.1.6, but still the same issue: unable to resolve FQDN, getting " Unknow Host: www.google.com"

Need help to address the issue.

Cyber Elite

Hello,

I would say opening a support case would be in order. I'd be interested to see what they have to say.

Regards,

Further to this I have found it only seems to affect Panorama-pushed config. In testing this did not impact us when the domain name was entered locally on the firewall rather than being pushed from Panorama.

Hello, may I ask what PAN-OS you are running? I had to go down to 10.1.4h4 to get this FQDN issue resolved.

We are on PANOS 10.1.6-h6
