https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Clustering-R80-20-DNS-resolving-error-msg/m-p/65776#M9529 <P>Greetings!</P><P>I am seeing constant Alert error messages in our logs with reason: Firewall - Domain resolving error. Check DNS configuration on the gateway (0) .</P><P>Here are the statistics: R80.20, running on VSX, JHF Take 103 applied,&nbsp;</P><P>Initially I thought the issue was being caused by the fact that in VSX the DNS servers for each context are the same (SK152873 - a large oversight if you ask me but) so with some redesign I was able to find 3 common DNS targets that would work in this scenario. Once that was applied, I still am seeing tons of these alert errors.</P><P>From the CLI I am able to confirm that all of the VSX contexts resolve DNS using dig/nslookup etc so I am not sure why I would be seeing this behavior&nbsp;</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> Thu, 24 Oct 2019 13:38:10 GMT jbfixurpc_cew 2019-10-24T13:38:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Clustering-R80-20-DNS-resolving-error-msg/m-p/65776#M9529 <P>Greetings!</P><P>I am seeing constant Alert error messages in our logs with reason: Firewall - Domain resolving error. Check DNS configuration on the gateway (0) .</P><P>Here are the statistics: R80.20, running on VSX, JHF Take 103 applied,&nbsp;</P><P>Initially I thought the issue was being caused by the fact that in VSX the DNS servers for each context are the same (SK152873 - a large oversight if you ask me but) so with some redesign I was able to find 3 common DNS targets that would work in this scenario. Once that was applied, I still am seeing tons of these alert errors.</P><P>From the CLI I am able to confirm that all of the VSX contexts resolve DNS using dig/nslookup etc so I am not sure why I would be seeing this behavior&nbsp;</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> Thu, 24 Oct 2019 13:38:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Clustering-R80-20-DNS-resolving-error-msg/m-p/65776#M9529 jbfixurpc_cew 2019-10-24T13:38:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Clustering-R80-20-DNS-resolving-error-msg/m-p/65806#M9530 <P>Hi,</P> <P>&nbsp;</P> <P>I guess you are using domain objects, right?</P> <P>&nbsp;</P> Thu, 24 Oct 2019 16:35:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Clustering-R80-20-DNS-resolving-error-msg/m-p/65806#M9530 Ilya_Yusupov 2019-10-24T16:35:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Clustering-R80-20-DNS-resolving-error-msg/m-p/65810#M9531 As a matter of fact, yes, were trying to do that. What I am failing to understand is that from an external resource I can generate DNS traffic to a DNS server behind the cluster, and I see the error appear in that manor, sometimes... It's completely hit or miss which is confusing to say the least, sometimes I see the hits with no alerts, other times with the alert "Firewall - Domain resolving error. Check DNS configuration on the gateway (0)" which makes no sense to ,e. Thu, 24 Oct 2019 16:41:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Clustering-R80-20-DNS-resolving-error-msg/m-p/65810#M9531 jbfixurpc_cew 2019-10-24T16:41:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Clustering-R80-20-DNS-resolving-error-msg/m-p/65844#M9532 <P>We had such issue in the past which should be solved.</P> <P>I will check it internaly and will update.</P> Thu, 24 Oct 2019 18:34:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Clustering-R80-20-DNS-resolving-error-msg/m-p/65844#M9532 Ilya_Yusupov 2019-10-24T18:34:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Clustering-R80-20-DNS-resolving-error-msg/m-p/65992#M9533 <P>Hi,</P> <P>&nbsp;</P> <P>the fix included in on going JHF take 117, if you can move to this take it will be great.</P> <P>if not i suggest to open a ticket for CP support to ask a port fix.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Ilya&nbsp;</P> Sun, 27 Oct 2019 10:13:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Clustering-R80-20-DNS-resolving-error-msg/m-p/65992#M9533 Ilya_Yusupov 2019-10-27T10:13:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Clustering-R80-20-DNS-resolving-error-msg/m-p/72302#M9534 <P>Hi Ilya,</P><P>&nbsp;</P><P>We have same issue on r80.30 HF take 111, can you check internaly if that fix was ported to r80.30 ?</P> Wed, 15 Jan 2020 10:58:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Clustering-R80-20-DNS-resolving-error-msg/m-p/72302#M9534 Khalid_Aftas 2020-01-15T10:58:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Clustering-R80-20-DNS-resolving-error-msg/m-p/72303#M9535 <P>Hi Khalid,</P> <P>&nbsp;</P> <P>The fix already included in R80.30 GA version so i suggest to open a TAC case and share it with me so i can check with RnD owners.</P> Wed, 15 Jan 2020 11:44:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Clustering-R80-20-DNS-resolving-error-msg/m-p/72303#M9535 Ilya_Yusupov 2020-01-15T11:44:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Clustering-R80-20-DNS-resolving-error-msg/m-p/73359#M9536 <P>Probably you have resolved it by now but if not make sure that TCP DNS lookups are allowed from your gateway</P> <P><A href="https://community.checkpoint.com/t5/General-Management-Topics/Domain-Objects-FQDN-An-Unofficial-ATRG/m-p/72958#M10845" target="_blank">https://community.checkpoint.com/t5/General-Management-Topics/Domain-Objects-FQDN-An-Unofficial-ATRG/m-p/72958#M10845</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Sat, 25 Jan 2020 12:55:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Clustering-R80-20-DNS-resolving-error-msg/m-p/73359#M9536 Kaspars_Zibarts 2020-01-25T12:55:23Z