https://community.checkpoint.com/t5/General-Topics/cluster-xl-80-40-trouble-with-external-dns-querys/m-p/78041#M15891 <P>Also managed to get this working by enabling the IPS blade (previously had firewall + IA + Mobile access only).</P><P>&nbsp;</P><P>fwaccel conns now shows the inbound and outbound connections with the 'S' flag (PXL enabled).</P> Thu, 12 Mar 2020 03:07:32 GMT chris_denham 2020-03-12T03:07:32Z https://community.checkpoint.com/t5/General-Topics/cluster-xl-80-40-trouble-with-external-dns-querys/m-p/77311#M15734 <P>Hi i have upgraded a Cluster XL to 80.40</P><P>this cluster works only as firewall (NGTP or NGTX isn't active)</P><P>in the smartconsole is all green.</P><P>&nbsp;</P><P>dns query from internal to external doesn't work when secure xl is enabled.</P><P>if i disable secure xl the dns querys are working.</P><P>&nbsp;</P><P>have anyone the same problem?</P><P>how can i solve this? (have to wait for a new hotfix?)</P><P>&nbsp;</P><P>thanx all, regards</P><P>flo</P> Thu, 05 Mar 2020 14:50:27 GMT https://community.checkpoint.com/t5/General-Topics/cluster-xl-80-40-trouble-with-external-dns-querys/m-p/77311#M15734 Florian_Maier 2020-03-05T14:50:27Z https://community.checkpoint.com/t5/General-Topics/cluster-xl-80-40-trouble-with-external-dns-querys/m-p/77578#M15795 If disabling SecureXL "solves" a problem, it's a bug.<BR />Open a TAC case, please. Sun, 08 Mar 2020 01:18:53 GMT https://community.checkpoint.com/t5/General-Topics/cluster-xl-80-40-trouble-with-external-dns-querys/m-p/77578#M15795 PhoneBoy 2020-03-08T01:18:53Z https://community.checkpoint.com/t5/General-Topics/cluster-xl-80-40-trouble-with-external-dns-querys/m-p/77629#M15813 <P>I had the same problem.&nbsp;But there is a solution to bypass the DNS server IP.&nbsp;You can bypass SecureXL (green flow in the picture) as described.&nbsp;This will use the F2F path instead of the acceleration path.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_20200308-183104_Edge.jpg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/4749iF3310719CFB635D4/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot_20200308-183104_Edge.jpg" alt="Screenshot_20200308-183104_Edge.jpg" /></span></P> <P><SPAN>How to disable SecureXL for specific IP addresses? Edit the relevant table.def file, define the DNS Server IP addresses, whose traffic should&nbsp;</SPAN><EM>not</EM><SPAN>&nbsp;</SPAN><EM>be accelerated</EM><SPAN>. Y</SPAN><SPAN>ou can find more on this topic in this&nbsp;</SPAN><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk104468&amp;partition=Advanced&amp;product=SecureXL%22" target="_self" rel="nofollow noopener noreferrer">sk104468</A><SPAN>.</SPAN></P> <P>More read here:<BR /><A title="R80.x - Performance Tuning Tip - Control SecureXL / CoreXL Pathes" href="https://community.checkpoint.com/t5/General-Topics/R80-x-Performance-Tuning-Tip-Control-SecureXL-CoreXL-Pathes/m-p/72006/highlight/true#M14599" target="_self"><SPAN class="lia-message-read">- R80.x - Performance Tuning Tip - Control SecureXL / CoreXL Paths</SPAN></A><BR /><A href="https://community.checkpoint.com/docs/DOC-3041-r80x-security-gateway-architecture-logical-packet-flow" target="_blank" rel="noopener">- R80.x - Security Gateway Architecture (Logical Packet Flow)</A></P> <P>&nbsp;</P> Sun, 08 Mar 2020 17:34:25 GMT https://community.checkpoint.com/t5/General-Topics/cluster-xl-80-40-trouble-with-external-dns-querys/m-p/77629#M15813 HeikoAnkenbrand 2020-03-08T17:34:25Z https://community.checkpoint.com/t5/General-Topics/cluster-xl-80-40-trouble-with-external-dns-querys/m-p/77639#M15816 Obviously that's a workaround, but we should find out why we need to disable SecureXL for this. Mon, 09 Mar 2020 00:34:57 GMT https://community.checkpoint.com/t5/General-Topics/cluster-xl-80-40-trouble-with-external-dns-querys/m-p/77639#M15816 PhoneBoy 2020-03-09T00:34:57Z https://community.checkpoint.com/t5/General-Topics/cluster-xl-80-40-trouble-with-external-dns-querys/m-p/78040#M15890 <P>Experiencing the same issue after upgrading a Cluster to R80.40.</P><P>&nbsp;</P><P>Interestingly the DNS traffic goes through 2 x Clusters and the issue goes away after disabling SecureXL on one of them.</P><P>&nbsp;</P><P>We are using a bind DNS server, same issue using forwarders or root hints.</P><P>&nbsp;</P><P>Looks like the DNS reply packet is sent twice on the egress interface from the gateway, but is never visible in a tcpdump on the DNS server itself.</P> Thu, 12 Mar 2020 02:07:54 GMT https://community.checkpoint.com/t5/General-Topics/cluster-xl-80-40-trouble-with-external-dns-querys/m-p/78040#M15890 chris_denham 2020-03-12T02:07:54Z https://community.checkpoint.com/t5/General-Topics/cluster-xl-80-40-trouble-with-external-dns-querys/m-p/78041#M15891 <P>Also managed to get this working by enabling the IPS blade (previously had firewall + IA + Mobile access only).</P><P>&nbsp;</P><P>fwaccel conns now shows the inbound and outbound connections with the 'S' flag (PXL enabled).</P> Thu, 12 Mar 2020 03:07:32 GMT https://community.checkpoint.com/t5/General-Topics/cluster-xl-80-40-trouble-with-external-dns-querys/m-p/78041#M15891 chris_denham 2020-03-12T03:07:32Z https://community.checkpoint.com/t5/General-Topics/cluster-xl-80-40-trouble-with-external-dns-querys/m-p/79830#M16180 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/41747">@chris_denham</a>&nbsp;</P><P>works</P><P>but it's only a workaround.</P><P>any updates?</P><P>regards</P> Thu, 26 Mar 2020 15:57:39 GMT https://community.checkpoint.com/t5/General-Topics/cluster-xl-80-40-trouble-with-external-dns-querys/m-p/79830#M16180 Florian_Maier 2020-03-26T15:57:39Z