Jerry
Leader

Domain resolving error. Check DNS configuration on the gateway (0) - bug in R80.40?


sk120558 does not apply - just FYI

 

problem is as self-explained by the screenshot. please have a look.

it is all fresh R80.40 all-in-one dual-stack infrastructure.

error is just an ALERT not BLOCK/DROP/DENY - just so you know 🙂

 

see the screen and tell me if you find any clues as I'm struggling to find any

 

1. DNS resolution works on v4 /both = fwd/rev

2. DNS resolution works on v6 /rev only! wonder why ...

ps. resolution from the gateway nslookup'ing or dig'ing - dig resolves ALL - nslookup resolves v6 only REV not FWD queries!

 

I think I found the bug chaps! see my screenshot.

error-alert.jpg

Cheers

Jerry
0 Kudos
Reply
38 Replies
Jerry
Leader

and 2 records to be specific @Ilya_Yusupov 2.png1.png

Jerry
0 Kudos
Reply
Jerry
Leader

hi guys

 

just to give you an update on the case:

 

1. please note that unless confirmed otherwise later on this week we have found the reasons and we're able to complete RCA 🙂

we found sort of intermittent solution for THESE issues on Alerts with Domain DNS errors.

 

[Expert@cp:0]# cpwd_admin list | grep wsdnsd
WSDNSD 12288 E 1 [14:01:13] 16/6/2020 Y wsdnsd

above process (when dns server changes occur on gaia (clish/webui)) is not restarting itself but preserves old configuration before "save config". this process needs to be killed with kill -9 so it can re-start and start using new settings - then Alerts are gone until you reboot the entire appliance / vm / gaia device.

I'm yet to confirm that when rebooting my core R80.40 lab device but if reboot brings "no Alerts" in logs then off we go we do know where is the issue.

 

the responsible block is called WSDNSD (Daemon), which holds configuration, and only cpstop/cpstart/cprestart or reboot restarts its configuration (clish>show configuration dns).

I'm on investigation still but it all looks promising, hope you get my point and make your own tests in your labs confirming what we found yesterday

 

thanks to @iliyam and @mickey for their time and heads-up - R&D folks ROCK! as always - pleasure is all mine 🙂

 

Will update you with any new development should reboot of the gaia change WSDNSD process stance, but so far so good and no new log Alert entries are produced and issues on the latest R80.40 gaia (either StandAlone or SG distributed - just tested today).

 

Cheers!

Jerry
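
An added example, not part of the original post or of Check Point's tooling: a shell check for the condition described above, where WSDNSD keeps running with the settings it had before the DNS servers were changed. It parses the `cpwd_admin list` line format shown in the post and compares the daemon's start time with the time of the last DNS change; the function names, the sample line and the use of /etc/resolv.conf as the change marker are assumptions.

```shell
#!/bin/sh
# Added example: flag a WSDNSD that started before the DNS config last changed.
# Constructed sample: the `cpwd_admin list` line format shown in the post above.
SAMPLE_CPWD='WSDNSD 12288 E 1 [14:01:13] 16/6/2020 Y wsdnsd'

# Read `cpwd_admin list` text on stdin; print the start time of app $1 as epoch.
# Assumes the columns seen above: APP PID STAT #START [HH:MM:SS] D/M/YYYY MON CMD
cpwd_start_epoch() {
    cse_stamp=$(awk -v app="$1" '$1 == app {
        t = substr($5, 2, length($5) - 2)     # [14:01:13] -> 14:01:13
        split($6, d, "/")                     # 16/6/2020  -> d[1]=16 d[2]=6 d[3]=2020
        printf "%04d-%02d-%02d %s\n", d[3], d[2], d[1], t
        exit
    }')
    [ -n "$cse_stamp" ] || return 1           # app not in the watchdog list
    date -d "$cse_stamp" +%s                  # GNU date, local time zone
}

# $1 = `cpwd_admin list` text, $2 = epoch of the last DNS configuration change.
# Prints stale / current / not-running; returns 1 / 0 / 2.
check_wsdnsd() {
    cw_start=$(printf '%s\n' "$1" | cpwd_start_epoch WSDNSD) || {
        echo "not-running"; return 2; }
    if [ "$cw_start" -lt "$2" ]; then
        echo "stale"; return 1
    fi
    echo "current"
}

# On a gateway (assumption: DNS servers set in Gaia end up in /etc/resolv.conf):
#   check_wsdnsd "$(cpwd_admin list)" "$(stat -c %Y /etc/resolv.conf)"
# Offline demo with a constructed change time one hour after the daemon start:
check_wsdnsd "$SAMPLE_CPWD" "$(date -d '2020-06-16 15:01:13' +%s)" || true
```

A "stale" result corresponds to the state described in the post, in which the daemon has not been restarted since the DNS settings changed.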
Per_Arnbo
Explorer

Thanks, that kill -9 wsdnsd just worked for me, we had the issue after having an issue with one of the SG 5900 models in our Cluster (we run 80.20. Take 87)

0 Kudos
Reply
G_W_Albrecht
Champion

In my case, it is suggested that the above error is only a follow-up error for the likes of:

Firewall  -  Protocol violation detected with protocol:(RTP), matched protocol sig_id:(1), violation sig_id:(10). (500)

Firewall  -  Protocol violation detected with protocol:(DNS-UDP), matched protocol sig_id:(16), violation sig_id:(17). (500)

Can you find these, too?

0 Kudos
Reply
Jerry
Leader
as far as I can see I do not have "Protocol violation detected" error just Alerts about DNS Configuration problem on SG - which apparently isn't the case to some extent as if I do fwd-dns or rev-dns resolutions they work just fine, except that gaia 3.10 is unable to resolve ipv6 rev-dns once your DNS server is dual-stack, what it means is that your Win2019 DNS server being configured with zones and sub-domains on ipv4 and ipv6 separately so that Gaia is not accurately resolving names from that type of DNS setup. For example, when I ask gaia by dig:

dig google.com

I have a result of:

[Expert@cp13k:0]# dig google.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.11.cp994000013 <<>> google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20307
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 273 IN A 216.58.213.110

;; Query time: 29 msec
;; SERVER: a.b.c.d#53(a.b.c.d)
;; WHEN: Tue Jun 9 15:03:59 2020
;; MSG SIZE rcvd: 44

*** where a.b.c.d is the IPv4 address of my Win2019 DC DNS server ***

but if I do ask by dig as following:

[Expert@cp13k:0]# dig google.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.11.cp994000013 <<>> google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35792
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 104 IN A 216.58.213.110

;; Query time: 1 msec
;; SERVER: a.b.c.d::5#53(a.b.c.d::5)
;; WHEN: Tue Jun 9 15:06:48 2020
;; MSG SIZE rcvd: 44

*** where a.b.c.d::5 is the IPv6 address of my Win2019 DC DNS server ***

--- summary ---

where your infra is dual-stack (v4/v6) also with DNS resolutions your problems mount 🙂 especially when your IPv6 is only INTERNAL and does not resolve INTERNET based IPv6 Public IP addresses as your ISP is yet fully IPv4 only.

Cheers

Jerry
0 Kudos
Reply
SaffaRamma
Participant

Was there ever any solution to this? I am experiencing EXACTLY the same issue after an upgrade to R80.40 from R80.30!

0 Kudos
Reply
Jerry
Leader

well, afaik R81 JHF 10 fixes it all 🙂 

Jerry
0 Kudos
Reply
Ilya_Yusupov
Employee

Hi,

If you still have an issue can you please share fw ctl affinity -l -r -v output?

0 Kudos
Reply
SaffaRamma
Participant

Hi Ilya,

As per the below - this is the output of the R80.40 gateway

 

CPU 0:
CPU 1:
CPU 2: fw_27
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 3: fw_25
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 4: fw_23
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 5: fw_21
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 6: fw_19
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 7: fw_17
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 8: fw_15
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 9: fw_13
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 10: fw_11
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 11: fw_9
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 12: fw_7
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 13: fw_5
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 14: fw_3
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 15: fw_1
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 16:
CPU 17:
CPU 18: fw_26
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 19: fw_24
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 20: fw_22
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 21: fw_20
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 22: fw_18
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 23: fw_16
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 24: fw_14
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 25: fw_12
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 26: fw_10
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 27: fw_8
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 28: fw_6
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 29: fw_4
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 30: fw_2
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
CPU 31: fw_0
in.asessiond in.geod topod lpd rtmd vpnd wsdnsd mpdaemon pepd pdpd fwd cpd cprid
All:
Interface Sync: has multi queue enabled
Interface eth2-01: has multi queue enabled
Interface eth2-02: has multi queue enabled
Interface eth1-01: has multi queue enabled
Interface eth1-02: has multi queue enabled
Interface eth1-03: has multi queue enabled
Interface eth1-04: has multi queue enabled

0 Kudos
Reply