dkurochkin
Participant

delay between dns requests

task:

migrate from HA cluster to maestro cluster

so, as you might guess, there are two clusters
HA cluster and maestro cluster (80.20 SP)

they have the same configuration

we have a Microsoft AD server with the DNS server role

when this server is connected to the HA cluster -> it works very well

if I connect it to the maestro cluster, then the problem starts

very long delays between requests to the NS servers,
which is an obstacle to commissioning the maestro cluster

L4 distribution disabled
but that doesn't solve the problem

look at the screenshot
delay 1.7 seconds !!!!


%%%%%%%%%%%%%

nslookup command:


cpanel.net
Server: UnKnown
Address: ::1

------------
Got answer:
HEADER:
opcode = QUERY, id = 86, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
cpanel.net.NOTARIAT.CORP, type = A, class = IN
AUTHORITY RECORDS:
-> notariat.corp
ttl = 1800 (30 mins)
primary name server = dlg-core-dc00.notariat.corp
responsible mail addr = hostmaster.notariat.corp
serial = 23397
refresh = 120 (2 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 1800 (30 mins)

------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 87, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
cpanel.net.NOTARIAT.CORP, type = AAAA, class = IN
AUTHORITY RECORDS:
-> notariat.corp
ttl = 1800 (30 mins)
primary name server = dlg-core-dc00.notariat.corp
responsible mail addr = hostmaster.notariat.corp
serial = 23397
refresh = 120 (2 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 1800 (30 mins)

------------
DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
*** Request to UnKnown timed-out
>


so, why ???

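As an added example (not code from the thread or from Check Point), the following Python script times the same A and AAAA queries that nslookup sends, one query at a time, against a resolver given on the command line, so a delay like the 1.7 seconds in the trace above can be tied to one specific query instead of the whole nslookup run. It assumes the resolver answers on UDP port 53; the resolver address `::1` and the query names are taken from the trace.

```python
import socket
import struct
import time

# Added diagnostic (not from the thread): time each DNS query on its own, so a delay
# like the 1.7 s gap / 2 s timeouts in the nslookup trace can be tied to one query.
QTYPES = {"A": 1, "AAAA": 28}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qtype, qid):
    """Encode a standard recursive DNS query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)  # class IN

def parse_header(resp):
    """Return (id, rcode name, answer count, authority count) of a response."""
    qid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0xF
    return qid, RCODES.get(rcode, "RCODE%d" % rcode), an, ns

def time_query(server, name, qtype, qid=1, timeout=2.0):
    """Send one UDP query to `server` and measure elapsed ms (2 s timeout, like nslookup)."""
    sock = socket.socket(socket.AF_INET6 if ":" in server else socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, qtype, qid), (server, 53))
        resp, _ = sock.recvfrom(4096)
    except socket.timeout:
        return {"name": name, "qtype": qtype, "rcode": "TIMEOUT",
                "ms": round((time.monotonic() - start) * 1000)}
    finally:
        sock.close()
    _, rcode, an, ns = parse_header(resp)
    return {"name": name, "qtype": qtype, "rcode": rcode, "answers": an,
            "authority": ns, "ms": round((time.monotonic() - start) * 1000)}

if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "::1"  # resolver from the trace
    # Both legs seen in the trace: the suffix-appended name (answered locally by the
    # AD zone with NXDOMAIN) and the bare name (which must be forwarded upstream).
    qid = 86
    for name in ("cpanel.net.notariat.corp", "cpanel.net"):
        for qt in ("A", "AAAA"):
            qid += 1
            print(time_query(server, name, qt, qid))
```

Run it once with the AD server as the resolver and once with the upstream DNS server the SMO forwards to; if only the bare-name queries are slow, the delay is on the forwarded leg through the gateway.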
Chris_Atkinson
Employee

Can you please confirm the distribution settings used and the Jumbo level installed?

dkurochkin
Participant

yes, I can


SMO

cpinfo -y all

This is Check Point CPinfo Build 914000202 for GAIA
[IDA]
No hotfixes..

[MGMT]
No hotfixes..

[CPFC]
HOTFIX_R80_20SP_JHF_MAIN Take: 331

[FW1]
HOTFIX_R80_20SP_JHF_MAIN Take: 331

FW1 build number:
This is Check Point's software version R80.20SP - Build 191
kernel: R80.20SP - Build 186

[SecurePlatform]
HOTFIX_R80_20SP_JHF_MAIN Take: 331

[SMO]
HOTFIX_R80_20SP_JHF_MAIN Take: 331

[PPACK]
HOTFIX_R80_20SP_JHF_MAIN Take: 331

[CPinfo]
No hotfixes..

[DIAG]
No hotfixes..

[CVPN]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 331

[CPUpdates]
BUNDLE_INFRA_AUTOUPDATE Take: 55
BUNDLE_R80_20SP_JHF_MAIN Take: 331
BUNDLE_DEP_INSTALLER_AUTOUPDATE Take: 23
BUNDLE_HCP_AUTOUPDATE Take: 57

[CPDepInst]
No hotfixes..

[AutoUpdater]
No hotfixes..

[hcp_wrapper]
HOTFIX_HCP_AUTOUPDATE


MHO

80.20 SP take 22

Chris_Atkinson
Employee

There are some exceptions but I would expect the Jumbo to be similar on the MHO & SGMs.

To reiterate part of my previous question: how do your distribution settings compare to those mentioned in the thread linked below? Note that disabling L4 is only part of the equation.

https://community.checkpoint.com/t5/Maestro/Maestro-Distribution-Mode/td-p/97759 

Roman_Dario_Per
Employee

One question:

Do you know if the DNS is over L2? I mean, the firewall has 10.10.10.10 and the DNS has 10.10.10.2,

but the firewall is not the default gateway: 10.10.10.2 has 10.10.10.254 as its default gateway. If so, we are having asymmetric routing there. Fix the routing.

Also, you can uncheck the cluster synchronization for DNS in SmartConsole.

Review whether you have drops in zdebug.

dkurochkin
Participant

no ;(

schema:

win server (AD + DNS) -> SMO -> internet (external DNS server)

Chris_Atkinson
Employee

To clarify, what is the Win server using as its default route?

The traffic should traverse a Maestro data port and not Management to get to the internet per (sk179005).


dkurochkin
Participant

yes of course


def gw for win server is maestro

not management port

dkurochkin
Participant

any idea ?

Chris_Atkinson
Employee

Refer above, you've not confirmed the current distribution mode or MHO Jumbo?

Beyond this you will likely need to engage with TAC to troubleshoot the issue.

dkurochkin
Participant

current distribution mode or MHO Jumbo?

I wrote: MHO 80.20SP take 22

distribution mode - the default, user mode (?)

TAC collects debugs and shrugs ;(

Daniel_Szydelko
Collaborator

Which JHF Take? 22? Can you provide cpinfo -y all from the MHO as well?

The current GA is Take_332 and Ongoing is Take_334 for MHO-140/170 and SGMs running R80.20SP. Is there any reason to keep the MHO without the latest JHF Take? Please correct me if I'm wrong, but it isn't a good starting point to troubleshoot an environment when there isn't at least a near-latest JHF installed.

dkurochkin
Participant

[mho]#cpinfo -y all

This is Check Point CPinfo Build 914000182 for GAIA
[CPFC]
No hotfixes..

[IDA]
No hotfixes..

[MGMT]
No hotfixes..

[FW1]
No hotfixes..

FW1 build number:
This is Check Point's software version R80.20 - Build 255

[SecurePlatform]
HOTFIX_R80_20SP_MHO_JHF_MAIN

[PPACK]
No hotfixes..

[CPinfo]
No hotfixes..

[SMO]
HOTFIX_R80_20SP_JHF_MAIN

[CPUpdates]
BUNDLE_R80_20SP_JHF_MAIN_gogoKernel Take: 332

[rtm]
No hotfixes..

[Expert@dlg-mho-1:0]#

Chris_Atkinson
Employee

In the perimeter environment you should use auto-topology (default) and for an internal gateway general mode.

Again this aligns to the resolution of the other thread I linked earlier reporting similar symptoms.

dkurochkin
Participant

so, what can be the reason for such strange behaviour?

which way to look?

Daniel_Szydelko
Collaborator

Did you check whether any drops are present?:

g_fw ctl zdebug -t + drop

Did you check how traffic is going through the Security Group? (I suppose this is a single site, and the Security Group consists of two SGMs):

g_tcpdump -nni any host x.x.x.x