task:
migrate from HA cluster to maestro cluster
so, as you might guess, there are two clusters
HA cluster and maestro cluster (80.20 SP)
they have the same configuration
have Microsoft AD server with dns server role
when this server is connected to the HA cluster -> works very well
if I connect it to the maestro cluster, then the problem starts
very long delays between requests to the NS servers
which is an obstacle to the commissioning of the maestro cluster
L4 distribution disabled
but that doesn't solve the problem
look at screen
delay of 1.7 seconds !!!!
%%%%%%%%%%%%%
nslookup command:
cpanel.net
Server: UnKnown
Address: ::1
------------
Got answer:
HEADER:
opcode = QUERY, id = 86, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
cpanel.net.NOTARIAT.CORP, type = A, class = IN
AUTHORITY RECORDS:
-> notariat.corp
ttl = 1800 (30 mins)
primary name server = dlg-core-dc00.notariat.corp
responsible mail addr = hostmaster.notariat.corp
serial = 23397
refresh = 120 (2 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 1800 (30 mins)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 87, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
cpanel.net.NOTARIAT.CORP, type = AAAA, class = IN
AUTHORITY RECORDS:
-> notariat.corp
ttl = 1800 (30 mins)
primary name server = dlg-core-dc00.notariat.corp
responsible mail addr = hostmaster.notariat.corp
serial = 23397
refresh = 120 (2 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 1800 (30 mins)
------------
DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
*** Request to UnKnown timed-out
so, why ???
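A way to quantify the delay shown in the nslookup output above, added here as an example rather than anything from the thread: a stdlib-only probe that sends one A or AAAA query over UDP, measures the round-trip time, parses the response header (rcode, AA/RA flags, section counts) and reports a timeout as a result instead of an exception. Running it from a host behind the HA cluster and again from a host behind the Maestro Security Group gives a per-query latency comparison, which is what TAC will want alongside the zdebug and tcpdump output. The resolver address 127.0.0.1 in the usage section is a placeholder; the constructed NXDOMAIN response used in the test mirrors the header fields printed by nslookup (authoritative answer, one authority record, no answers).

```python
"""Added example (not from the CheckMates thread): measure DNS query latency
with a stdlib-only UDP probe, so a delay such as the 1.7 s seen above and the
2 s timeouts can be recorded per query type and per resolver."""
import socket
import struct
import time

# rcode values from RFC 1035 section 4.1.1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "AAAA": 28}


def build_query(name: str, qtype: str, txid: int) -> bytes:
    """Build a single-question DNS query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)


def parse_response(data: bytes, expected_txid: int) -> dict:
    """Return the header fields of a DNS response: rcode name, flags, section counts."""
    if len(data) < 12:
        raise ValueError("response shorter than DNS header")
    txid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError(f"transaction id mismatch: {txid} != {expected_txid}")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    rcode = flags & 0x000F
    return {
        "rcode": RCODES.get(rcode, str(rcode)),
        "authoritative": bool(flags & 0x0400),
        "recursion_available": bool(flags & 0x0080),
        "answers": an,
        "authority": ns,
        "additional": ar,
    }


def probe(server: str, name: str, qtype: str,
          timeout: float = 2.0, txid: int = 0x1234) -> dict:
    """Send one query over UDP and return the parsed header plus the RTT in ms.
    A timeout is reported as rcode "TIMEOUT" rather than raised, so a batch of
    probes can be summarised in one table (same 2 s default as nslookup)."""
    query = build_query(name, qtype, txid)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"name": name, "qtype": qtype, "rcode": "TIMEOUT",
                    "rtt_ms": round((time.monotonic() - start) * 1000, 1)}
        rtt_ms = round((time.monotonic() - start) * 1000, 1)
    result = parse_response(data, txid)
    result.update({"name": name, "qtype": qtype, "rtt_ms": rtt_ms})
    return result


def slow_queries(results: list, threshold_ms: float = 500.0) -> list:
    """Keep the probe results that timed out or exceeded the latency threshold."""
    return [r for r in results
            if r["rcode"] == "TIMEOUT" or r["rtt_ms"] > threshold_ms]


if __name__ == "__main__":
    # 127.0.0.1 is a placeholder for the internal AD/DNS server address.
    results = [probe("127.0.0.1", "cpanel.net", qtype) for qtype in ("A", "AAAA")]
    for r in results:
        print(r)
    print("slow:", slow_queries(results))
```

Run the same script from a client behind each cluster and compare the `rtt_ms` column; a consistent gap for the Maestro path, or timeouts only on the AAAA query, narrows the problem to how that specific flow is distributed across the SGMs rather than to the DNS server itself.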
Can you please confirm the distribution settings used and the Jumbo level installed?
yes, i can
SMO
cpinfo -y all
This is Check Point CPinfo Build 914000202 for GAIA
[IDA]
No hotfixes..
[MGMT]
No hotfixes..
[CPFC]
HOTFIX_R80_20SP_JHF_MAIN Take: 331
[FW1]
HOTFIX_R80_20SP_JHF_MAIN Take: 331
FW1 build number:
This is Check Point's software version R80.20SP - Build 191
kernel: R80.20SP - Build 186
[SecurePlatform]
HOTFIX_R80_20SP_JHF_MAIN Take: 331
[SMO]
HOTFIX_R80_20SP_JHF_MAIN Take: 331
[PPACK]
HOTFIX_R80_20SP_JHF_MAIN Take: 331
[CPinfo]
No hotfixes..
[DIAG]
No hotfixes..
[CVPN]
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 331
[CPUpdates]
BUNDLE_INFRA_AUTOUPDATE Take: 55
BUNDLE_R80_20SP_JHF_MAIN Take: 331
BUNDLE_DEP_INSTALLER_AUTOUPDATE Take: 23
BUNDLE_HCP_AUTOUPDATE Take: 57
[CPDepInst]
No hotfixes..
[AutoUpdater]
No hotfixes..
[hcp_wrapper]
HOTFIX_HCP_AUTOUPDATE
MHO
80.20 SP take 22
There are some exceptions but I would expect the Jumbo to be similar on the MHO & SGMs.
To reiterate part of my previous question: how do your distribution settings compare to those mentioned in the thread linked below? Note that disabling L4 is only part of the equation.
https://community.checkpoint.com/t5/Maestro/Maestro-Distribution-Mode/td-p/97759
One question
Do you know if the DNS is over L2? I mean, the firewall has 10.10.10.10 and the DNS has 10.10.10.2,
but the firewall is not the default gateway: 10.10.10.2 has 10.10.10.254 as its default gateway. If so, we are having asymmetric routing there. Fix the routing.
Also you can uncheck the cluster synchronization for DNS in SmartConsole.
Review if you have drops in zdebug.
no ;(
schema:
win server (AD + DNS) -> SMO -> internet (external DNS server)
To clarify, what is the Win server using as its default route?
The traffic should traverse a Maestro data port and not Management to get to the internet per (sk179005).
yes of course
def gw for win server is maestro
not management port
any idea ?
Refer above; you've not confirmed the current distribution mode or MHO Jumbo.
Beyond this you will likely need to engage with TAC to troubleshoot the issue.
current distribution mode or MHO Jumbo?
I wrote: MHO 80.20SP take 22
distribution mode - for default, user mode (?)
TAC collects debugs and shrugs ;(
Which JHF Take? 22? Can you provide cpinfo -y all as well from MHO?
The current GA is Take_332 and Ongoing is Take_334 for MHO-140/170 and SGMs running R80.20SP. Is there any reason to keep the MHO without the latest JHF Take? Please correct me if I'm wrong, but it isn't a good starting point to troubleshoot an environment when the latest (or almost the latest) JHF isn't installed.
[mho]#cpinfo -y all
This is Check Point CPinfo Build 914000182 for GAIA
[CPFC]
No hotfixes..
[IDA]
No hotfixes..
[MGMT]
No hotfixes..
[FW1]
No hotfixes..
FW1 build number:
This is Check Point's software version R80.20 - Build 255
[SecurePlatform]
HOTFIX_R80_20SP_MHO_JHF_MAIN
[PPACK]
No hotfixes..
[CPinfo]
No hotfixes..
[SMO]
HOTFIX_R80_20SP_JHF_MAIN
[CPUpdates]
BUNDLE_R80_20SP_JHF_MAIN_gogoKernel Take: 332
[rtm]
No hotfixes..
[Expert@dlg-mho-1:0]#
In the perimeter environment you should use auto-topology (default) and for an internal gateway general mode.
Again this aligns to the resolution of the other thread I linked earlier reporting similar symptoms.
so, what can be the reason for such strange behaviour?
which way to look?
Did you check any drops are available?:
g_fw ctl zdebug -t + drop
Did you check how traffic is going through the Security Group? (I suppose this is a single site, and the Security Group consists of two SGMs):
g_tcpdump -nni any host x.x.x.x