This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
sklotz
Participant
a month ago

Issue with DNS resolution in browser when connected via Checkpoint mobile client

Not sure if this is really a VPN and/or Checkpoint issue, but as of now it looks like with the following strange behavior.
When users are connected via VPN and browsing websites with internal DNS-names, the browser sometimes through the error message DNS hostname could not be resolved. Also ping the hostname is affected. Only a dedicated nslookup is working fine.
Our first idea/finding was that it might be related to a missing metric entry for the VPN-adapter, but setting this metric manually didn't change anything.
Then we tried to sniffer the DNS-queries on the Checkpoint FW (which terminates the VPN) and we see both the DNS-request as well as the response once we hit refresh in the browser. This means the client is sending the DNS-querie via the correct interface, but it looks like the client (browser or ping) doesn't react on the DNS response.
Do you have any further idea how to troubleshoot or analyze this issue? Or do you already know, what's the reason for this?
We are running on 81.10.
Thank you!

Regards,
Stefan

(1)
7 Replies
Arne_Boettger
Collaborator
4 weeks ago

Hello,

we are seeing a similar issue, but with Windows Clients connectiong to R81.20. A Wireshark on the VPN Client clearly shows DNS Queries and Responses, but the client still can not resolve the hostname.

Could it be a recent Windows Update?

Kind regards, Arne

(1)
sklotz
Participant
3 weeks ago
In response to Arne_Boettger

It might be related to IPv6, we disabled it now on the Checkpoint and WLAN adapter and since then no further issues.
I'm also checking with Checkpoint official support on that topic, but when I read sk182212, it might be the reason here.
I'll keep you updated.

Regards,
Stefan

0 Kudos
PhoneBoy
Admin
Admin
3 weeks ago
In response to sklotz

Yes, our Remote Access clients do not support IPv6 currently.

0 Kudos
Arne_Boettger
Collaborator
3 weeks ago
In response to sklotz

Hello,

I try not to see disabling IPv6 as a solution to anything, because eventually we want to disable IPv4. But it might be related to IPv6 connectivity on the non-VPN interfaces. I did not completely understand sk182212 - are the mentioned IPv6 features already in the generally available Endpoint Clients? 

kind regards, Arne

0 Kudos
PhoneBoy
Admin
Admin
3 weeks ago
In response to Arne_Boettger

Not as far as I know.
In any case, what's mentioned in sk182212 is support for clients in a NAT64 scenario.
The actual VPN is still IPv4 and doesn't support IPv6.

0 Kudos
sklotz
Participant
a week ago
In response to PhoneBoy

It seems we could identify to root cause and also found a confirmation with another FW-vendors knowledge base here.
It's a Windows related issue, if IPv6 is enabled on the interface (most likely the WLAN-adapter), where the VPN-tunnel is connected to. By default Windows performs a A and AAAA DNS-lookup simultaniously and prefers the AAAA response.
We will double check this in our environment, if the issue occurs again.
But as of now this sounds verify promising.
Thank you!

Regards,
Stefan

0 Kudos
PhoneBoy
Admin
Admin
a week ago
In response to sklotz

That seems like a plausible explanation for the issue.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events