This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2022-06-14 06:46 AM
Jump to solution

VPN / Mac Monterey OS access by fqdn

Hey guys,

I know the percentage of people using Mac machines in their corporate environment is not that large, but hope to confirm if someone may had encountered the same issue. We had a case with TAC on this and it appears that for users who have monterey OS, when they connect with VPN client, either regular or harmony endpoint, they can access anything by IP address, but not fqdn (so say server resolved to abcd and IP is 10.11.12.13, they can access it by IP, but NOT fqdn).

If they do this on Catalina OS, then works fine. To me, that clearly indicates OS problem, but could not find an official statement on CP website about this. If anyone had similar issue, can you please let me know.

Thanks as always!

0 Kudos
32 Replies
RuiRibeiro
Contributor
Thursday
In response to the_rock
Jump to solution

@the_rock wrote:

Same behavior on E88.30?

Sorry, was not explicit. With E88.30, I am getting "No response from gateway for 1st packet", only E88.00 is working as supposed.

0 Kudos
the_rock
Legend
Legend
Thursday
In response to RuiRibeiro
Jump to solution

Check below, but I would also do some basic vpn debugs.

Andy

https://community.checkpoint.com/t5/Remote-Access-VPN/Remote-Access-VPN-No-response-from-gateway-for...

0 Kudos
the_rock
Legend
Legend
‎2023-03-17 07:21 AM
Jump to solution

Hey guys,

Sorry to update this threat few months later, but in case anyone else has this problem, we had a case with TAC escalations team and once they discussed the issue with R&D, this was their response (customer removed 8.8.8.8 dns server from the list (this is under gateway object in dashboard -> vpn clients -> office mode -> optional parameters). Customer had 3 servers there, 2 internal and then secondary backup as 8.8.8.8

R&D statement (which makes total sense). Also, just as a side note, you can leave google dns in web UI in dns list (hosts and dns)

**************************************

Here is RnD's statement:

You shouldn't mix internal and external DNS servers, it's not a backup\fallback server, the OS (any OS) treats them as equal and you can't rely on your internal domains resolved through the 'right' server.You also don't have this server in the encryption domain so no reason for you to see these 8.8.8.8 DNS requests on your gateway. For another external fallback option the OS already has the DNS server configured on the physical interface so again, no point in having this one configured on the tunnel.In iOS 16 Apple made some changes to prefer encrypted DNS when available and as 8.8.8.8 supports DoH/DoT it prefers to resolve addresses using this server.In addition, in what clearly seems like an iOS bug, even if you have this server in the encryption domain they contact this DoH-supporting DNS server outside the VPN tunnel (it is encrypted DNS but still, it means internal resources will fail to resolve).TL:DR

Adding 8.8.8.8 never actually did anything for you and in iOS 16 this just breaks things so it is simply recommended to remove it.

*******************************************************

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events