Hey @PhoneBoy ...thanks for feedback. So do you think this could be some fw setting issue or something missing on mac itself? WE added dns suffix on gateway vpn optional parameters as CPiOSDefaultDNS besides actual dns suffix, but that did not change the behavior.

Any idea?  Are you able to access internal resources when connected via vpn by fqdn?

Same, been using EndPoint Security in Monterey for 7+ Months and not having big issues. Seems far more stable than in Windows. The only issue is sometimes after sleeping with the VPN open, upon opening the lid, I have the local DNSes and not the VPN provided DNSes.

If i had to guess, seems more a case of DNS setup/lack of routing, or issues between full and split VPN.

what dns servers/dns suffixes are you using in dashboard/web ui/mac settings? We tried so many options and no luck. Its a split vpn by the way. Funny thing is say if I try from my home macbook air to access AD servers by name, it fails, but works for another server. I believe customer has users that have random issues like that too. I dont know if its related to IA agent, but seems even when iA agent is connected, its not any better.

I'm accessing internal resources via FQDN.
I assume the issue is a configuration issue somewhere (not able to reach the configured DNS server). 

I dont get it...when Im vpn-ed in, I can ping both dns servers fine, no issues. So, not sure if its gateway related or something else.

Have you done a tcpdump from the gateway when the Mac is trying to do a DNS lookup?
Possible the packets are getting dropped somewhere, but that seems a logical place to start looking.

will do...one question though. Do you think that the fact customer used split tunnel could be an issue? I dont see how, since all this works fine on windows, just NOT mac

If the customer is subverting/deleting the default VPN gateway to have a split tunnel, specific routes for the DNS servers networks might have to be created (and who knows what else more)

Im sure if routing was the issue, then this would never work on windows machines either, agree?

Split tunnel in use here, so doubt that.

Full and split here. The point if not being or not possible, is people creating the needed routes/knowing what they are doing.

But it seems odd Windows doing it and Mac not indeed if both are doing split routing.

Beware DoH in Windows 10/11/2022.

Does the client have Private Relay enabled? That sends all DNS traffic via Apple's relay system to public DNS servers. I could definitely see it causing weird behavior like this for names which can only be resolved inside a company's network.

I read online about it, let me test myself from personal macbook and will update! tx @Bob_Zimmerman 

I dont think that is it sadly...I dont even have that on and its same issue.

Did tcpdump and fw monitor, exact SAME output when I test windows or mac. I really dont understand this...makes no logical sense to me.

If I do nslookup on macbook, comes back fine, resolves to right IP/name, so thats not the problem. I asked engineer in TAC I was working with to consult with endpoint team about this, since its 100% clear now it could be version of the client used, as customer told me that some older versions work, but not newer ones. Apple senior adviser is also absolutely right,if access by fqdn works when off VPN (which it does), then its not Monterey OS issue and I agree with him.

When you use nslookup, does it show it's asking the internal DNS server which is only accessible over the VPN?

If that works without specifying a server manually, that means the VPN client is properly telling the system about the new DNS server. That in turn suggests it may be an issue with the client application. Some client software (in particular, Chrome) does its own DNS lookups without involving the system's resolver.

Its not...internal dns server is not accessible only via vpn. I will take it further with TAC. Thanks guys for all your inputs.

I am using E88 and still losing VPN DNS servers after the machine going to screen saver while connected to VPN.

I am using now a workaround where I define private DNS servers for our internal domains at /etc/resolver and it works like a charm.

ruiribeiro@Ruis-MBP-2 resolver % cat xx.pxlocal
domain xx.pxlocal
nameserver 10.1.1.1

nameserver 10.1.1.2
search_order 1
timeout 10

Hey,

I see this post was from while back, apologies, did not deal with this in some time. You are saying even with newest EPS client you have the issue? Is it standalone VPN client or EDR?

Andy

---

@the_rock wrote:

Hey,

You are saying even with newest EPS client you have the issue? Is it standalone VPN client or EDR?

Andy

---

It is a standalone VPN client.

Might be worth TAC case then.

Did you try E88.30? https://support.checkpoint.com/results/sk/sk182110 

E88.30 seems to not work for me for now, had to go back to E88.00.

---

@PhoneBoy wrote:

Did you try E88.30? https://support.checkpoint.com/results/sk/sk182110 

---

Same behavior on E88.30?