K_montalvo
Contributor

Domain Object .smtp.office365.com Issue

Hello friends,

I'm experiencing a connection issue with the domain object .smtp.office365.com since last week. The situation is on a 5000 appliance running R80.30 standalone. We had not made any changes on the FW or internal network recently; troubleshooting was done from the endpoint, which is a printer with scan-to-email, but the error on screen is that it cannot contact the server. If I remove the domain object from the printer_to_O365 rule and use All Internet or Any, it works perfectly. In the logs I see that it passes using public IP addresses, but I want it to work with the domain object via DNS as always. In the logs using the domain object I get a drop matching the cleanup rule; however, the rule is permitted on top and has always been configured like that and working fine. I rebooted the Gateway yesterday and it did not work.

Is there any command to clear the DNS cache or troubleshoot this issue?


Also tried with different DNS servers, one private and the big search engine, but no success:

]# nslookup smtp.office365.com
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
smtp.office365.com canonical name = outlook.office365.com.
outlook.office365.com canonical name = outlook.ha.office365.com.
outlook.ha.office365.com canonical name = outlook.ms-acdc.office.com.
outlook.ms-acdc.office.com canonical name = LYH-efz.ms-acdc.office.com.
Name: LYH-efz.ms-acdc.office.com
Address: 52.96.29.82
Name: LYH-efz.ms-acdc.office.com
Address: 52.96.182.2
Name: LYH-efz.ms-acdc.office.com
Address: 52.96.28.178
Name: LYH-efz.ms-acdc.office.com
Address: 52.96.28.2

]#


[Expert]# nslookup smtp.office365.com
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
smtp.office365.com canonical name = outlook.office365.com.
outlook.office365.com canonical name = outlook.ha.office365.com.
outlook.ha.office365.com canonical name = outlook.ms-acdc.office.com.
outlook.ms-acdc.office.com canonical name = MNZ-efz.ms-acdc.office.com.
Name: MNZ-efz.ms-acdc.office.com
Address: 52.96.90.50
Name: MNZ-efz.ms-acdc.office.com
Address: 52.96.87.242
Name: MNZ-efz.ms-acdc.office.com
Address: 52.96.179.226
Name: MNZ-efz.ms-acdc.office.com
Address: 52.96.183.34

[Expert#


Thanks,

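The two nslookup runs above show the core of the problem: the private resolver and 8.8.8.8 return completely different A records for the same CNAME chain (LYH-efz vs. MNZ-efz). The script below is an added example, not code from the thread or from Check Point; it parses nslookup output of the kind quoted above, compares the address sets two resolvers hand out, and checks whether a destination IP taken from a drop log is one the client's resolver returned but the gateway's resolver never saw. It assumes (as a hypothesis about this deployment, not a documented Check Point behaviour) that the gateway matches the domain object against addresses it resolved itself, so any skew between the gateway's and the printer's resolver lets the connection fall through to the cleanup rule. The sample inputs are the outputs quoted in the post; the dropped destination is constructed.

```python
"""Added example: detect resolver skew behind a domain-object drop (not from the thread)."""
import re
from ipaddress import ip_address

# Constructed sample inputs: the two nslookup runs quoted in the post.
NSLOOKUP_PRIVATE = """\
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
smtp.office365.com canonical name = outlook.office365.com.
outlook.office365.com canonical name = outlook.ha.office365.com.
outlook.ha.office365.com canonical name = outlook.ms-acdc.office.com.
outlook.ms-acdc.office.com canonical name = LYH-efz.ms-acdc.office.com.
Name: LYH-efz.ms-acdc.office.com
Address: 52.96.29.82
Name: LYH-efz.ms-acdc.office.com
Address: 52.96.182.2
Name: LYH-efz.ms-acdc.office.com
Address: 52.96.28.178
Name: LYH-efz.ms-acdc.office.com
Address: 52.96.28.2
"""

NSLOOKUP_GOOGLE = """\
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
smtp.office365.com canonical name = outlook.office365.com.
outlook.office365.com canonical name = outlook.ha.office365.com.
outlook.ha.office365.com canonical name = outlook.ms-acdc.office.com.
outlook.ms-acdc.office.com canonical name = MNZ-efz.ms-acdc.office.com.
Name: MNZ-efz.ms-acdc.office.com
Address: 52.96.90.50
Name: MNZ-efz.ms-acdc.office.com
Address: 52.96.87.242
Name: MNZ-efz.ms-acdc.office.com
Address: 52.96.179.226
Name: MNZ-efz.ms-acdc.office.com
Address: 52.96.183.34
"""

CNAME_RE = re.compile(r"^(\S+)\s+canonical name\s*=\s*(\S+)$")
ADDR_RE = re.compile(r"^Address:\s*(\S+)$")


def parse_nslookup(text):
    """Return the resolver, the CNAME chain and the set of answer IPs from nslookup output."""
    resolver, chain, addresses, in_answer = None, [], set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Non-authoritative answer:"):
            in_answer = True          # everything after this is the answer section
            continue
        m = ADDR_RE.match(line)
        if m:
            if in_answer:
                addresses.add(str(ip_address(m.group(1))))   # validates the IP literal
            else:
                resolver = m.group(1).split("#")[0]          # "8.8.8.8#53" -> "8.8.8.8"
            continue
        m = CNAME_RE.match(line)
        if m:
            src, dst = m.group(1).rstrip("."), m.group(2).rstrip(".")
            if not chain:
                chain.append(src)
            chain.append(dst)
    return {"resolver": resolver, "cname_chain": chain, "addresses": addresses}


def compare_answers(a, b):
    """Split two answer sets into shared addresses and those only one resolver returned."""
    return {"common": a["addresses"] & b["addresses"],
            "only_a": a["addresses"] - b["addresses"],
            "only_b": b["addresses"] - a["addresses"]}


def drop_explained_by_resolver_skew(dropped_dst, gateway_answer, client_answer):
    """True when the logged destination came from the client's resolver but never from the
    gateway's, i.e. the gateway could not have learned it for the domain object (assumption)."""
    dst = str(ip_address(dropped_dst))
    return dst in client_answer["addresses"] and dst not in gateway_answer["addresses"]


PRIVATE = parse_nslookup(NSLOOKUP_PRIVATE)
GOOGLE = parse_nslookup(NSLOOKUP_GOOGLE)

if __name__ == "__main__":
    diff = compare_answers(PRIVATE, GOOGLE)
    print("chain ends:", PRIVATE["cname_chain"][-1], "vs", GOOGLE["cname_chain"][-1])
    print("shared addresses:", diff["common"] or "none")
    # Constructed drop-log destination, as the printer (using 192.168.1.1) would see it
    # while the gateway resolved through 8.8.8.8.
    print("skew explains drop of 52.96.29.82:",
          drop_explained_by_resolver_skew("52.96.29.82", GOOGLE, PRIVATE))
```

Running it shows the two resolvers share no addresses at all, so a printer and a gateway pointed at different resolvers can never agree on what smtp.office365.com is; feeding both sides' real nslookup output and the dropped destination from the log confirms or rules out this cause before escalating.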
8 Replies
PhoneBoy
Admin

K_montalvo
Contributor

@PhoneBoy I completed the configuration as in sk157493, but it did not work yet. Is there a command I can use to reset the DNS cache without rebooting the Gateway?


[Expert@# fw tab -t dns_reverse_cache_tbl
localhost:
-------- dns_reverse_cache_tbl --------
dynamic, id 169, num ents 0, load factor 0.0, attributes: keep, expires 1, , has hsize 512, limit 50000

[Expert@]#

PhoneBoy
Admin

If that was your output of fw tab -t dns_reverse_cache_tbl, then there are no entries in it; otherwise it would list entries in that table.

Here's a couple things I suggest before opening a TAC case if you haven't already:


K_montalvo
Contributor

Good morning @PhoneBoy, thanks for your support and fast response. I verified that the WSDNSD service is running. Is there a command to clear the DNS cache from the security gateway CLI?

[Expert@]# cpwd_admin list | grep WSDNSD
WSDNSD 14061 E 1 [17:59:14] 18/8/2021 Y wsdnsd
[Expert@0]#

mcatanzaro
Employee

Were you able to use domains_tool against the domain in the object and the dropped IP address/addresses in the logs? That tool is very helpful for gaining insight into issues with domain objects.

K_montalvo
Contributor

Hello @mcatanzaro, I've been trying with domains_tool (sk161632) without success.

When I tried to see a list of all domains that belong to the Updatable Object 'smtp.office35.com' when it is used in the policy, with the following command:

domains_tool -uo "smtp.office35.com"

I get this output:

[Expert@]# domains_tool -uo "smtp.office35.com"
The updatable object smtp.office35.com not found
]#


Also for system troubleshooting i get the below output:

Expert@]# domains_tool -report
ERROR: wrong number of arguments
[Expert@]#


Could you or anyone guide me on what I'm missing? Any other recommendations are welcome.

Many thanks!

K_montalvo
Contributor

I've been reading about this and it seems it's an old issue, and I can't find a solution yet. It seems that Domain Objects should only be used when they resolve to one IP address and not multiple IPs. Is there any other object I should use for multiple IPs to try to resolve this issue?

PhoneBoy
Admin

It should work if the DNS resolves to multiple IPs.
Sounds like you should get the TAC involved if you haven't already.
