Hello friends,
I'm experiencing a connection issue with domain object .smtp.office365.com since last week. The situation is on a 5000 appliance running R80.30 standalone. We have not made any changes on the FW or internal network recently. Troubleshooting was done from the endpoint, which is a printer with scan to email, but the error on screen is that it cannot contact the server. If I remove the domain object from the printer_to_O365 rule and use All Internet or Any, it works perfectly. In the logs I see that it passes using public IP addresses, but I want it to work with the domain object via DNS as always. In the logs, using the domain object, I get a drop matching the cleanup rule; however, the rule is permitted on top and has always been configured like that and working fine. I executed a reboot of the Gateway yesterday and it did not work.
Is there any command to clear the DNS cache or troubleshoot this issue?
I also tried with different DNS servers, one private and the big search engine, but no success:
]# nslookup smtp.office365.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
smtp.office365.com canonical name = outlook.office365.com.
outlook.office365.com canonical name = outlook.ha.office365.com.
outlook.ha.office365.com canonical name = outlook.ms-acdc.office.com.
outlook.ms-acdc.office.com canonical name = LYH-efz.ms-acdc.office.com.
Name: LYH-efz.ms-acdc.office.com
Address: 52.96.29.82
Name: LYH-efz.ms-acdc.office.com
Address: 52.96.182.2
Name: LYH-efz.ms-acdc.office.com
Address: 52.96.28.178
Name: LYH-efz.ms-acdc.office.com
Address: 52.96.28.2
]#
[Expert]# nslookup smtp.office365.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
smtp.office365.com canonical name = outlook.office365.com.
outlook.office365.com canonical name = outlook.ha.office365.com.
outlook.ha.office365.com canonical name = outlook.ms-acdc.office.com.
outlook.ms-acdc.office.com canonical name = MNZ-efz.ms-acdc.office.com.
Name: MNZ-efz.ms-acdc.office.com
Address: 52.96.90.50
Name: MNZ-efz.ms-acdc.office.com
Address: 52.96.87.242
Name: MNZ-efz.ms-acdc.office.com
Address: 52.96.179.226
Name: MNZ-efz.ms-acdc.office.com
Address: 52.96.183.34
[Expert#
Thanks,
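Added example, not part of the original thread: it parses the two `nslookup` answers quoted in the post above (CNAME chain abridged) and shows that the two resolvers return non-overlapping address sets for the same name, which is the thing to check against the destination IP in a drop log. The function names are my own, and the parser assumes the Linux `nslookup` layout shown in the post.

```python
import ipaddress
# Constructed input: the two nslookup answers from the post above, CNAME chain abridged.
VIA_PRIVATE = """Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
outlook.ms-acdc.office.com canonical name = LYH-efz.ms-acdc.office.com.
Name: LYH-efz.ms-acdc.office.com
Address: 52.96.29.82
Name: LYH-efz.ms-acdc.office.com
Address: 52.96.182.2
Name: LYH-efz.ms-acdc.office.com
Address: 52.96.28.178
Name: LYH-efz.ms-acdc.office.com
Address: 52.96.28.2
"""
VIA_PUBLIC = """Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
outlook.ms-acdc.office.com canonical name = MNZ-efz.ms-acdc.office.com.
Name: MNZ-efz.ms-acdc.office.com
Address: 52.96.90.50
Name: MNZ-efz.ms-acdc.office.com
Address: 52.96.87.242
Name: MNZ-efz.ms-acdc.office.com
Address: 52.96.179.226
Name: MNZ-efz.ms-acdc.office.com
Address: 52.96.183.34
"""

def parse_nslookup(text):
    """Return (resolver, last CNAME target, set of answer addresses)."""
    resolver, target, addrs, in_answer = None, None, set(), False
    for line in map(str.strip, text.splitlines()):
        if line.lower().endswith("answer:"):
            in_answer = True  # an Address line before this is the resolver's own
        elif line.startswith("Server:"):
            resolver = line.split(":", 1)[1].strip()
        elif " canonical name = " in line:
            target = line.split(" = ", 1)[1].rstrip(".")
        elif in_answer and line.startswith("Address:"):
            addrs.add(ipaddress.ip_address(line.split(":", 1)[1].strip()))
    return resolver, target, addrs

def resolvers_covering(dest, *outputs):
    """Resolvers whose answer set contains dest, e.g. a dropped destination from the logs."""
    dest = ipaddress.ip_address(dest)
    return [r for r, _, addrs in map(parse_nslookup, outputs) if dest in addrs]

def shared_addresses(a, b):
    """Addresses that both resolver answers have in common."""
    return parse_nslookup(a)[2] & parse_nslookup(b)[2]
```

`shared_addresses(VIA_PRIVATE, VIA_PUBLIC)` is empty for the answers in the post; passing the destination from a drop log entry to `resolvers_covering` shows which resolver, if either, handed out that address.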
You may also want to leverage (not necessarily to solve the issue at hand): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
@PhoneBoy I completed the configuration as in sk157493 but it did not work yet. Is there a command I can use to reset the DNS cache without rebooting the Gateway?
[Expert@# fw tab -t dns_reverse_cache_tbl
localhost:
-------- dns_reverse_cache_tbl --------
dynamic, id 169, num ents 0, load factor 0.0, attributes: keep, expires 1, , has hsize 512, limit 50000
[Expert@]#
If that was your output of fw tab -t dns_reverse_cache_tbl, then there are no entries in it, otherwise it would list entries in that table.
Here's a couple things I suggest before opening a TAC case if you haven't already:
Good morning @PhoneBoy, thanks for your support and fast response. I verified and the WSDNSD service is running. Is there a command to clear the DNS cache from the security gateway CLI?
[Expert@]# cpwd_admin list | grep WSDNSD
WSDNSD 14061 E 1 [17:59:14] 18/8/2021 Y wsdnsd
[Expert@0]#
Were you able to use domains_tool against the domain in the object and the dropped IP address/addresses in the logs? That tool is very helpful for gaining insight into issues with domain objects.
Hello @mcatanzaro, I've been trying with domains_tool (sk161632) without success.
When I tried to see a list of all domains that belong to the Updatable Object 'smtp.office35.com' when it is used in the policy with the following command:
domains_tool -uo "smtp.office35.com"
I get this output:
[Expert@]# domains_tool -uo "smtp.office35.com"
The updatable object smtp.office35.com not found
]#
Also, for system troubleshooting I get the below output:
Expert@]# domains_tool -report
ERROR: wrong number of arguments
[Expert@]#
Could you or anyone guide me on what I'm missing? Any other recommendations are welcome.
Many thanks!
I've been reading about this and it seems it's an old issue, and I can't find a solution yet. It seems that Domain Objects should only be used when they resolve to one IP address and not multiple IPs. Is there any other object I should use for multiple IPs to try to resolve this issue?
It should work if the DNS resolves to multiple IPs.
Sounds like you should get the TAC involved if you haven't already.
Same issue here. I guess it will never be fixed?
100% works in R81.20
Andy