This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
jbfixurpc_cew
Explorer
‎2019-10-24 06:38 AM

VSX Clustering R80.20 DNS resolving error msg

Greetings!

I am seeing constant Alert error messages in our logs with reason: Firewall - Domain resolving error. Check DNS configuration on the gateway (0) .

Here are the statistics: R80.20, running on VSX, JHF Take 103 applied, 

Initially I thought the issue was being caused by the fact that in VSX the DNS servers for each context are the same (SK152873 - a large oversight if you ask me but) so with some redesign I was able to find 3 common DNS targets that would work in this scenario. Once that was applied, I still am seeing tons of these alert errors.

From the CLI I am able to confirm that all of the VSX contexts resolve DNS using dig/nslookup etc so I am not sure why I would be seeing this behavior 

 
0 Kudos
7 Replies
Ilya_Yusupov
Employee
Employee
‎2019-10-24 09:35 AM

Hi,

 

I guess you are using domain objects, right?

 

0 Kudos
jbfixurpc_cew
Explorer
‎2019-10-24 09:41 AM
In response to Ilya_Yusupov

As a matter of fact, yes, were trying to do that. What I am failing to understand is that from an external resource I can generate DNS traffic to a DNS server behind the cluster, and I see the error appear in that manor, sometimes... It's completely hit or miss which is confusing to say the least, sometimes I see the hits with no alerts, other times with the alert "Firewall - Domain resolving error. Check DNS configuration on the gateway (0)" which makes no sense to ,e.
0 Kudos
Ilya_Yusupov
Employee
Employee
‎2019-10-24 11:34 AM
In response to jbfixurpc_cew

We had such issue in the past which should be solved.

I will check it internaly and will update.

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2019-10-27 03:13 AM
In response to Ilya_Yusupov

Hi,

 

the fix included in on going JHF take 117, if you can move to this take it will be great.

if not i suggest to open a ticket for CP support to ask a port fix.

 

Thanks,

Ilya 

0 Kudos
Khalid_Aftas
Contributor
‎2020-01-15 02:58 AM
In response to Ilya_Yusupov

Hi Ilya,

 

We have same issue on r80.30 HF take 111, can you check internaly if that fix was ported to r80.30 ?

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2020-01-15 03:44 AM
In response to Khalid_Aftas

Hi Khalid,

 

The fix already included in R80.30 GA version so i suggest to open a TAC case and share it with me so i can check with RnD owners.

0 Kudos
Kaspars_Zibarts
Authority
Authority
‎2020-01-25 04:55 AM

Probably you have resolved it by now but if not make sure that TCP DNS lookups are allowed from your gateway

https://community.checkpoint.com/t5/General-Management-Topics/Domain-Objects-FQDN-An-Unofficial-ATRG...

 

 

0 Kudos