PC behind Meraki MX84 could not communicate with DNS servers on other side of VPN behind CheckPoint

Solved
RH6379
Getting noticed

We had an issue yesterday where a PC at a remote site could not communicate with the DNS servers at our HQ over the VPN tunnel we established between the MX84 at the remote site and the CheckPoint firewall at HQ. The MX84 is the DHCP server and we manually entered the IP addresses for the DNS servers to assign to the clients. All clients except for this one worked. I ended up resolving the issue by assigning the workstation a different IP address in the Workstation VLAN through a reservation on the MX84 DHCP settings. Then, it worked just like the others. Could the issue with the original IP's communications not being sent across the VPN tunnel be an incomplete ARP entry or something else? I've only seen this a handful of times in my 20+ year career, but never really resolved it other than by changing the IP address. We rebooted the MX84, but that didn't help either.


3 Replies
mat1458
Getting noticed

If the MX is the DHCP server, the incomplete ARP is not likely to be the issue, since the traffic is routed and ARP is only necessary for the default gateway IP address in the local VLAN. It looks to me as if something in the DHCP processing on the client side has gone wrong. Did you do an ipconfig /all (or whatever the OS of the client might need to display the IP config) to see if the DNS servers and the default gateway were present on the PC? If everything is/was OK, could/can you ping the DNS server? Are you able to ping devices in proximity to the DNS server?

RH6379
Getting noticed

We weren't able to ping the DNS servers or run an nslookup against them. After further investigating, the CheckPoint firewall wasn't seeing communications from that IP coming over the tunnel, so the rules dropped that. Also, there was a high number of DNS queries coming in, so it got flagged by the CheckPoint as suspicious activity. The CheckPoint sees the new IP of the laptop as coming over the tunnel, so it's being allowed.

@mat1458 wrote:

If the MX is the DHCP server, the incomplete ARP is not likely to be the issue, since the traffic is routed and ARP is only necessary for the default gateway IP address in the local VLAN. It looks to me as if something in the DHCP processing on the client side has gone wrong. Did you do an ipconfig /all (or whatever the OS of the client might need to display the IP config) to see if the DNS servers and the default gateway were present on the PC? If everything is/was OK, could/can you ping the DNS server? Are you able to ping devices in proximity to the DNS server?

RinaDugang
Comes here often

We have a similar issue. However, we are able to ping and traceroute the DNS server. IPs were statically configured, including the HQ DNS server, on the PC behind the MX at the remote branch. We tried as well to nslookup their internal IP and it is working, plus we are able to access internal applications, but the PC cannot communicate to the internet. Using a public DNS, we are still able to connect to the internet but cannot access their internal applications, though the DNS server is reachable using ping and traceroute.
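As an added illustration of the checks discussed in this thread (mat1458's "can you reach the DNS server" question and RH6379's finding that the far-end firewall only passed traffic once the laptop's source IP changed), the script below is example code written for this page, not anything from Meraki, CheckPoint or the posters. It builds a raw DNS query, optionally binds it to a chosen local source address, sends it over UDP and parses the answer, so you can tell whether a given DNS server actually answers port 53 from a given client IP rather than relying on ping, which can succeed while DNS is dropped. The server and source addresses in the `__main__` block are placeholders you substitute, and `SAMPLE_RESPONSE` is a constructed packet used only to exercise the parser offline.

```python
"""Minimal DNS-over-UDP probe used to check whether a DNS server on the far
side of a tunnel answers queries from a chosen source address.
Added example; not code from Meraki, CheckPoint, or the thread's posters."""
import random
import socket
import struct

DNS_PORT = 53


def build_query(name, qtype=1, txid=None):
    """Build a standard recursive query (QR=0, RD=1) for `name`; A record by default."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # id, flags (RD set), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a (possibly compressed) name at `off`; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                # only the first pointer advances the cursor
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg, expected_txid):
    """Return {"rcode": n, "addresses": [...]} for a DNS response to our query;
    raise ValueError if the packet is not a response to it."""
    if len(msg) < 12:
        raise ValueError("short packet")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                             # qtype + qclass
    addresses = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:        # A record
            addresses.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0x000F, "addresses": addresses}


def probe(server, name, source_ip=None, timeout=2.0):
    """Send one query to `server`:53, optionally bound to `source_ip`.
    Returns the parsed response, or None if nothing came back before `timeout`.
    Binding to an address not configured on this host raises OSError."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if source_ip:
            s.bind((source_ip, 0))
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid), (server, DNS_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, txid)


# Constructed response packet (not a real capture): txid 0x1234, flags 0x8180
# (response, RD, RA, NOERROR), one question for hq.example.com and one A answer
# 10.0.0.5 whose owner name is a compression pointer back to offset 12.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x02hq\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x0a\x00\x00\x05"
)

if __name__ == "__main__":
    # Placeholder addresses: substitute the HQ DNS server and the client's
    # candidate source IPs (e.g. the original lease and the new reservation).
    for src in ("192.0.2.10", "192.0.2.11"):
        try:
            print(src, "->", probe("198.51.100.53", "hq.example.com", source_ip=src))
        except OSError as exc:
            print(src, "->", exc)
```

Run it on a host that has each candidate source address configured. A timeout (`None`) from one source IP but a parsed answer from another points at a per-source decision on the path or the far-end firewall, which is what RH6379 found in the CheckPoint logs, rather than at the client's DNS settings; an answer with a non-zero `rcode` means the server was reached but refused or could not resolve the name, which is a different problem.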
