PC behind Meraki MX84 could not communicate with DNS servers on other side of VPN behind CheckPoint

SOLVED


We had an issue yesterday where a PC at a remote site could not communicate with the DNS servers at our HQ over the VPN tunnel we established between the MX84 at the Remote Site and the CheckPoint Firewall at HQ.  The MX84 is the DHCP server and we manually entered the IP Addresses for the DNS servers to assign to the clients.  All clients except for this one worked.  I ended up resolving the issue by assigning the workstation a different IP Address in the Workstation VLAN through a Reservation on the MX84 DHCP Settings.  Then it worked just like the others.  Could the issue with the original IP communications not being sent across the VPN tunnel be an incomplete ARP entry or something else?  I've only seen this a handful of times in my 20+ year career, but never really resolved it other than by changing the IP Address.  We rebooted the MX84, but that didn't help either.

1 ACCEPTED SOLUTION


Re: PC behind Meraki MX84 could not communicate with DNS servers on other side of VPN behind CheckPoint

We weren't able to ping the DNS servers or run an nslookup against them.  After further investigation, the CheckPoint firewall wasn't seeing communications from that IP coming over the tunnel, so the rules dropped it.  Also, there was a high number of DNS queries coming in, so it got flagged by the CheckPoint as suspicious activity.  The CheckPoint sees the new IP of the laptop as coming over the tunnel, so it's being allowed.

@mat1458 wrote:

If the MX is the DHCP server, the incomplete ARP is not likely to be the issue, since the traffic is routed and ARP is only necessary for the default gateway IP address in the local VLAN. It looks to me as if something in the DHCP processing on the client side has gone wrong. Did you do an ipconfig /all (or whatever the OS of the client might need to display the IP config) to see if the DNS servers and the Default Gateway were present on the PC?  If everything is/was OK, could/can you ping the DNS server? Are you able to ping devices in proximity to the DNS server?

2 REPLIES

Re: PC behind Meraki MX84 could not communicate with DNS servers on other side of VPN behind CheckPoint

If the MX is the DHCP server, the incomplete ARP is not likely to be the issue, since the traffic is routed and ARP is only necessary for the default gateway IP address in the local VLAN. It looks to me as if something in the DHCP processing on the client side has gone wrong. Did you do an ipconfig /all (or whatever the OS of the client might need to display the IP config) to see if the DNS servers and the Default Gateway were present on the PC?  If everything is/was OK, could/can you ping the DNS server? Are you able to ping devices in proximity to the DNS server?

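The accepted solution gives two reasons the HQ firewall dropped the original workstation: it did not see that address as traffic arriving over the tunnel, and the address generated a high number of DNS queries that a rate check flagged as suspicious. The script below is an added example, not code from the thread or from Check Point or Meraki; it reproduces both checks over constructed log lines so the two failure modes can be told apart. Everything in it is an assumption: the subnets the tunnel is configured to carry (the "encryption domain" the firewall expects remote traffic to come from, which the thread does not say was the cause), the log format, the query threshold and window, and the IP addresses. Applying it to real data means swapping in the firewall's actual log format and the subnets actually configured on the VPN.

```python
"""Added example: classify remote-site sources the way the accepted solution
describes the Check Point behaving. Not the thread's own code. All subnets,
thresholds, addresses and the log format are assumptions."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed: the subnets the site-to-site VPN is configured to carry from the
# remote MX84. A source outside these is not seen as "coming over the tunnel".
REMOTE_ENCRYPTION_DOMAIN = [ipaddress.ip_network("10.20.10.0/24")]

# Assumed rate-check setting: more than this many DNS queries from one source
# inside a 60-second sliding window is treated as suspicious.
QUERY_THRESHOLD = 50
WINDOW = timedelta(seconds=60)


def build_sample_log():
    """Constructed log: '<ISO timestamp> <src> <dst> <service>' per line."""
    base = datetime(2020, 1, 15, 9, 0, 0)
    lines = []
    # Normal workstation: one query every 10 s for about 5 minutes.
    for i in range(30):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} 10.20.10.15 10.1.1.53 udp/53")
    # Chatty workstation: 80 queries in 40 s, which trips the rate check.
    for i in range(80):
        ts = (base + timedelta(milliseconds=500 * i)).isoformat()
        lines.append(f"{ts} 10.20.10.77 10.1.1.53 udp/53")
    # Workstation whose address is outside the subnets the tunnel carries.
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} 10.20.99.5 10.1.1.53 udp/53")
    lines.append(f"{(base + timedelta(seconds=6)).isoformat()} 10.20.99.5 10.1.1.54 icmp")
    return "\n".join(lines)


def parse_line(line):
    ts, src, dst, service = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), service)


def in_encryption_domain(src):
    """True if the source falls inside a subnet the tunnel is configured for."""
    return any(src in net for net in REMOTE_ENCRYPTION_DOMAIN)


def burst_sources(records, threshold=QUERY_THRESHOLD, window=WINDOW):
    """Sources whose DNS query count exceeds `threshold` within any `window`.

    A per-source deque holds the timestamps of recent queries; entries older
    than the window are evicted before the count is compared.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, src, _dst, service in sorted(records, key=lambda r: r[0]):
        if service != "udp/53":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(str(src))
    return flagged


def classify(log_text):
    """Map each source address to the verdict the firewall would reach.

    The encryption-domain check is applied first: a source outside it is
    dropped regardless of its query rate, which is why it is reported
    before the rate verdict.
    """
    records = [parse_line(line) for line in log_text.strip().splitlines()]
    bursts = burst_sources(records)
    verdicts = {}
    for _ts, src, _dst, _service in records:
        key = str(src)
        if key in verdicts:
            continue
        if not in_encryption_domain(src):
            verdicts[key] = "drop: source not in VPN encryption domain"
        elif key in bursts:
            verdicts[key] = "drop: DNS query rate exceeded threshold"
        else:
            verdicts[key] = "accept"
    return verdicts


if __name__ == "__main__":
    for source, verdict in sorted(classify(build_sample_log()).items()):
        print(f"{source:<14} {verdict}")
```

Run as a script it prints one verdict per source. The useful part for a case like the thread's is the order of the checks: if the workstation's address is outside what the tunnel carries, the rate check is never the explanation, and the fix is on the VPN configuration, not on the client.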
