TheRedBaron
Nov 10, 2019

APM VPN Clients - DNS Resolution Failing Intermittently

Hi all,

I've run into an issue with my remote users, who are getting intermittent connection problems which seem to be related to DNS resolution failing. They're a mix of Windows 7 and Windows 10 clients and there doesn't seem to be a pattern to it; sooner or later connectivity will fail due to DNS. Interestingly, when the VPN is disconnected this problem still remains, and either rebooting the machine or resetting the TCP/IP stack will bring it back to life (resetting the TCP/IP stack tends to work more often than a reboot). The event sometimes causes client machines to completely freeze too.

From a client machine earlier, I couldn't perform resolution against either the DNS servers configured in my Network Access profile or the DNS server configured from the local DSL router (which may not be relevant, as I believe nslookup doesn't work with the Relay Proxy Service?). However, using Google DNS as the query target, DNS resolution worked fine. IP connectivity is not impacted whatsoever: I can still ping the DNS servers configured on the client, and I can still access resources using the IP instead of the FQDN.

I recently upgraded my BIG-IP cluster to version 14.1.2 (from 14.0.0.2), but this hasn't seemed to do anything unfortunately, and I've also asked my users to try using the SSL webvpn instead of the Edge Client (which should be a compatible version), but the issue persists.

My Network Access policy is configured as follows (and I'm forcing all traffic through the tunnel):

IPv4 Primary Name Server: 10.x.x.x

IPv4 Secondary Name Server: 10.x.x.x

Primary WINS SERVER: 10.x.x.x

DNS Default Domain Suffix: mydomain@company.com

Enforce DNS search order: Enabled

I've changed the DNS Relay Proxy Service in Windows to automatically recover if it stops/fails (but I don't believe it does stop anyway). I'm also in the process of checking the hotfixes installed on my machine (which never seems to have a problem) and on other client machines.

Any suggestions on how to fix this would be greatly appreciated!

  • Hello, if you restart the DNS relay proxy, does it resolve the issue? Also, if you do a tcpdump on the Connectivity Profile you can get the traffic unencrypted and see what traffic is coming over the tunnel:

    #tcpdump -ni <connectivity profile name(like /Common/My_connectivity_profile)>:nnn -s0 host <Destination Server IP> or port 53 -vvv -w /shared/tmp/Connectivity_Profile.pcap

    https://support.f5.com/csp/article/K411

    You can also download and run the Client Troubleshooting Utility and generate a report from the PC:

    K12444: Overview of the Client Troubleshooting Utility for Windows (CTU):

    https://support.f5.com/csp/article/K12444

    I would look at the FltRedirSrv.txt file for errors (this is the log file for the DNS Relay Proxy). Also take a look at the "F5 Network Access Diagnostic" section so you can see what F5 services are running.
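    An added client-side diagnostic, not from this thread, from F5 or from the CTU: a PowerShell script that reproduces on the affected Windows PC the checks the question and this reply discuss (state and recovery settings of the DNS Relay Proxy service, resolution of a name against each DNS server currently configured on the client versus a public control resolver, IP reachability of those servers, resolution through the normal Windows resolver path, and a scan of FltRedirSrv.txt for error lines). Assumptions, labelled in the code: the relay service is found by matching a display name containing "DNS Relay Proxy"; `intranet.example.com` and `8.8.8.8` are placeholders for an internal name and a control resolver; the log file is located by searching under ProgramData because its real path is not given in the thread.

```powershell
# Added example (not from the thread, F5 or the CTU): client-side DNS checks for
# an F5 Edge Client tunnel. Run in an elevated PowerShell session while connected.
param(
    # Constructed placeholder: a name that should only resolve over the tunnel.
    [string]$TestName = 'intranet.example.com',
    # Control resolver, as the original poster used Google DNS.
    [string]$ControlServer = '8.8.8.8',
    # Assumption: the relay service's display name contains this text.
    [string]$RelayServicePattern = '*DNS Relay Proxy*'
)

function Get-RelayProxyState {
    # Service status plus the recovery actions (the poster set these to auto-restart).
    $svc = Get-Service | Where-Object { $_.DisplayName -like $RelayServicePattern } | Select-Object -First 1
    if (-not $svc) { return [pscustomobject]@{ Found = $false; Name = $null; Status = $null; Recovery = $null } }
    $recovery = (& sc.exe qfailure $svc.Name) -join "`n"
    [pscustomobject]@{ Found = $true; Name = $svc.Name; Status = $svc.Status; Recovery = $recovery }
}

function Get-ConfiguredDnsServers {
    # Every IPv4 DNS server currently assigned to any interface; while the tunnel is
    # up, the VPN adapter carries the Network Access profile's servers.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            $alias = $_.InterfaceAlias
            foreach ($s in $_.ServerAddresses) { [pscustomobject]@{ Interface = $alias; Server = $s } }
        }
}

function Test-DnsServer {
    param([string]$Server, [string]$Name)
    # -Server/-DnsOnly addresses one specific server, like nslookup does, instead of the
    # normal Windows resolver path; Pingable vs Resolves separates "server unreachable"
    # from "server reachable but not answering", which is the poster's symptom.
    $reach = Test-Connection -ComputerName $Server -Count 1 -Quiet
    try {
        $ans = Resolve-DnsName -Name $Name -Server $Server -DnsOnly -ErrorAction Stop
        $ok = $true
        $detail = ($ans | Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress) -join ','
    } catch {
        $ok = $false
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{ Server = $Server; Pingable = $reach; Resolves = $ok; Detail = $detail }
}

function Test-ResolverPath {
    param([string]$Name)
    # No -Server: exercises the full client path (DNS Client cache, search list,
    # and whatever the relay proxy does in front of the configured servers).
    try {
        Resolve-DnsName -Name $Name -ErrorAction Stop |
            Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress
    } catch {
        "FAILED: $($_.Exception.Message)"
    }
}

function Get-RelayLogErrors {
    # Assumption: the log's location is not stated in the thread, so search ProgramData.
    Get-ChildItem -Path $env:ProgramData -Recurse -Filter 'FltRedirSrv.txt' -ErrorAction SilentlyContinue |
        ForEach-Object {
            "-- $($_.FullName)"
            Select-String -Path $_.FullName -Pattern 'error|fail' | Select-Object -Last 20 | ForEach-Object { $_.Line }
        }
}

'== DNS Relay Proxy service =='
Get-RelayProxyState | Format-List

"== Direct queries for $TestName: each configured server, then the control server =="
$results = @(Get-ConfiguredDnsServers | ForEach-Object { Test-DnsServer -Server $_.Server -Name $TestName })
$results += Test-DnsServer -Server $ControlServer -Name $TestName
$results | Format-Table -AutoSize

"== $TestName through the normal Windows resolver path =="
Test-ResolverPath -Name $TestName

'== Recent error/fail lines in FltRedirSrv.txt =='
Get-RelayLogErrors
```

    Reading the output: if the configured servers are pingable but do not answer direct queries while the control server does, the fault is between the client and those servers (capture on the Connectivity Profile as described above); if direct queries succeed but the normal resolver path fails, the fault is on the client (DNS Client service or relay proxy), which matches a symptom that only a TCP/IP reset clears.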

  • Hi Dave,

    I haven't thought about restarting the relay proxy service, but I'll certainly give that a try. I'm actually in the process of removing the proxy service from client installs of the Edge Client to rule that out completely (no feedback from my user base as yet). I'll also run a capture the next time I hear a report.

    I've run the troubleshooting tool on a number of users' machines, and it hasn't reported a single problem, and I took a look at the relay proxy service log file, but didn't see anything.