Forum Discussion

PC_46752
May 06, 2009

DNS issues - Firepass

Hi,

We have DNS issues while our users VPN through Firepass at some sites/for some users. Most of our users, after a successful VPN connection, receive corporate DNS/DHCP IPs and the domain suffix (configured in the Firepass). Case 1: However, with the users who have an issue, we observe that their ISP DNS settings are not overridden by our internal DNS settings (looked at ipconfig /all).

Case 2: In some cases, the DNS looks good; however, the user is not able to reach the internal systems (ping/nslookup fail).

This problem is mostly seen in China and Europe; the rest of our users in Asia and NA are just fine.

We are doing some research to nail down the issue, but do we have a workaround? I'd appreciate it if any of you could share similar experiences from your Firepass deployments.

Thank you,

PC
  • Try adding the following to the launch application section of the network resources:

    ipconfig /flushdns

    I know there are issues with international Windows versions using a different path for %system%, so I recommend investigating this.
  • Hi, thanks... apparently the flushdns doesn't seem to do the magic. If you could elaborate on %system%, it would be helpful. Thanks again!
  • Windows uses PATH wildcards; %system% normally means c:\windows\system.

    Just want to verify your design.

    Network Access / Resource / General Tab

    Do you have split tunneling enabled?

    Do you have "allow access to local networks" enabled?

    Try playing with these features. I had an issue a while ago with a bunch of users who had a DNS proxy on the same IP subnet as their local network. With local networks enabled, it prevented DNS from getting any results from our internal DNS servers.
  • Hi JPC,

    Do you have the option "Enforce DNS search order" checked under Network Access -> Resources -> {Name} -> DNS (tab)? Once this tab is configured and this option is checked, FirePass will try to force this information to take precedence over what the Windows client has already got via DHCP, etc.

    You probably also want to ensure you're running the latest FirePass software + patches, as I've seen a few oddities in this functionality in earlier versions.

    Cheers,

    Mal
  • Thanks Mal, blacksan,

    'Enforce DNS search order' seems to resolve DNS; however, it challenges scalability when we have multiple domains listed. The enforce option searches the listed name servers to resolve a particular hostname, but is there a connection between the domain suffix(es) listed and the name servers listed when the enforce option is enabled? If you have more details, please share. Thanks again!
  • I believe you have it confused. Firepass has DNS entries for the "Firepass" connections, such as Active Directory, web app lookups, etc. The Firepass Network Access controls are settings for the laptop device. They override the Firepass settings when a connection is established.

    Firepass -> Click on Configuration -> Network configuration -> DNS Tab

    This controls the Firepass box settings.

    Network Access -> Desired Resource Group -> DNS Tab & Enforce DNS Search Order.

    Use split tunneling for traffic and set these settings: 0.0.0.0/0.0.0.0 for the IP range and * for the DNS address space.
  • Thanks Mike! (Yup, a complex environment here.) And finally the enforced DNS search orders seemed to yield results!
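The thread's diagnosis rests on reading `ipconfig /all` on the client (Case 1: ISP DNS not overridden; Case 2: DNS looks right but internal names do not resolve) and on checking whether "Enforce DNS search order" actually pushed the corporate servers and suffix onto the VPN adapter. The script below is an added example, not code from the thread or from F5: it parses the XP-era `ipconfig /all` layout (adapter header lines ending in `:`, `Key . . . : value` fields, extra values on indented continuation lines) and classifies the client the way the posts describe. The corporate DNS addresses, suffix, adapter names and the sample output are all made up for the example.

```python
"""Check whether FirePass Network Access DNS settings took on a Windows
client, from the text of `ipconfig /all`.

Added example, not from the forum thread or from F5.  Assumptions:
- Windows XP era `ipconfig /all` layout (adapter headers end in ':',
  fields are '  Key . . . : value', extra values continue on indented lines);
- the corporate DNS servers, suffix, adapter names and samples are made up.
"""
import re
import socket

# Made-up corporate values; replace with what the Network Access DNS tab pushes.
CORP_DNS = ("10.0.0.53", "10.0.1.53")
CORP_SUFFIX = "corp.example"

ADAPTER_RE = re.compile(r"^(\S.*):\s*$")                            # "PPP adapter X:"
KV_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*)$")  # "  Key . . : value"
CONT_RE = re.compile(r"^\s+(\S.*?)\s*$")                            # 2nd DNS server etc.

# Constructed sample: a healthy client, corporate DNS/suffix on the PPP adapter.
SAMPLE_OK = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : laptop01

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home.isp.example
        IP Address. . . . . . . . . . . . : 192.168.1.20
        DNS Servers . . . . . . . . . . . : 198.51.100.1
                                            198.51.100.2

PPP adapter FirePass Network Access:

        Connection-specific DNS Suffix  . : corp.example
        IP Address. . . . . . . . . . . . : 10.20.30.40
        DNS Servers . . . . . . . . . . . : 10.0.0.53
                                            10.0.1.53
"""
# Constructed Case 1 variant: the PPP adapter still carries the ISP's servers.
SAMPLE_ISP_ONLY = (SAMPLE_OK.replace("10.0.0.53", "198.51.100.1")
                            .replace("10.0.1.53", "198.51.100.2"))


def parse_ipconfig(text):
    """Return {adapter_name: {field: [values]}} from `ipconfig /all` output."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            last_key = None          # blank line ends any continuation
            continue
        m = ADAPTER_RE.match(line)
        if m:                        # new adapter section
            current = m.group(1).strip()
            adapters[current] = {}
            last_key = None
            continue
        if current is None:          # global header lines before any adapter
            continue
        m = KV_RE.match(line)
        if m:
            last_key, value = m.group(1).strip(), m.group(2).strip()
            adapters[current][last_key] = [value] if value else []
            continue
        m = CONT_RE.match(line)
        if m and last_key:           # extra value for the previous field
            adapters[current][last_key].append(m.group(1))
    return adapters


def check_vpn_dns(adapters, corp_dns, corp_suffix):
    """Classify the client as the thread describes it.

    Returns (state, adapters_with_non_corporate_dns) where state is
    "ok", "isp-dns-only" (Case 1) or "suffix-missing".  The second element
    lists adapters that still carry other DNS servers, which matter when
    split tunneling / local network access is enabled.
    """
    corp_dns = set(corp_dns)
    vpn, others = [], []
    for name, fields in adapters.items():
        servers = set(fields.get("DNS Servers", []))
        if servers & corp_dns:
            vpn.append(name)
        elif servers:
            others.append(name)
    if not vpn:
        return "isp-dns-only", others
    suffix_ok = any(corp_suffix in adapters[n].get("Connection-specific DNS Suffix", [])
                    for n in vpn)
    return ("ok" if suffix_ok else "suffix-missing"), others


def probe_internal_host(hostname):
    """Case 2 check: resolve an internal name via the OS resolver; None on failure."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    for label, text in (("healthy", SAMPLE_OK), ("case 1", SAMPLE_ISP_ONLY)):
        state, others = check_vpn_dns(parse_ipconfig(text), CORP_DNS, CORP_SUFFIX)
        print(f"{label}: {state}; adapters with non-corporate DNS: {others}")
```

On a real client, save `ipconfig /all > out.txt` after the VPN comes up and feed the file to `parse_ipconfig`. The second element of the result only tells you which adapters still carry non-corporate servers; `ipconfig` does not show which set the Windows resolver consults first, so a non-empty list is a pointer to the split-tunneling and local-network settings discussed above, not proof of a fault. `probe_internal_host` is the scripted equivalent of the `nslookup`/`ping` check for Case 2 and needs a live connection.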