BO VPN works fine except for DNS queries in one direction only

Hello all,
we've successfully created a BO IPSEC VPN tunnel between our M370 and a remote pfSense. Everything works fine and it works so well we use it in production without any issues.

Site A: 192.168.2.0/24 with Firebox M370
Site B: 192.168.3.0/24 with pfSense

The only thing I've been banging my head against since I discovered it is that the queries from a workstation in site B (e.g. 192.168.3.3) to a DNS server in site A (192.168.2.3) just time out.

I've used a mix of tools to understand the following:
1. the DNS packets are correctly received from pfSense
2. pfSense allows the packets in its firewall rules
3. the packets are routed through the VPN
4. using tcpdump on the Firebox I see the packets being correctly received:

https://imgur.com/PP3ZvkQ

Here comes the funny part: even if (in the Firebox) I've created a very raw policy on top of all the others to allow the DNS protocol from ANY to ANY and I've enabled the logging for that, I can't see any trace of the packets in the Traffic Monitor. I've monitored the packets on the DNS server using Wireshark and there's no trace of those incoming packets. I've disabled the internal Windows firewall.

It looks like the DNS packets just die in the Firebox, but if they were marked as unhandled I should see them in the Traffic Monitor, shouldn't I?
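For anyone reproducing the failing step, here is an added probe (my own code, not from the thread, from WatchGuard or from pfSense) to run from the site B workstation: it hand-builds one DNS query for 192.168.2.3, sends it over UDP and then over TCP, and reports timeout versus reply, so a UDP-only loss can be told apart from the tunnel dropping DNS entirely. The server address comes from the thread; the queried name example.com and the 3-second timeout are assumptions.

```python
import socket
import struct

def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (A record, recursion desired) in wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_reply(data: bytes, txid: int) -> dict:
    """Return id match, RCODE and answer count from a raw DNS response header."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {"id_ok": rid == txid, "rcode": flags & 0x0F, "answers": an}

def probe(server: str, name: str, proto: str = "udp", timeout: float = 3.0) -> dict:
    """Send one query over UDP or TCP; report timeout/error instead of raising."""
    txid = 0x1234
    q = build_query(name, txid)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (server, 53))
                data, _ = s.recvfrom(4096)
        else:  # DNS over TCP is length-prefixed (RFC 1035 section 4.2.2)
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack(">H", len(q)) + q)
                length = struct.unpack(">H", s.recv(2))[0]
                data = b""
                while len(data) < length:
                    chunk = s.recv(length - len(data))
                    if not chunk:
                        break
                    data += chunk
    except socket.timeout:
        return {"proto": proto, "status": "timeout"}
    except OSError as e:
        return {"proto": proto, "status": f"error: {e}"}
    return {"proto": proto, "status": "reply", **parse_reply(data, txid)}

if __name__ == "__main__":
    # Assumed target (site A DNS server from the thread) and assumed query name.
    for proto in ("udp", "tcp"):
        print(probe("192.168.2.3", "example.com", proto))
```

Run it once from 192.168.3.3 and once from a host in 192.168.2.0/24; a timeout only from site B while site A gets a reply confirms the loss is on the tunnel path rather than in the DNS service.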

Comments

  • As always, what XTM version are you running?

    What is between the firewall and the DNS server?
    Could there be an ACL on it which is denying packets from an "unknown" subnet?
    Can you tracert to 192.168.3.3 from the DNS server?

  • Hello Bruce, sorry I missed the XTM version! It's a Firebox M370 w/ Fireware 12.5.4.B622768

    What is between the firewall and the DNS server?
    "nothing". They're both in the same 192.168.2.0/24 network. It may be useful to know that the LAN is bridged:
    https://imgur.com/mytP1Rz

    Could there be an ACL on it which is denying packets from an "unknown" subnet?
    Not that I'm aware of. Where should I check? Shouldn't I see any denied packet in the traffic monitor?

    Can you tracert to 192.168.3.3 from the DNS server?
    I can indeed trace 192.168.3.3 from 192.168.2.3. I can even make DNS queries from 192.168.3.3 to 192.168.2.3 if I install the DNS service on that (but not the other way around).

    Thank you for your help Bruce

    Davide

  • edited July 29

    No further thoughts.
    Time for a support incident.

    A switch could, and most likely is, between your firewall port and the DNS server.
    So do check that if it is a smart switch.
    If it isn't smart, try a power off/on - just to make sure that somehow it isn't involved.
