SD-WAN DNS to Domain Controller timing out
Just recently I thought to give the SD-WAN feature a try after seeing a few videos online. I decided to choose a remote site that sees very little traffic as a test bed for this feature.
My current setup is as follows:
Site A: main office
fiber and cable from the same ISP
NSA 2650: 6.5.4.8-89n
Domain controller, File server, print server, phone controller, camera server
Site B: Remote office
cable from the same ISP as Site A
TZ 500: 6.5.4.8-89n
Laptops, printer, phone, cameras
I have two DCs that act as DNS, DHCP, and DC all rolled up into one. These DCs are on the primary LAN (X0) at Site A. The SonicWall at Site A has the DCs set up as the primary and secondary DNS servers, and the scope options on the DHCP have the two DCs listed as well.
At Site B, the SonicWall is acting as the DHCP server and is set to use the IP addresses of the DCs at Site A for the SonicWall's own DNS and for the subnets that the SonicWall hands out. It worked fine, with a few sporadic hiccups over time, when there was a site-to-site VPN tunnel between the two SonicWalls. I did run into some problems with applications that were sensitive when it came to delays in the connection. The camera system at Site B never wanted to push video back to Site A unless I took the encryption out of phase 2 within the tunnels. This is why I wanted to give SD-WAN a try, to see if the SonicWalls could do a better job managing the connection between the two sites over the three different WAN connections that I have.
Currently, I was able to set up the two SonicWalls as follows. I have two VPNs on each of the SonicWalls set up to use AES-128, DH group 2, and IKEv2 mode. This means I have a connection from Site B -> A cable/fiber and Site B -> A cable/cable. I then set up two tunnel interfaces with different subnets to connect between the two SonicWalls. Site A has Fiber: 10.40.40.200, Cable: 10.40.41.200 and Site B has Cable: 10.40.40.201, Cable: 10.40.41.201. Under the SD-WAN Path Selection I went for the default lowest jitter for testing and am using the fiber as a backup interface for the path profile. My policies are set up mirroring each other from Site A to Site B.
Site A: X0 Subnet (10.1.3.0/23) -> site B:X0 subnet (10.1.15.0/24)
Service: Any
(The DC is living on the X0 subnet of site A)
Site B: X0 Subnet (10.1.15.0/24) -> site A:X0 subnet (10.1.3.0/23)
Service: Any
(The DC is living on the X0 subnet of site A)
I'm able to get the cameras and a ping across just fine. I'm even able to access the network shares if I use the IP address within File Explorer. Whenever I try to use nslookup, the DNS requests time out for anything internal to Site A. Whenever I look at the SD-WAN connection logs I can see DNS connections being made on the Site B SonicWall, but I cannot see any DNS connections on the Site A SonicWall. The connections seem to be pushed to the current VPN interface on Site B's SonicWall.
So far I've tried making the DC the main DNS server for the Site B SonicWall. It just fails over to the ISP DNS when that happens. I've tried forcing DNS proxy, but the Site B SonicWall says it never gets a reply from the DC. One workaround I have found is to put static entries within the DNS proxy, but this is not the best solution if I ever change servers down the road.
I'm wondering if I am missing something or am not understanding the way that SD-WAN works when it comes to sending DNS over the VPN interfaces?
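A check that separates "the tunnel routes packets" (ping and SMB by IP work) from "DNS replies come back" (nslookup times out) is to send the same query to the DC over UDP/53 and over TCP/53 from a host on the Site B X0 subnet and compare. This is an added diagnostic written for this thread, not code from the original poster or from SonicWall; it uses only the Python standard library. The DC address 10.1.3.10, the name dc1.corp.example and the sample response bytes are constructed placeholders (the post gives only the 10.1.3.0/23 subnet, not the DC's address). Querying the DC directly also avoids the failover to the ISP resolver mentioned above, which would answer an internal name with NXDOMAIN rather than a timeout and so hide the real symptom.

```python
"""DNS path probe: send the same query to the DC over UDP and over TCP and compare.

Added example for this thread, not code from the original poster or from SonicWall.
DC_IP, INTERNAL_NAME and SAMPLE_RESPONSE are constructed placeholders, not values
taken from the post.
"""
import random
import socket
import struct

DC_IP = "10.1.3.10"                 # assumption: a DC on Site A's X0 subnet (10.1.3.0/23)
INTERNAL_NAME = "dc1.corp.example"  # assumption: an AD-internal name only the DC can answer


def build_query(name, qtype=1, txid=None):
    """Build a minimal RFC 1035 query (recursion desired), A record by default."""
    if txid is None:
        txid = random.randrange(0, 1 << 16)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)         # QCLASS=IN


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                                 # compression pointer
            if not jumped:
                end = off + 2
            jumped, off = True, struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg, expected_txid):
    """Parse a response; reject replies whose ID does not match the query we sent."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: stale or spoofed reply")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):                                           # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "truncated": bool(flags & 0x0200), "answers": answers}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def probe(server, name, transport="udp", timeout=2.0):
    """Send one query to server:53 over the given transport; returns a dict, never raises."""
    txid = random.randrange(0, 1 << 16)
    query = build_query(name, txid=txid)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
        else:                                                     # TCP framing: 2-byte length prefix
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack(">H", len(query)) + query)
                (length,) = struct.unpack(">H", _recv_exact(s, 2))
                data = _recv_exact(s, length)
        return {"transport": transport, "ok": True, **parse_response(data, txid)}
    except (OSError, ValueError) as exc:                          # socket.timeout is an OSError
        return {"transport": transport, "ok": False, "error": type(exc).__name__}


def diagnose(udp, tcp):
    """Reduce the two probe results to the question the thread is actually asking."""
    if udp["ok"] and tcp["ok"]:
        return "DC answers over both transports: the DNS path is fine"
    if not udp["ok"] and tcp["ok"]:
        return "TCP/53 works but UDP/53 does not: UDP replies are dropped or misrouted on the return path"
    if udp["ok"] and not tcp["ok"]:
        return "UDP/53 works but TCP/53 does not: large or TC-flagged answers will fail"
    return "no reply on either transport: queries never reach the DC or its replies never come back"


# Constructed sample: the DC answering dc1.corp.example -> 10.1.3.10, TXID 0x1234, TTL 3600.
SAMPLE_RESPONSE = (bytes.fromhex("123481800001000100000000")
                   + b"\x03dc1\x04corp\x07example\x00" + b"\x00\x01\x00\x01"
                   + bytes.fromhex("c00c00010001" "00000e10" "0004" "0a01030a"))

if __name__ == "__main__":
    # Run from a host on Site B's X0 subnet so the packets traverse the SD-WAN policy.
    udp, tcp = probe(DC_IP, INTERNAL_NAME, "udp"), probe(DC_IP, INTERNAL_NAME, "tcp")
    print(udp, tcp, diagnose(udp, tcp), sep="\n")
```

Run it while watching the Site A firewall's log filtered on the DC's address and port 53: if the query shows up arriving at the DC but the client still reports a timeout, the reply is taking a different path back (for example leaving via the other tunnel interface or a route that does not match the mirrored policy) and is being discarded as an unmatched UDP flow; if nothing arrives at all, the outbound policy or the VPN policy's network selection is not carrying the Site B subnet's DNS traffic in the first place. The transaction-ID check in parse_response is there so a stale or injected reply is not mistaken for a good one.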
Answers
"The SonicWall at Site A has the DCs set up as the primary and secondary DNS servers" - Do you mean on the WAN interface or in Network \ DNS? Is there a reason why you are doing this? The same question applies to Site B.
"I have two VPNs on each of the SonicWalls. This means I have a connection from Site B -> A cable/fiber and Site B -> A cable/cable. I then set up two tunnel interfaces with different subnets to connect between the two SonicWalls." This sounds very convoluted. Is this some kind of attempt to get SD-WAN involved over the VPN tunnels? Reasoning?
Is failover/load balancing enabled and configured on the Site A SonicWall? What are your rated speeds on the ISP lines? What does your SD-WAN config look like?
Sorry for the delay as I was out for a week due to life.
This setup allowed me to ping across to the DCs, access the file server (using IP address only), and allowed the cameras to show up at site A. The only problem I then had was that group policy wasn't able to finish due to not resolving the domain.
What about the 10.40.x.x stuff you originally posted about with regards to the tunnel interfaces?