Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

SD-Wan DNS to Domain Controller timing out

B3runnerB3runner Newbie ✭

Just recently I thought to give the SD-Wan feature a try after seeing a few videos online. I decided to choose a remote site that sees very little traffic as a test bed for this feature.

My current setup is as follows:

Site A: main office

fiber and cable from same ISP provider

NSA 2650: 6.5.4.8-89n

Domain controller, File server, print server, phone controller, camera server

Site B: Remote office

cable from ISP provider as Site A

TZ 500: 6.5.4.8-89n

Laptops, printer, phone, cameras


I have two DCs that act as a DNS, DHCP, and DC all rolled up into one. These DCs are on the primary lan (X0) at Site A. The sonicwall at site A has the DCs setup as the primary and secondary DNS servers, and the scope options on the DHCP has the two DCs listed as well.


At Site B, the sonicwall is acting as the DHCP server and is set to use the IP address from the DCs at site A for the sonicwall's DNS, and the subnet's that the sonicwall passes out. It worked out fine with a few hiccups sporadically over time when there was a site to site VPN tunnel between the two sonicwalls. I did run into some problems with applications that were sensitive when it came to delays in the connection. The camera system at site B never wanted to push video back to site A unless I took out the encryption from the phase 2 within the tunnels. This is why I wanted to give SD-Wan a try to see if the sonicwalls could do a better job managing the connection between the two sites over the three different WAN connections that I have.


Currently, I was able to setup the two sonicwalls as follows. I have two VPNs on each of the sonicwalls setup to use AES-128, 2 DH group, and Ikev2 mode. This means I have a connection from site B -> A cable/fiber and site B -> A cable/cable. I then setup two tunnel interfaces with different subnets to connect between the two sonicwalls. site A has Fib:10.40.40.200 Cable:10.40.41.200 and site B has Cable:10.40.40.201 Cable:10.40.41.201. Under the SD-Wan Path Selection I went for the default lowest jitter for testing and am using the Fiber as a backup interface for the path profile. My polices are setup mirroring each other from site A to site B.


Site A: X0 Subnet (10.1.3.0/23) -> site B:X0 subnet (10.1.15.0/24)

Service: Any

(The DC is living on the X0 subnet of site A)


Site B: X0 Subnet (10.1.15.0/24) -> site A:X0 subnet (10.1.3.0/23)

Service: Any

(The DC is living on the X0 subnet of site A)


I'm able to get the cameras and a ping across just fine. I'm even able to access the network shares if I use the IP address within file explorer. When ever I try to use nslookup the DNS requests will time out for anything internal to site A. When ever I look at the SD-Wan connection logs I can see DNS connections being made on the site B sonicwall, but I can not see anything DNS connections from the site A sonicwall. The connections seem to be pushed to the current VPN interface on site B's sonicwall.


So far I've tried, making the DC the main DNS server for the site B sonicwall. It just fails over to the ISP DNS when that happens. I've tried forcing DNS proxy, but the site B sonciwall says it never gets a reply form the DC. One work around I have found was to put static entries within the DNS proxy, but this is not the best solution for if I ever change servers down the road.


I'm wondering if I am missing something or am not understanding the way that the SD-Wan works when it comes to sending DNS over the VPN interfaces?

Category: SSL VPN
Reply
Tagged:

Answers

  • TKWITSTKWITS All-Knowing Sage ✭✭✭✭

    "The sonicwall at site A has the DCs setup as the primary and secondary DNS servers" - Do you mean on the WAN interface or in Network \ DNS? Is there a reason why you are doing this? Same question applies to site B.

    "I have two VPNs on each of the Sonicwalls. This means I have a connection from site B -> A cable/fiber and site B -> A cable/cable. I then setup two tunnel interfaces with different subnets to connect between the two sonicwalls." This sounds very convoluted. Is this some kind of attempt to get SDWAN involved over the VPN tunnels? Reasoning?

    Is failover/load balancing enabled and configured on the Site A Sonicwall? What are your rated speeds on the ISP lines? What does your SDWAN config look like?

  • B3runnerB3runner Newbie ✭

    Sorry for the delay as I was out for a week due to life.

    1. We have the DCS setup as primary DNS (for the LAN/WLAN interfaces) to have the domain PCs be able to resolve internal servers based off their FQDN. The reason we did the same thing at both sites is so that users at site B would be able to resolve the domain controllers for GPO updates, to have access to the file server through FQDN, and to have the camera PC be able to push back video to site A. We have users moving between the two sites, but site B isn't built up enough (isn't used enough) to warrant putting a remote domain controller.
    2. It is just for a fail over in case the fiber connection goes down at site A. I had a similar setup with a VPN tunnel using the cable modem as a fail over within the VPN settings. The main benefit of using SDWan seemed to be that the cameras had an easier time pushing back video. Something about the camera software doesn't like the delay that comes with a normal VPN tunnel, so I found that I had to turn off the encryption on the phase 2 of the tunnel to have the cameras be available for viewing at site A.
    3. Site A is setup for basic failover with the fiber interface setup as the primary and the cable setup as the failover. Also Load balancing is turned on at site A. The speed for the fiber is supposed to be 1 Gbs, but normally I will get anywhere around 100-500 Mbs when looking through the SD-Wan monitoring. The cable modem will give me somewhere around 50-100 Mbs.
    4. I tried to be simple with the SD-Wan polices for testing. On site A I setup a policy that allowed traffic from the LAN zone (where the DCs reside) going to site B's subnet. For the source I used the X0 subnet object (10.3.1.0/23) and the Destination was an address object that had been made with site B's range (10.3.80.0/24). The service was set to any, the path profile was set to the testing profile that I had created, and the metric was 1. I created the reverse of that at site B. I then went ahead and created a second policy for the cameras . The source was set to site A's camera subnet (X0:V400). The destination was set to site B's subnet object (10.3.80.0/24) just like the pervious policy. Service was set to any and the path profile was the testing profile. The metric was set to 2 for the policy. At site B I used the I used the X0 subnet object (10.3.80.0/24) for the source and an address object that I created for site A's camera subnet (10.3.400.0/24).

    This setup allowed me to ping across to the DCs, access the file server (using IP address only), and allowed the cameras to show up at site A. The only problem I then had was that group policy wasn't able to finish due to not resolving the domain.

  • TKWITSTKWITS All-Knowing Sage ✭✭✭✭
    1. I understand the reasoning for having your DCs as the DNS for your clients. But why would you have it as the DNS for your firewall? Thus my original question.
    2. Again, why two tunnel interfaces instead of just one with a secondary IPSec gateway? Don't make things more complex than they need to be.
    3. That helps. Is the cable connection the 'final' failover, or just part of the group? Are you doing anything other than physical interface probing?
    4. "At site B I used the I used the X0 subnet object (10.3.80.0/24) for the source and an address object that I created for site A's camera subnet (10.3.400.0/24)." What about for the subnet where the DC's reside (10.3.1.0)? No policy for that?

    What about the 10.40.x.x stuff you originally posted about with regards to the tunnel interfaces?

Sign In or Register to comment.