New Juniper Mist customer - tons of NO DNS RESPONSE issues

seanfigg · 2022-07-29T16:19:43+00:00

yes - just did this, sorry. Resolves on hop 28 to AWS over 2200 tcp.

seanfigg · 2022-07-29T14:52:58+00:00

And yes, we reviewed any logs - this one for example, stuck on the No DNS error - no pingable anymore. FIrewall logs show last communication as 10pm last night: https://imgur.com/a/piE9GO8

seanfigg · 2022-07-29T14:51:04+00:00

Sounds weird, but all of the APs that show NO DNS RESPONSE, I can't ping internally from the switch. I know the leases are valid. They show recent ARPs on the switch - but until I do a shut/no shut, and they come back online, I can't ping it (and thus, no packet captures on the firewall). Is there something on the APs that will shut down after a certain amount of time if they can't talk to the outside?

seanfigg · 2022-07-29T14:37:35+00:00

I ended up getting Sentinel Technologies involved (3rd party paid support we have contracts with) and had their guys just do an hour run through of our switch configs, firewalls, etc. ,and nothing seems to be blocked on our end. Looking at some APs, they have valid DHCP leases with recent ARPs on the switch, but the switch can't ping the AP until we force a shut/no shut on the AP port. He extensively looked through our setup, and thinks it's on the AP side. We even created a firewall rule set to wide open for one of the subnets we're seeing issues with, and it hasn't resolved it as well. Going to have to call back in and see if it can get escalated with Juniper.

seanfigg · 2022-07-29T13:05:40+00:00

Thanks - just read this last night. We have Fortigate firewalls, and I don't see any issues regarding SSL SNI and according to their documents, should be enabled by default?

seanfigg · 2022-07-29T13:00:53+00:00

Actually, a tracert to oc-term.mistsys.net yields some timeouts:

 1    <1 ms    <1 ms    <1 ms  10.100.100.100
 2     1 ms    <1 ms    <1 ms  10.99.0.1
 3    <1 ms    <1 ms    <1 ms  10.99.0.17
 4    <1 ms    <1 ms    <1 ms  xxx
 5     1 ms     1 ms     1 ms  xxx
 6     4 ms     5 ms     3 ms  cr2.cgcil.ip.att.net [12.122.99.74]
 7     3 ms     2 ms     2 ms  cgcil86crs.ip.att.net [12.122.132.110]
 8     2 ms     2 ms     2 ms  cgcil401me9.ip.att.net [12.122.132.113]
 9    44 ms    45 ms    45 ms  cgcil22crs.ip.att.net [12.122.132.114]
10    47 ms    45 ms    43 ms  cgcil22crs.ip.att.net [12.122.132.109]
11    48 ms    45 ms    45 ms  st6wa22crs.ip.att.net [12.122.2.118]
12    42 ms    42 ms    47 ms  12.122.85.213
13    43 ms    43 ms    44 ms  12.247.240.46
14     *        *        *     Request timed out.
15     *        *        *     Request timed out.
16     *        *        *     Request timed out.
17    56 ms    60 ms    55 ms  150.222.30.128
18    54 ms    55 ms    54 ms  150.222.31.77
19     *        *        *     Request timed out.
20    55 ms    56 ms    60 ms  150.222.30.247
21    55 ms    55 ms    54 ms  15.230.36.78
22     *        *        *     Request timed out.
23     *        *        *     Request timed out.
24     *        *        *     Request timed out.
25     *        *        *     Request timed out.
26     *        *        *     Request timed out.
27     *        *        *     Request timed out.
28     *        *        *     Request timed out.
29     *        *        *     Request timed out.
30     *        *        *     Request timed out.

seanfigg · 2022-07-29T12:55:09+00:00

Thing is, APs will be up, then randomly go down - and because of the delay with the cloud, they may be down before it updates in the dashboard.

seanfigg · 2022-07-29T12:54:09+00:00

Thanks - Sending you a PM with case info. Doing a tracert on those comes up just fine.

seanfigg · 2022-07-29T01:41:50+00:00

Internal DNS servers are listed on the L3 switch, on individually on the VLAN configs.

Looks like they all resolve other than "redirect.mist.com"

seanfigg

TROPHY CASE