NAT Strangeness
-
I am using a pfsense virtual appliance to isolate a test environment from the production network. To allow hosts on the prod network to RDP to the isolated servers I set up VIPs for them and NAT rules which allow RDP (TCP 3389) sent to the VIPs to get to the isolated servers (1 VIP per server).
One server (server A) in the isolated network uses a SQL server (server B) also in the isolated network. I can set up an ODBC connection from server A to server B if I use the FQDN. However if I use the short name of server B the ODBC connection fails.
What I have done:
1. Ensured SPNs are configured for FQDN and short name
2. Validated name resolution via DNS is working properly
3. Traced the traffic with Wireshark during the failure
When I trace from server A while testing the ODBC connection (set up with shortname) I see that server A is trying to connect to server B's VIP and there is never a DNS query (even though I flushed the client DNS cache)!?! If I test the ODBC connection while using FQDN I see a DNS query, a good response and a normal session setup with the internal IP address of server B (normal behavior). If I remove the default gateway of server A (which points to the pfsense box) then repro the test with the shortname, the ODBC test still fails but server A does not try the VIP. It is as if the pfsense box is somehow supplying the VIP of server B to server A.
Has anyone ever seen anything like this and/or do you have any thoughts as to how to troubleshoot this?
-
Are you doing a full traffic capture?
It could be doing some other kind of name query (like NBNS) and skipping DNS.
-
Thanks for the reply. I just found the issue this evening... there was a registry entry on the server which pointed to the VIP of the SQL server. Not sure where it came from, but once I fixed that all was well. Thanks again.
Steve
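The thread's own checks (DNS, a packet capture) could not see the override because a client-side name mapping never produces a DNS query or any traffic to the resolver. The script below is an added example, not something posted in the thread, that runs on the client (server A in the question) and looks in the places such a mapping usually lives: the DNS answer for the short name versus the FQDN, the hosts file, SQL Server client aliases, and ODBC system DSNs. The server names and the VIP address are placeholders; the thread never says which registry key held the VIP, so the SQL client alias and ODBC DSN keys are the usual candidates, not the one the poster found.

```powershell
# Added troubleshooting script (not from the original thread). Assumptions:
# - Runs on the client (server A) under Windows PowerShell 5.1 on Server 2012 R2 or later.
# - $ShortName, $Fqdn and $SuspectIp are placeholders for server B's names and its NAT VIP.
# - The thread does not name the registry key that held the VIP; the SQL Server client
#   alias keys and ODBC DSN keys below are the usual places a hostname-to-IP override lives.
param(
    [string]$ShortName = 'SERVERB',
    [string]$Fqdn      = 'serverb.lab.example',
    [string]$SuspectIp = '192.0.2.10'   # documentation-range placeholder for the VIP
)

$ipPattern = [regex]::Escape($SuspectIp)
Clear-DnsClientCache

# 1. What does DNS return for each name form? A short name is completed from the suffix
#    search list, so if the two answers differ the problem is in DNS, not a client override.
foreach ($name in @($ShortName, $Fqdn)) {
    $answers = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
    '{0,-30} -> {1}' -f $name, ($answers -join ', ')
}
'Suffix search list: ' + ((Get-DnsClientGlobalSetting).SuffixSearchList -join ', ')

# 2. The hosts file is consulted before DNS and never shows up in a packet capture.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsFile |
    Where-Object { $_ -notmatch '^\s*#' -and ($_ -match $ShortName -or $_ -match $ipPattern) } |
    ForEach-Object { "hosts file entry: $_" }

# 3. SQL Server client aliases. A value such as 'DBMSSOCN,192.0.2.10,1433' makes every
#    SQL client library on this host connect to that address for the alias name with no
#    DNS lookup at all, which matches the "connects to the VIP, no DNS query" symptom.
$aliasKeys = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
)
foreach ($key in $aliasKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, etc.
        $flag = if ("$($p.Value)" -match $ipPattern) { '   <-- points at the VIP' } else { '' }
        'SQL alias {0} = {1}{2}' -f $p.Name, $p.Value, $flag
    }
}

# 4. ODBC system DSNs: the 'Server' value of a DSN can carry an IP instead of a name,
#    which also bypasses name resolution for that data source.
$dsnRoots = @('HKLM:\SOFTWARE\ODBC\ODBC.INI', 'HKLM:\SOFTWARE\WOW6432Node\ODBC\ODBC.INI')
foreach ($root in $dsnRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root | ForEach-Object {
        $server = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Server
        if ($server) {
            $flag = if ("$server" -match $ipPattern) { '   <-- points at the VIP' } else { '' }
            'ODBC DSN {0}: Server={1}{2}' -f $_.PSChildName, $server, $flag
        }
    }
}
```

Run it elevated so the HKLM keys are readable. Anything flagged in steps 2 to 4 explains a connection that reaches the VIP without a DNS query; if nothing is flagged and step 1 shows the short name resolving to the internal address, the override is somewhere the script does not look (for example a user DSN under HKCU or a connection string embedded in the application) and a Process Monitor registry trace of the client during the failed test is the next step.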