Diagnostics -> Ping not resolving names but Client PC's do



  • Hi all,

    More an annoyance than anything else.

    I have a site to site VPN setup. Cisco ASA 5510 in London and pfSense 1.2.3 in New York.

    Tunnel is up and running fine. I've included London's internal DNS server in the DNS list on the NYC pfSense so that clients can access internal hosts. This, again, works fine.

    BUT, when I go to Diagnostics -> Ping and try to ping an internal name I get no reply. IP number replies fine.

    Any ideas why this should be? Is it a bug? Like I say, everything is working fine so I don't really want to change anything (if it ain't broke, don't fix it) but just interested why this should be.

    Sparrowlegs.



  • @sparrowlegs:

    BUT, when I go to Diagnostics -> Ping and try to ping an internal name I get no reply. IP number replies fine.

    What output do you get from the failing ping? You haven't provided enough information to distinguish between (say) delay in translating name to IP address and name getting translated to "incorrect" address.

    The shell commands # nslookup name and # dig name can be used to explore the name to IP address translations.



  • Thanks for the swift reply

    This is the output from a test ping:

    Ping output:
    PING ess-dc-001.internal.co.uk (193.227.xxx.xxx) from 192.168.8.1: 56 data bytes

    --- ess-dc-001.internal.co.uk ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss

    Very odd, as the 193.227 address is located on a secondary site to site VPN tunnel at another location.

    I've done a dig [name] and it returns this:

    $ dig ess-dc-001

    ; <<>> DiG 9.4.3-P2 <<>> ess-dc-001
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39772
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;ess-dc-001. IN A

    ;; Query time: 6 msec
    ;; SERVER: 216.174.124.xxx#53(216.174.124.xxx)
    ;; WHEN: Fri Nov 19 08:33:56 2010
    ;; MSG SIZE  rcvd: 28

    I should have mentioned that I have two DNS entries in the pfSense config, my internal DNS provider in London and the New York ISP DNS as well. If I remove the NYC DNS the internet fails. This number - 216.174.124.xxx - is the NYC DNS. My internal DNS is 192.168.16.x but it doesn't seem to get a look in.



  • You have specified two DN servers. pfSense will ask both servers at the same time for a name to IP address translation and use whatever reply comes back first.

    The NYC DNS has the wrong translation? Then fix it. Or maybe the NYC DNS has the wrong translation for your site? Then "fix" it with a local override. If you are using the pfSense DNS forwarder then add an override entry (Web GUI: Services -> DNS Forwarder), otherwise, if you really need to use the NYC DNS then you might also need to figure out how to get the "correct" response before the NYC response comes in.

    Maybe you need to use a duplicate set of names to translate to "internal" IP addresses.
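
Added example, not part of the thread: one way to check which configured DNS server actually answered a lookup, following the reply above. It parses `dig` output, using the output posted earlier in the thread as sample input. The function names are hypothetical, and `per_resolver` assumes `dig` and network access to each server.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not pfSense tooling.

# Sample input: the dig output posted in the thread (addresses masked as posted).
sample_dig_output() {
cat <<'EOF'
; <<>> DiG 9.4.3-P2 <<>> ess-dc-001
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39772
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 216.174.124.xxx#53(216.174.124.xxx)
EOF
}

# dig_summary: read dig output on stdin, print "STATUS ANSWER_COUNT SERVER".
dig_summary() {
    awk '
        /->>HEADER<<-/ { for (i = 1; i < NF; i++) if ($i == "status:") st = $(i + 1) }
        /^;; flags:/   { for (i = 1; i < NF; i++) if ($i == "ANSWER:") an = $(i + 1) }
        /^;; SERVER:/  { sv = $3; sub(/#.*/, "", sv) }
        END {
            sub(/,$/, "", st); sub(/,$/, "", an)
            print (st != "" ? st : "NONE"), (an != "" ? an : 0), (sv != "" ? sv : "-")
        }'
}

# verdict EXPECTED_SERVER: read dig output on stdin and classify it.
verdict() {
    expected=$1
    set -- $(dig_summary)
    status=$1 answers=$2 server=$3
    if [ "$server" != "$expected" ]; then
        echo "wrong-resolver"   # a different configured server replied
    elif [ "$status" != "NOERROR" ] || [ "$answers" -eq 0 ]; then
        echo "no-answer"        # expected server replied, but without a record
    else
        echo "ok"
    fi
}

# per_resolver NAME SERVER...: query each server on its own and summarise.
per_resolver() {
    name=$1; shift
    for s in "$@"; do
        printf '%s: ' "$s"
        dig "@$s" "$name" | dig_summary
    done
}

# The posted output, checked against the internal server named in the thread.
sample_dig_output | verdict 192.168.16.x
```

Running `per_resolver` with the name and each configured server in turn shows each server's answer separately, which is what distinguishes a slow internal resolver from an external one that replies first.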


  • Rebel Alliance Developer Netgate

    If the DNS query from pfSense is supposed to go across the IPsec tunnel, you also need to be aware of this:

    http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

