
Firewall not picking up IP for FQDN

I have a firewall rule to allow outgoing connections for TeamViewer using an FQDN of *.teamviewer.com

However, when local endpoints try to connect using one of the IPs in this FQDN, the firewall blocks the request due to it bypassing the rule.

I can see the IP under this FQDN in the hosts and services.

This rule has been working fine for 12+ months. Any idea why this may not be working now?



  • Hello,

    Greetings,

    You may enable FQDN-host eviction with an interval of 60 seconds and validate it further.

    You may also refer to the below KBA:

    https://support.sophos.com/support/s/article/KB-000041593?language=en_US

    If enabling the suggested settings does not help, I would suggest raising it with support, as we have one known issue (NC-100716) with it.

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support


  • That is interesting. 

    I get results saying IP is not in set hostset on the CLI. However, in the GUI it is clearly showing the same IP included. I also have one computer that can connect and passes this rule and another PC that keeps bypassing the rule for that same IP.

    Should GUI and CLI have different results here?

    The DNS request is always returning the same IPs, so I am not sure why it keeps dropping off.

    When I rename the FQDN in the GUI and change it back, this clears all the current records on it and allows both computers to connect again.

    I assume that using "set fqdn-host cache-ttl 86400" to extend the TTL may help keep the IP in the set longer.

  • Hi,

    What version of XG software are you currently using, and did you upgrade recently? The users should not be using the IP address, but the FQDN.

    Ian

    XG115W - v19.5.1 mr-1 - Home


  • We did upgrade around a month ago, to 18.5.4 MR-4-Build418.

  • If this matters at all:

    Before resetting/clearing the FQDN in the GUI by renaming it, I found the following behavior in the CLI:

    Doing an nslookup from the CLI on the XG for a domain did not add the returned IP to the hostset.

    After resetting/clearing the FQDN in the GUI by renaming it, I found the following behavior in the CLI:

    Doing an nslookup from the CLI on the XG for the same domain did add the returned IP to the hostset.

    XG CLI# nslookup au-per-anx-r001.router.teamviewer.com
    Domain Name Server#  127.0.0.1
    Domain Name       #  au-per-anx-r001.router.teamviewer.com
    Resolved Address 1#  144.208.223.164
    Total query time  #  54.84 msec
    Domain Name       #  au-per-anx-r001.router.teamviewer.com
    Resolved Address 1#  2a00:11c0:95:6:144:208:223:164
    Total query time  #  55.86 msec
    
    XG CLI# /sbin/ipset test hostset fqdn,714,0,144.208.223.164
    HOSTID=714,TYPE=fqdn
            144.208.223.164 is NOT in set hostset.
    XG CLI# /sbin/ipset test hostset fqdn,714,0,144.208.223.164
    HOSTID=714,TYPE=fqdn
            144.208.223.164 is NOT in set hostset.
    XG CLI# /sbin/ipset test hostset fqdn,714,0,144.208.223.165
    HOSTID=714,TYPE=fqdn
            144.208.223.165 is in set hostset.
    XG CLI# /sbin/ipset test hostset fqdn,714,0,144.208.223.165
    HOSTID=714,TYPE=fqdn
            144.208.223.165 is in set hostset.
    XG CLI# /sbin/ipset test hostset fqdn,714,0,144.208.223.164
    HOSTID=714,TYPE=fqdn
            144.208.223.164 is NOT in set hostset.
    XG CLI# nslookup au-per-anx-r001.router.teamviewer.com
    Domain Name Server#  127.0.0.1
    Domain Name       #  au-per-anx-r001.router.teamviewer.com
    Resolved Address 1#  144.208.223.164
    Total query time  #  55.11 msec
    Domain Name       #  au-per-anx-r001.router.teamviewer.com
    Resolved Address 1#  2a00:11c0:95:6:144:208:223:164
    Total query time  #  40.82 msec
    
    XG CLI# /sbin/ipset test hostset fqdn,714,0,144.208.223.164
    HOSTID=714,TYPE=fqdn
            144.208.223.164 is in set hostset.
    XG CLI#
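
The check done by hand in the CLI session above (an nslookup, then `ipset test` on the returned address) can be run over a saved session log to list every address that had already been resolved but was still reported as not in the set. This is an added example, not part of any post in this thread; the transcript in it is constructed, with a placeholder hostname, host ID and addresses, and the function name `audit` is hypothetical.

```python
import re

# Constructed transcript in the same format as the session posted above.
# Hostname, host ID and addresses are placeholders, not values from the thread.
SAMPLE = """\
XG CLI# nslookup host.example.com
Resolved Address 1#  192.0.2.10
XG CLI# /sbin/ipset test hostset fqdn,1,0,192.0.2.10
        192.0.2.10 is NOT in set hostset.
XG CLI# nslookup host.example.com
Resolved Address 1#  192.0.2.10
XG CLI# /sbin/ipset test hostset fqdn,1,0,192.0.2.10
        192.0.2.10 is in set hostset.
"""

# "Resolved Address N#  <ip>" lines printed by nslookup on the device CLI
RESOLVED = re.compile(r"Resolved Address \d+#\s+(\S+)")
# "<ip> is [NOT ]in set <name>." lines printed by ipset test
MEMBER = re.compile(r"^\s*(\S+) is (NOT )?in set (\S+?)\.?\s*$")


def audit(transcript):
    """Return (line_no, ip, set_name) for each membership test that failed
    for an address an earlier nslookup in the same transcript resolved."""
    resolved = set()
    findings = []
    for line_no, line in enumerate(transcript.splitlines(), 1):
        m = RESOLVED.search(line)
        if m:
            resolved.add(m.group(1))
            continue
        m = MEMBER.match(line)
        # group(2) is set only when the line says "NOT in set"
        if m and m.group(2) and m.group(1) in resolved:
            findings.append((line_no, m.group(1), m.group(3)))
    return findings


if __name__ == "__main__":
    for line_no, ip, set_name in audit(SAMPLE):
        print(f"line {line_no}: {ip} resolved earlier but not in {set_name}")
```
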
    

  • Hello,

    Thank you for the update. As I mentioned, in some cases enabling IP eviction helped, and if that did not help, I suggest raising a support case with the logs you have added and mentioning the bug ID (NC-100716).

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support
