Static and Dynamic NAT breaks DNS resolution


mnm_man8...@nospam.hotmail.com

Oct 21, 2003, 7:52:17 PM10/21/03
Hi all...

I ran into an interesting issue last night and wanted to poll the forum for
suggestions.

My client has been experiencing DNS resolution issues for the last week -
mostly a case of GWIA not being able to resolve MX records. During the
course of the troubleshooting, I discovered that the server itself was
intermittently unable to resolve DNS when doing pings from the console.
We went through and unloaded filters, unloaded BorderManager, etc., and the
only way we were able to reliably get name resolution was to eliminate
Static & Dynamic NAT and go to Dynamic only. The server in question is a
NetWare 5.1 server with BorderManager 3.6.

A few questions:

a) I vaguely remember there being issues with having Static and Dynamic
enabled simultaneously - is this still the case?

b) any additional suggestions on troubleshooting the issue?

Thx in advance...

Craig Johnson

Oct 22, 2003, 12:15:20 AM10/22/03
In article <REjlb.6414$ZE4....@prv-forum2.provo.novell.com>, wrote:
> a) I vaguely remember there being issues with having Static and Dynamic
> enabled simultaneously - is this still the case?

I cannot remember any such issue ever coming up with BMgr.


>
> b) any additional suggestions on troubleshooting the issue?

What is being static NAT'd? If the NAT'd host is critical to your DNS
configuration, and the public secondary IP address is not present, that
server will fail NAT-based communications. You might also be seeing some
sort of intermittent stateful filter exception failure regarding DNS
exceptions. (Be sure you are patched per tip #1 at the URL below).

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***

mnm_man8...@nospam.hotmail.com

Nov 11, 2003, 4:07:53 PM11/11/03
Craig,

thanks for the response and I apologize for the delay in getting back to
you. Life gets in the way ;-)

See my responses below...

> In article <REjlb.6414$ZE4....@prv-forum2.provo.novell.com>, wrote:
> > a) I vaguely remember there being issues with having Static and Dynamic
> > enabled simultaneously - is this still the case?
>
> I cannot remember any such issue ever coming up with BMgr.

it's been quite awhile and I may be remembering an older version.

> >
> > b) any additional suggestions on troubleshooting the issue?
>
> What is being static NAT'd? If the NAT'd host is critical to your DNS
> configuration, and the public secondary IP address is not present, that
> server will fail NAT-based communications. You might also be seeing some
> sort of intermittent stateful filter exception failure regarding DNS
> exceptions. (Be sure you are patched per tip #1 at the URL below).
>

The device being NAT'd to is a UNIX server and only needs to be for remote
administration via SSH. What we're seeing is the following:

NAT set to "Dynamic Only" (with NAT Dynamic mode to pass thru = ON): traffic
flows normally.
NAT set to "Static and Dynamic": if the BorderManager server comes up
first, traffic appears to flow normally even with filters up; if the UNIX
server is up when the BorderManager server starts NAT'ing, we see DNS
resolution failures (most notably in GWIA, 450 MX errors) unless the
filters are down. Unfortunately, I don't know the configuration on the
UNIX server and whether it's got a DNS server on it, etc. Joys of
being "the Novell consultant". I do know that the BM server is NOT using
the UNIX box for DNS resolution, so I don't understand why that's affecting
the outcome.

At this point, I know the BM server is behind on patches but the client is
hesitant to proceed without a firm quote on hours. In addition, I'm
hesitant to mess with a "working" solution. The UNIX admin uses SSH VERY
infrequently and, IMHO, it's not worth messing with.

Any further suggestions you might have would be much appreciated.

Mike McMahon, CNE

mnm_man8...@nospam.hotmail.com

Nov 13, 2003, 4:05:13 PM11/13/03
> In article <Jccsb.117$j07...@prv-forum2.provo.novell.com>, wrote:
> > Any further suggestions you might have would be much appreciated.
> >
> It sounds to me like static NAT may be misconfigured. Be sure you are
> not NATing a primary address of the BMgr server to something else.
> (Unless you are NATing the private IP address to itself, for a VPN
> issue). Static NAT also requires secondary IP addresses, and if they
> are not there (DISPLAY SECONDARY IPADDRESS), then your NAT'd hosts will
> fail with outbound traffic that worked previously with dynamic NAT.
>

Craig -

I suppose I should have given you more information - here's the
configuration:

BorderManager Public IP: 64.110.xxx.10
BM Private IP: 192.168.0.1
BM Secondary IP (external) for UNIX server: 64.110.xxx.11
UNIX Server internal IP: 192.168.0.250

If the BorderManager server is set for Dynamic Only, the GWIA NLM (running
on the BorderManager server) is able to resolve MX records properly. If
it's set to Static and Dynamic (with a static entry for the UNIX server,
64.110.xxx.11 -> 192.168.0.250), the GWIA NLM will generate 450 MX
errors. In addition, if the Static NAT entry is present, I'm unable to
resolve DNS for pings, etc. (from the BorderManager server console), but
things like the Proxy server function properly.


> Have a look at the URL below, if you think some books on BMgr may be
> useful to you.

Craig Johnson

Nov 15, 2003, 1:31:47 PM11/15/03
You are sure the secondary address is there?

Have a look at tip #48 at the URL below.
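Added worked example (not part of the thread, and not Novell or BorderManager code): a small Python model of a router that does 1:1 static NAT alongside many-to-one dynamic NAT, with the two checks Craig asks for written as code (a static entry must use a secondary address the public interface actually holds, and must not NAT the router's primary address). It then traces where a DNS reply to the router's own query and an outbound packet from the statically NAT'd host end up under a correct configuration, a configuration with the secondary address missing, and one where the primary address is statically mapped. Addresses are constructed: 203.0.113.10/.11 (RFC 5737 documentation space) stand in for the redacted 64.110.xxx.10/.11 in Mike's post, 192.168.0.1 and 192.168.0.250 are taken from it, and the resolver address is made up. The model says nothing about which case Mike's server is actually in; it only shows what each misconfiguration does to traffic.

```python
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    """Toy model of a router doing 1:1 static NAT plus many-to-one dynamic NAT."""
    primary_public: str            # the router's own public address
    private: str                   # the router's LAN-side address
    held: set                      # public addresses the public NIC really holds (primary + secondaries)
    static: dict                   # public -> private 1:1 mappings
    dynamic: bool = True           # "Dynamic" mode: other LAN hosts share primary_public
    table: dict = field(default_factory=dict)  # dynamic state: (remote, remote_port) -> LAN host

    def check_config(self):
        """The two sanity checks from the replies above, as code."""
        problems = []
        for pub, priv in self.static.items():
            if pub == self.primary_public and priv != self.private:
                problems.append(f"{pub} -> {priv}: static entry NATs the router's primary address")
            if pub not in self.held:
                problems.append(f"{pub} -> {priv}: {pub} is not a secondary address on the public interface")
        return problems

    def outbound(self, src, dst, port):
        """LAN -> Internet. Returns the source address the packet leaves with, or None if it cannot work."""
        if src in (self.private, self.primary_public):
            return self.primary_public          # the router's own traffic (GWIA, console pings) is not NAT'd
        for pub, priv in self.static.items():
            if priv == src:                     # a static entry wins over dynamic NAT
                return pub if pub in self.held else None   # unheld source: nothing answers for it, no replies
        if self.dynamic:
            self.table[(dst, port)] = src       # simplified: keyed on the remote end only
            return self.primary_public
        return None

    def inbound(self, src, dst, port):
        """Internet -> router. Returns which host the packet is delivered to."""
        if dst in self.static and dst in self.held:
            return self.static[dst]             # 1:1 mapping, e.g. inbound SSH to the UNIX box
        if dst == self.primary_public:
            return self.table.get((src, port), "router")   # dynamic reply, else the router's own socket
        return None                             # not an address we hold


RESOLVER = "198.51.100.53"   # constructed upstream DNS server address


def dns_round_trip(router):
    """The router sends its own DNS query; who receives the answer?"""
    leaves_as = router.outbound(router.private, RESOLVER, 53)
    return router.inbound(RESOLVER, leaves_as, 53)


def good_config():
    return NatRouter("203.0.113.10", "192.168.0.1",
                     {"203.0.113.10", "203.0.113.11"},
                     {"203.0.113.11": "192.168.0.250"})


def missing_secondary():
    # static entry present, but the .11 secondary was never bound on the public NIC
    return NatRouter("203.0.113.10", "192.168.0.1",
                     {"203.0.113.10"},
                     {"203.0.113.11": "192.168.0.250"})


def primary_mapped():
    # static entry mistakenly uses the router's own primary address
    return NatRouter("203.0.113.10", "192.168.0.1",
                     {"203.0.113.10", "203.0.113.11"},
                     {"203.0.113.10": "192.168.0.250"})


if __name__ == "__main__":
    for name, mk in [("good", good_config), ("missing secondary", missing_secondary),
                     ("primary mapped", primary_mapped)]:
        r = mk()
        print(name, r.check_config(),
              "| router's DNS reply delivered to:", dns_round_trip(r),
              "| UNIX box leaves as:", r.outbound("192.168.0.250", RESOLVER, 53))
```

In the model, a missing secondary address leaves the router's own resolution working but silently kills outbound traffic from the statically NAT'd host, while a static entry on the primary address forwards replies meant for the router's own sockets (its DNS queries included) to the NAT'd host instead. On the real box, DISPLAY SECONDARY IPADDRESS at the console answers the first question and the static NAT table answers the second.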