12-02-2017 01:03 AM - edited 03-05-2019 09:34 AM
Hiya,
So we have 2 physical sites (Datacenter and DR site), about 40 miles apart with an L2 link connecting the two together. Both sites have a 200/200 Mbps ISP link and we have configured our firewalls to have /30 ranges connected to both routers so that under normal circumstances internet traffic routes out the local router, but if the router is unavailable it will traverse the L2 and out the other router.
When using the primary routes, DNS works fine, but when we do a failover we lose 5 pings, then connectivity is restored but external DNS resolution on our Active Directory domain controllers' DNS forwarders fails. We are using BT's main DNS servers and this is configured at both sites, so it's not as though the servers aren't available for some reason via the other site's ISP connection. Pings and traceroutes by IP work fine; it's just DNS, and of course without DNS the failover is almost useless!
When I look at the logs on the firewall during the failover, I can see DNS traffic going out to these servers, so it doesn't look like a firewall problem.
Any ideas?
Thanks
Chris
12-02-2017 06:38 AM
Ignore this - we had a firewall policy that I hadn't spotted that was configured to use the outbound interface rather than one of our /27 for NAT, so when it failed over the traffic was NATing using an IP that didn't exist on the failover router and so was being dropped at the router, not the firewall. Added a pool and all is working nicely.
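Added example (not part of the thread above, and not tied to any particular firewall vendor): a small Python audit that models the failure Chris found. Each upstream router is described by the source prefixes it will route for the firewall (its own /30 towards the firewall plus the shared public /27), and each outbound NAT policy by the address range it translates sources to. A policy that NATs to the DC-facing interface address works while traffic leaves via the DC router but is dropped by the DR router, which has no route for that /30; a pool carved from the /27 passes on both. All prefixes, router names and policy names are constructed for the illustration; the two-router layout and the "interface address vs. pool" distinction are the only parts taken from the posts.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Router:
    """An upstream router and the source prefixes it will route for the firewall."""
    name: str
    accepted: tuple[IPv4Network, ...]


@dataclass(frozen=True)
class NatPolicy:
    """An outbound NAT policy and the range it translates sources to.

    A /32 models "NAT to the outbound interface address"; a wider range
    models a NAT pool.
    """
    name: str
    nat_source: IPv4Network


def routers_dropping(policy: NatPolicy, routers: list[Router]) -> list[str]:
    """Names of routers that would drop traffic NATed by this policy.

    A router drops the flow when none of the prefixes it routes for the
    firewall covers the whole NAT source range: the packets either fail its
    source check on the way out or have no return path on the way back.
    """
    return [
        r.name
        for r in routers
        if not any(policy.nat_source.subnet_of(prefix) for prefix in r.accepted)
    ]


def audit(policies: list[NatPolicy], routers: list[Router]) -> dict[str, list[str]]:
    """Map policy name -> routers on which it breaks (empty list = safe on every egress)."""
    return {p.name: routers_dropping(p, routers) for p in policies}


def failover_ok(policy: NatPolicy, routers: list[Router], failed: str) -> bool:
    """True if the policy still works when router `failed` is down.

    The firewall reroutes via whatever routers remain, so every surviving
    router must accept the policy's NAT source.
    """
    survivors = [r for r in routers if r.name != failed]
    return not routers_dropping(policy, survivors)


# --- constructed topology (documentation ranges, not the poster's real addresses) ---
PUBLIC_27 = ip_network("198.51.100.0/27")  # public /27 that both routers route to the firewall
DC_LINK = ip_network("192.0.2.0/30")       # firewall <-> DC router point-to-point
DR_LINK = ip_network("192.0.2.4/30")       # firewall <-> DR router point-to-point (over the L2)

ROUTERS = [
    Router("dc-router", (DC_LINK, PUBLIC_27)),
    Router("dr-router", (DR_LINK, PUBLIC_27)),
]

POLICIES = [
    # Modelled version of the faulty policy: NAT to the firewall's DC-facing
    # interface address. Only the DC router knows 192.0.2.0/30.
    NatPolicy("dns-out-interface", ip_network("192.0.2.1/32")),
    # Modelled version of the fix: NAT from a pool inside the /27 both routers route.
    NatPolicy("dns-out-pool", ip_network("198.51.100.16/28")),
]


if __name__ == "__main__":
    for name, broken_on in audit(POLICIES, ROUTERS).items():
        status = "OK on all egress routers" if not broken_on else f"dropped by {', '.join(broken_on)}"
        print(f"{name}: {status}")
    for policy in POLICIES:
        print(f"{policy.name} survives loss of dc-router: {failover_ok(policy, ROUTERS, 'dc-router')}")
```

The check is deliberately independent of any firewall syntax: export the NAT policies and the routers' accepted prefixes into these two dataclasses and run the audit before the next failover test, rather than discovering an interface-bound NAT rule from a dead DNS forwarder. Note that `subnet_of` requires both networks to be the same IP version; mixed IPv4/IPv6 deployments would need a version check before the comparison.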
12-02-2017 06:55 AM - edited 12-02-2017 06:56 AM
Hello,
Can both ADs ping each other by name? This might be AD failover/replication related...
P.S.: Just saw that you got it resolved, never mind my post...