Reset Search
 

 

Article

KB43736 - Unable to access IPV4 resources with error "Cannot resolve DNS" or "Unable to resolve hostname" via Core access after upgrading to 8.3

« Go Back

Information

 
Last Modified Date4/13/2018 1:51 PM
Synopsis
This article describes an issue where IPV4 resource accessed via core access fails after an upgrade to 8.3R1 due to DNS resolution failure.The affected access mechanisms are rewrite, PTP and Authorization only access.Under Network Overview > Network Settings >Preferred DNS Response is set as IPV4.
Problem or Goal
End users cannot access IPV4 internal resources via core access due to DNS resolution failure.
Cause
This issue occurs when PCS does an IPv6 query for the resource host name and an incorrect response is received from the DNS server for IPv6 record query.

Post 8.3, a design change was implemented to support IPv6 via Core access. As per the IPv6 design standards, the client will do an AAAA Resource Record (RR) query ( for IPv6 address) along with an A RR ( for IPv4) to an authoritative DNS server. If the DNS server does not have an AAAA RR for a host name, it is expected to return a response code of 0 ( indicating no error ) and with an empty answer section. Such a response indicates that there is at least one RR of a different type than AAAA for the queried name, and the PCS can then look for A RRs, in other words to fallback to IPv4 response. In the event of any other response, PCS will retry the query multiple times until a failure is determined and resource access fails.

7551    21.635956    x.x.x.x      y.y.y.y    DNS    74    Standard query 0x5e60 A test.pulsesecurelab.com
7552    21.638325    y.y.y.y       x.x.x.x   DNS    90    Standard query response 0x5e60 A test.pulsesecurelab.com A z.z.z.z 

7553    21.638381    x.x.x.x    y.y.y.y    DNS    74    Standard query 0xf558 AAAA test.pulsesecurelab.com
7554    21.640771    y.y.y.y    x.x.x.x    DNS    74  
 Standard query response 0xf558 Server failure AAAA test.pulsesecurelab.com

We will see an error message in user access or event logs as below :

Reason Cannot resolve DNS
Unable to resolve hostname

For active sync access :

WebRequest Failed : Host: mail.pulsesecurelab.com, Request: /Microsoft-Server-ActiveSync?User=&DeviceId=&DeviceType=iPhone&Cmd=Sync Reason Cannot resolve DNS
 
Solution
To resolve this problem, please upgrade to Pulse Connect Secure 8.3R6 and above.

As a workaround until we have a fix in code, we can configure the DNS server to respond with a Response code of 0 for same.We can also add a host Entry under System > Network > Hosts on PCS admin UI if the resource FQDN resolves to a single IP.

 
Related Links
https://tools.ietf.org/html/rfc4074
Attachment 1 
Created ByRohit Shetty

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255