Resolved – Advisory: Sophos DDNS Service

We are currently migrating the Sophos DDNS service to a more robust and scalable infrastructure; in the interim, we are aware of issues related to service accessibility and reliability. If you are experiencing issues or have mission-critical applications that depend on DDNS, we recommend that you consider a third-party DDNS provider in the interim.

Intermittent communication issues may be observed for systems that use the Sophos Dynamic DNS service. Changes to the IP of the XG may not be updated for the Dynamic DNS entry. In addition, adding a new host may take several attempts before a successful registration.

The new infrastructure has been migrated and all zones are now working off of this new platform. No further updates since this issue is considered resolved.



Advisory: Sophos XG Firewall – Dynamic DNS myfirewall.co service unavailable

Advisory: Sophos is investigating an issue related to the dynamic DNS myfirewall.co service failing for users

Users may experience issues adding, deleting, or updating Sophos Dynamic DNS entries.

Applies to the following Sophos product(s) and version(s)

Sophos Firewall

Communication issues may occur on systems that use the Sophos Dynamic DNS service. Changes to the IP of the XG may not be updated for the Dynamic DNS entry.

This issue is now resolved

Please check back on this article for the latest updates

This article will be updated when information becomes available.



How to Use Port Control Protocol in NetScaler?

This article describes how to use Port Control Protocol in NetScaler.

Background

In today's networks, NAT devices play an important role in providing IPv4 preservation, IPv6 migration, and security, so the chance of packet translation occurring somewhere in an end-to-end communication is quite high. To give applications control over these NAT devices, the Port Control Protocol was developed (RFC 6887). Port Control Protocol, commonly referred to as PCP, enables applications and equipment to read/write explicit mappings between an external IP address, protocol, and port and an internal IP address, protocol, and port. These explicit mappings allow inbound communication to reach hosts behind a NAT or firewall.

Why PCP?

With DHCP the internal IP address changes often, and thus the external IP address/port also changes frequently. When hosting a service on a server behind a firewall or NAT, this frequently changing external IP address/port poses a challenge. Below is a list of problems commonly faced in a NAT environment.

Problems

  • Hosting web services in a private network leads to Dynamic DNS issues (the NAT IP changes when IP addresses are reallocated)
  • Need to monitor/access Home Gateway (HG) devices from outside/the office
    • No control over the NAT and firewall
    • Have to raise a request to the service provider for a static mapping
  • Internet of Things (rapid growth of HG devices)
    • Keep-alive messages consume bandwidth
    • Battery consumption on mobile devices

Solution

PCP comes to the rescue here by providing the following support to overcome the problems listed above.

  • PCP clients can obtain updated mappings from the NAT device using PCP
  • Gives control to applications/devices at the HG
    • Whenever one wants to act as a service, it can request a mapping from its upstream devices
    • Applications decide when the session at the upstream devices should terminate

Primary Use Cases for DDNS with PCP

PCP Communication

Port Control Protocol (PCP) keeps the device (PCP client) and the NAT/CGN server (PCP server) dynamically aware of changes in both the internal and external IP address and port number. NetScaler should be able to receive PCP requests from any client and provide the appropriate response.


PCP works in a client-server model over UDP and uses various OPCODEs to perform PCP operations. In NetScaler, the PCP server can be used with NAT44, NAT64 and DS-Lite.


How to Configure the GSLB Static Proximity Feature in a NetScaler Appliance

This article contains information about configuring and troubleshooting the static Global Server Load Balancing (GSLB) feature on a NetScaler appliance.

Background

GSLB

A NetScaler appliance with the GSLB feature directs DNS requests to the GSLB site with the best performance. When a client sends a DNS request, the appliance identifies the site with the best performance and sends the IP address of the site to the client. The appliance decides by using the Metric Exchange Protocol (MEP), GSLB policies, and GSLB methods supported by the appliance. The GSLB methods are algorithms that control how the appliance load balances the client requests across the distributed data centers.

You can configure the GSLB feature based on the round trip time (RTT), static proximity, or a combination of the two.

Static Proximity

The static proximity feature uses an IP address-based static location database. This database maps IP addresses (GeoIP data) to the location to which each site belongs. When a user visits the website, the GeoIP lookup can determine information such as country, region, city, and longitude/latitude. The database used to implement the static proximity method usually contains information about all the GSLB sites. The appliance uses this database to determine the proximity between the client's Local DNS (LDNS) and the GSLB sites, and sends the IP address of the site that is closest to the client.

Note: In the static GSLB database the locations consist of an IP address range and up to six qualifiers for this range.

To use the static proximity feature, you have to upload the database to the appliance. A custom database is stored in ns.conf, while a static third-party database or the appliance's own database is stored in the /var/netscaler/locdb directory by default.

Static Proximity When Using a NetScaler Appliance

A client sends a request for a domain to access an application through a resource such as the internet, email, or VPN. For example, the client requests www.example.com using the browser. The information for this website is stored at two different data centers, Site A and Site B. If the IP address for the domain is not found in the local cache, the browser sends a request to the client's LDNS server.

If the LDNS server does not have an IP address for a requested domain, then it sends a query to a NetScaler appliance that is configured as the authoritative DNS server for the domain.

When the appliance receives the request from the client's LDNS, it uses the static database to determine whether the IP address and location information of the client exist.

The appliance then sends the IP address of the nearest data center to the client and the client browser displays the web page.


How to Configure GSLB Setup for Internal Users From GUI

This article contains information about how to configure a GSLB setup for internal users using the same host name.

In some scenarios, the administrator requires that all external users (coming through the Internet) go through the Access Gateway, whereas all internal users within the domain can simply log on to the Web Interface or receive an internal IP address.

NOTE:

It is not necessary to create an explicit external view for external users as anything that passes through the DNS policy goes through the regular GSLB load balancing policy or method.

Requirements

A NetScaler appliance installed with NetScaler software release 8.0 or later configured with GSLB basic setup. You must configure the following in the basic GSLB setup:

  • One remote and/or local GSLB virtual server

  • Two GSLB services, one local and the other remote service, or both local services

  • The services are bound to the domain using the virtual server

Background

To implement this solution, DNS views are used.

The policies associated with the DNS Views can be configured to provide different views or IP addresses depending on various network attributes, such as Interface, IP (LDNS), and PORT.

What are the steps to change the IP address on Impact 7.1 system?

The current hardware is end of service life and all applications are reinstalled on new servers. We will be keeping the old IP addresses.

Swapping the IP addresses of the old servers with the new servers and updating the DNS entries for the new servers. Need detailed steps to swap/change the IP addresses of the Impact 7.1 (core and GUI) servers.


Event ID 11166 — DNS Client Registration


Updated: November 13, 2007

Applies To: Windows Server 2008

A computer that is configured to use Dynamic Host Configuration Protocol (DHCP) to obtain IP addresses can automatically register its IP address and Domain Name System (DNS) name with the DNS server that is authoritative for the zone that hosts its domain. This eliminates the need for an administrator to manage host (A or AAAA) resource records for client computers. Problems with automatic registration do not prevent a computer from accessing the network, but they can prevent other network computers from being able to locate the computer.

Event Details

Product: Windows Operating System
ID: 11166
Source: DnsApi
Version: 6.0
Symbolic Name: EVENT_DNSAPI_REGISTRATION_FAILED_SECURITY_PRIMARY_DN
Message: The system failed to register host (A) resource records for the network adapter with these settings:
Adapter Name: %1
Host Name: %2
Primary Domain Suffix: %3
DNS server list: %4
Sent update to server: %5
IP Address(es): %6
The system could not register these resource records because of a security-related problem. Possible causes are that your computer does not have permissions to register and update the specific DNS domain name set for this adapter, or there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request. You can retry DNS registration of the network adapter and its settings by typing “ipconfig /registerdns” at a command prompt. If the problems persists, contact your network administrator.

Resolve
Retry DNS registration

When your computer is assigned a new network address automatically, it attempts to notify the DNS server of the change of address. A problem occurred when your computer made this attempt. Often, this is a transient condition, although it can indicate a problem with the DNS server. This condition rarely causes problems for your computer unless you share resources such as folders or printers.

Although it is not necessary, you can direct your computer to try the DNS registration again.

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To register your computer’s address with the DNS server:

  1. On the DNS client computer, open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. At the command prompt, type ipconfig /registerdns, and then press ENTER.

If the problem persists, contact your network administrator and provide the information in the event message. If you are a network administrator, see Troubleshooting Dynamic Updates (http://go.microsoft.com/fwlink/?LinkId=103842) for information about troubleshooting DNS registration.

Verify

Use the ipconfig /registerdns command to register the computer’s network name and address with a DNS server and then check the event log for errors.

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To register the computer’s network name and address with a DNS server:

  1. On the DNS client, open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. Type the following command, and then press ENTER:

    ipconfig /registerdns

Wait 15 minutes, and then check the event log to verify that a DNSapi event with an ID in the range 11150 through 11167 was not logged after you ran the command.

Related Management Information

DNS Client Registration

DNS Infrastructure


Event ID 4017 — DNS Server Active Directory Integration


Updated: November 13, 2007

Applies To: Windows Server 2008

You can configure the DNS Server service to use Active Directory Domain Services (AD DS) to store zone data. This makes it possible for the DNS server to rely on directory replication, which enhances security, reliability, and ease of administration.

Event Details

Product: Windows Operating System
ID: 4017
Source: Microsoft-Windows-DNS-Server-Service
Version: 6.0
Symbolic Name: DNS_EVENT_DS_DNSADMINS_ERROR
Message: The DNS server was unable to load or create the DnsAdmins group. The most likely cause is that the Group Name has been changed. The DNS server will continue but for full functionality the DnsAdmins group should be repaired. The event data contains the error.

Resolve
Correct the group name

The DNS Server service depends on the DnsAdmins group being named DnsAdmins. It is likely that the name of this group has changed, which prevents the DNS Server service from accessing the group. Determine the new name that was given to the group, and then give it the correct name.

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To rename a group:

  1. On a domain controller, start Active Directory Users and Computers. To start Active Directory Users and Computers, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, expand the domain, and then click Users.
  3. In the right pane, right-click the DNS administrators group, click Rename, and then type DnsAdmins.
  4. Press ENTER, and then, in the Rename Group dialog box, click OK.

Verify

Ensure that Event IDs 4523 and 4524 are being logged and that no events in the range 4000 to 4019 appear in the Domain Name System (DNS) event log.
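The two Verify steps above (Event ID 11166: no DnsApi event 11150 through 11167 in the System log after ipconfig /registerdns; Event ID 4017: 4523 and 4524 logged and nothing in 4000 through 4019 in the DNS Server log) can be checked from PowerShell. This is an added example, not code from either Microsoft article; it assumes it runs elevated on the affected machine and that $Since marks when the fix was applied (default: the 15-minute wait the 11166 article suggests).

```powershell
# Added example (not from the Microsoft articles above): automate the Verify
# steps for Event ID 11166 and Event ID 4017 by querying the logs they name.
# Assumptions: elevated session on the affected host; $Since = when the fix
# was applied (defaults to 15 minutes ago, the wait the 11166 article gives).

function Test-DnsClientRegistration {
    param([datetime]$Since = (Get-Date).AddMinutes(-15))
    # 11166 article: after ipconfig /registerdns, no DnsApi event with an ID
    # from 11150 through 11167 should appear in the System log. The provider
    # name 'DnsApi' is the Source listed in the event details.
    $filter = @{ LogName = 'System'; ProviderName = 'DnsApi'
                 Id = 11150..11167; StartTime = $Since }
    $failures = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Check  = 'DNS client registration (Event ID 11166 article)'
        Passed = ($failures.Count -eq 0)
        Events = $failures | Select-Object TimeCreated, Id, Message
    }
}

function Test-DnsServerAdIntegration {
    param([datetime]$Since = (Get-Date).AddMinutes(-15))
    # 4017 article: 4523 and 4524 should be logged, and no event in the
    # 4000-4019 range should appear, in the DNS Server event log.
    $log      = 'DNS Server'
    $expected = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4523, 4524; StartTime = $Since } -ErrorAction SilentlyContinue)
    $problems = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4000..4019; StartTime = $Since } -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Check  = 'DNS Server AD integration (Event ID 4017 article)'
        Passed = ($expected.Count -gt 0 -and $problems.Count -eq 0)
        Events = ($expected + $problems) | Select-Object TimeCreated, Id, Message
    }
}

# Summary table; expand the Events property of a failed check to see the
# offending entries (the same IDs the articles tell you to look for).
(Test-DnsClientRegistration), (Test-DnsServerAdIntegration) |
    Format-Table Check, Passed -AutoSize
```

Run the client check on the DNS client after ipconfig /registerdns and the server check on the DNS server after the DnsAdmins group has been renamed; pass -Since explicitly if the fix was applied more than 15 minutes ago.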

Related Management Information

DNS Server Active Directory Integration

DNS Infrastructure


Static IP address when we call Watson API

The customer is developing their application and wants to call the Watson API.
Their server uses a firewall, so to access it they want a STATIC IP address.
Is it possible to call the Watson API? I think it is a URL-based call and the IP is dynamic.
Please help me to clarify it.


Event ID 1578 — Network Name Resource Availability


Updated: November 25, 2009

Applies To: Windows Server 2008 R2

In a cluster, a Network Name resource can be important because other resources depend on it. A Network Name resource can come online only if it is configured correctly, and is supported correctly by available networks and network configurations.

Event Details

Product: Windows Operating System
ID: 1578
Source: Microsoft-Windows-FailoverClustering
Version: 6.1
Symbolic Name: RES_NETNAME_DNS_TEST_FOR_DYNAMIC_UPDATE_FAILED
Message: Cluster network name resource ‘%1’ failed to register dynamic updates for name ‘%2’ over adapter ‘%4’. The DNS server may not be configured to accept dynamic updates. The error code was ‘%3’. Please contact your DNS server administrator to verify that the DNS server is available and configured for dynamic updates. Alternatively, you can disable dynamic DNS updates by unchecking the ‘Register this connection’s addresses in DNS’ setting in the advanced TCP/IP settings for adapter ‘%4’ under the DNS tab.

Resolve
Check DNS configuration

The Network Name resource could not register one or more Domain Name System (DNS) names. If you do not currently have Event Viewer open, see “Opening Event Viewer and viewing events related to failover clustering.” If the event contains an error code that you have not yet looked up, see “Finding more information about error codes that some event messages contain.” After reviewing event messages, check the following:

  • Check that on the DNS server, the record for the Network Name resource still exists. If the record was accidentally deleted, or was scavenged by the DNS server, create it again, or arrange to have a network administrator create it.
  • Ensure that a valid, accessible DNS server has been specified for the indicated network adapter or adapters in the cluster.
  • Check the system event log for Netlogon or DNS events that occurred near the time of the failover cluster event. Troubleshooting these events might solve the problem that prevented the clustered Network Name resource from registering the DNS name.

To perform the following procedures, you must be a member of the local Administrators group on each clustered server, and the account you use must be a domain account, or you must have been delegated the equivalent authority.

Opening Event Viewer and viewing events related to failover clustering

To open Event Viewer and view events related to failover clustering:

  1. If Server Manager is not already open, click Start, click Administrative Tools, and then click Server Manager. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. In the console tree, expand Diagnostics, expand Event Viewer, expand Windows Logs, and then click System.
  3. To filter the events so that only events with a Source of FailoverClustering are shown, in the Actions pane, click Filter Current Log. On the Filter tab, in the Event sources box, select FailoverClustering. Select other options as appropriate, and then click OK.
  4. To sort the displayed events by date and time, in the center pane, click the Date and Time column heading.

Finding more information about the error codes that some event messages contain

To find more information about the error codes that some event messages contain:

  1. View the event, and note the error code.
  2. Look up more information about the error code in one of two ways:

Verify

To perform the following procedures, you must be a member of the local Administrators group on each clustered server, and the account you use must be a domain account, or you must have been delegated the equivalent authority.

Verifying that a Network Name resource can come online

To verify that a Network Name resource can come online:

  1. To open the failover cluster snap-in, click Start, click Administrative Tools, and then click Failover Cluster Management. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. In the Failover Cluster Management snap-in, if the cluster you want to manage is not displayed, in the console tree, right-click Failover Cluster Management, click Manage a Cluster, and then select or specify the cluster that you want.
  3. If the console tree is collapsed, expand the tree under the cluster you want to manage, and then expand Services and Applications.
  4. In the console tree, click a clustered service or application.
  5. In the center pane, view the status of the Network Name resource you want to verify.
  6. If a Network Name resource is offline, to bring it online, in the center pane, right-click the resource and then click Bring this resource online.

To perform a quick check on the status of a resource, you can run the following command.

Using a command to check the status of a resource in a failover cluster

To use a command to check the status of a resource in a failover cluster:

  1. On a node in the cluster, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. Type:

    CLUSTER RESOURCE ResourceName /STATUS

    If you run the preceding command without specifying a resource name, status is displayed for all resources in the cluster.

Related Management Information

Network Name Resource Availability

Failover Clustering
