VMware Workspace ONE Community
JeoffreyBurri
Enthusiast

Android Tunnel App uses Google public DNS Servers

This post is a little bit of a hail mary since I'm really running out of ideas.


I have a use-case where I configure Google Chrome to use per App VPN. Our installation is on prem. Linux Servers, not UAG yet.


Suddenly, a few weeks ago, the Tunnel App began throwing 'DNS resolution failed' errors. Looking at the log, we see that it tries to resolve our Tunnel Relay Server by using the public Google IPv6 DNS servers (2001:4860:4860::8888 and 2001:4860:4860::8844). Eventually it tries our IPv4 DNS servers and can then connect successfully. We don't use IPv6 in our environment.


- Our configuration has only our IPv4 DNS Servers set to use. And it's set to use IPv4 only.
- It's not the app version. There are different versions on the devices and they all show the same error.
- There was no change in the configuration on the servers.
- There was no OS Update on the devices (Samsung S6 and S7)


VMware Support has been at it for several days now, but up until now nothing has helped.


Any thoughts / ideas from the community?

0 Kudos
6 Replies
Aginaco
Contributor

Hi Jeoffrey


We have exactly the same problem. We also have an open ticket with VMware Support and they are recommending things like restarting the affected devices (also Samsung devices), uninstalling and pushing the VPN profile again, or testing our FQDN with https://www.sslshopper.com/ssl-checker.html?.


We have already tried to apply these solutions but they are not definitive ones. Maybe it works for some hours or days but the 'DNS resolution failed' error appears again.


We are thinking of activating the 'Always On VPN' check in the VPN profile to check if, once the name is correctly resolved and the VPN established, it remains up. We know this is battery consuming but we have no better ideas at the moment. Have you already found a solution or a workaround for this?


Thank you

0 Kudos
JeoffreyBurri
Enthusiast

Hello Rafael,

We now know that using the Google public DNS servers is a fallback behavior built into the Tunnel App. Meaning if the Tunnel App can't reach the server configured in the tunnel profile, it automatically tries to resolve the FQDN using the Google DNS servers.
This led us to investigate why the app apparently cannot reach our tunnel server. And indeed, one of our front end servers seems to drop connections intermittently. We are investigating this now.

So the problem seems to be on our side.
0 Kudos
Aginaco
Contributor

Hi Jeoffrey

We didn't know about this fallback behaviour but this makes sense. Maybe there is something wrong in our front end. We will also check this.

Thanks for your comment
0 Kudos
GestionMovilida
Contributor

Hi Jeoffrey,

I am a colleague of Rafael. In our connection issue we have two error messages. Sometimes we get one error message and sometimes we get the other. The error messages in the Tunnel application are:
a) 'DNS resolution failed'
b) 'Gateway unreachable'

I suspect they are related to each other.

In the diagnostics logs, in the 'Gateway unreachable' scenario, we can see messages like this:
  11-14 11:43:43 (I) : Test Connectivity: Gateway unreachable from 195.235.171.83
  11-14 11:43:43 (I) : AWVPC: checkConnectivity: Unable to connect to server tunel.ertzaintza.eus (272)

The tunnel IPv4 address of our tunnel machine is 195.235.171.83 (tunel.ertzaintza.eus). The word FROM catches my attention. The error registered in the app log seems to be the result of a connectivity test that runs on the server (from the server to some Google gateway).

On the server I can see connection errors (SYN_SENT state in some connections to port 443 of several IP addresses from Google):

  216.239.32.116     Google   https://ipinfo.io/216.239.32.116
  172.217.8.163      Google   https://ipinfo.io/172.217.8.163
  172.217.168.163    Google   https://ipinfo.io/172.217.168.163
  172.217.168.170    Google   https://ipinfo.io/172.217.168.170

These destinations are not included in the VMware Tunnel connection requirements, as far as I know.

Please, can you check if this situation occurs in your environment?

Thanks in advance
Regards
0 Kudos
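
The server-side check described in the post above, as an added example that is not part of the original thread: it parses `netstat -tn` style output and counts SYN_SENT sockets to port 443 whose remote address lies outside an expected-destination list. The sample output is constructed (remote IPs are the ones quoted in the post), and the allowlist `192.0.2.0/24`, the `198.51.100.7` client and the `2001:db8::` addresses are placeholder assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample in `netstat -tn` layout. 192.0.2.10 stands in for a
# documented (expected) destination; the 2001:db8:: addresses are placeholders.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      1 195.235.171.83:51514    216.239.32.116:443      SYN_SENT
tcp        0      1 195.235.171.83:51520    172.217.8.163:443       SYN_SENT
tcp        0      1 195.235.171.83:51522    172.217.168.163:443     SYN_SENT
tcp        0      1 195.235.171.83:51530    172.217.168.163:443     SYN_SENT
tcp        0      0 195.235.171.83:443      198.51.100.7:40112      ESTABLISHED
tcp        0      1 195.235.171.83:51540    192.0.2.10:443          SYN_SENT
tcp6       0      1 2001:db8::1:51600       2001:db8::53:443        SYN_SENT
"""


def stalled_outbound(netstat_text, expected_nets, port=443):
    """Count SYN_SENT sockets to `port` whose remote IP is outside expected_nets."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    hits = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows have exactly six columns and start with tcp/tcp6.
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue
        remote, state = fields[4], fields[5]
        if state != "SYN_SENT":
            continue
        # The port follows the last colon, which also works for IPv6 rows.
        host, _, rport = remote.rpartition(":")
        if not rport.isdigit() or int(rport) != port:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # unparsable address column, skip the row
        if not any(addr.version == n.version and addr in n for n in nets):
            hits[str(addr)] += 1
    return hits


if __name__ == "__main__":
    for ip, count in stalled_outbound(SAMPLE_NETSTAT, ["192.0.2.0/24"]).most_common():
        print(f"{ip}\t{count} half-open connection(s) to :443")
```

Run periodically against live `netstat -tn` output, the per-address counts show whether the unanswered connection attempts are persistent or only coincide with the client-side errors.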
JeoffreyBurri
Enthusiast

Hi Gestion,

Very interesting findings there! We assumed the word FROM is just an error and it's meant to say TO. We are investigating in that direction too now. Thanks for your contribution! I'll post as soon as I get new information.
0 Kudos
JeoffreyBurri
Enthusiast

Unfortunately that does not seem to be the issue. Our server is able to access these IPs but we are seeing the 'Gateway unreachable from' anyway...
0 Kudos