Cannot access any ZTNA (SAC) segment Application with Safari after WSS Agent tunnel is up



Article ID: 254117


Products

Symantec ZTNA Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

WSS Agent is enabled on macOS and used to access ZTNA segment applications.

The WSS Agent tunnel comes up successfully after authenticating with SAML.

Accessing the segment application (which points to an internal web server) by DNS name from Safari fails.

Accessing the same application from Chrome afterwards works. Once that has succeeded, Safari access works too, until the entry is removed from the macOS DNS cache.

The segment application can always be accessed via its IP address.

Environment

Cloud SWG integration with ZTNA (SAC - Secure Access Cloud).

WSS Agent is configured with split DNS so that DNS requests for the ZTNA segment application are sent to a corporate DNS server with an RFC 1918 IP address.

WSS Agent 8.2.1 running on macOS.

Cause

DNS handling when the source port is defined as 0.

DNS handling when the DNS AAAA response is returned before the A response.

Resolution

Upgrade to WSS Agent 8.2.3 or greater.

Additional Information

PCAPs from Symdiag confirm that DNS requests are sent to the ZTNA-configured DNS server correctly.

When the DNS server is configured to return both IPv6 and IPv4 responses, and the IPv6 (AAAA) response arrives before the IPv4 (A) response, the agent does not snoop it correctly. The end result is that the WSS Agent does not send the connection request into WSS.
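As an added diagnostic (not part of this article and not WSS Agent code), the following Python script walks raw DNS response payloads, assumed to have already been extracted from the Symdiag PCAP in capture order, and reports the names for which an AAAA answer arrived before the A answer, the ordering described above. The sample messages are constructed inline so the script runs offline.

```python
import struct
from ipaddress import ip_address
A, AAAA = 1, 28  # DNS record type codes
def _read_name(msg, off):
    """Decode a possibly compressed DNS name at msg[off:]; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)
def parse_response(msg):
    """Return (qname, [(rtype, address), ...]) for one raw DNS response message."""
    _tid, _flags, _qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    qname, off = _read_name(msg, 12)  # a single question section entry is assumed
    off, answers = off + 4, []        # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype in (A, AAAA):
            answers.append((rtype, str(ip_address(rdata))))
    return qname, answers
def aaaa_before_a(responses):
    """Names whose first AAAA answer precedes their first A answer in capture order."""
    first = {}  # qname -> {rtype: position of the first answer of that type in the capture}
    for pos, msg in enumerate(responses):
        qname, answers = parse_response(msg)
        for rtype, _addr in answers:
            first.setdefault(qname, {}).setdefault(rtype, pos)
    return sorted(n for n, t in first.items() if A in t and AAAA in t and t[AAAA] < t[A])
def build_response(tid, qname, rtype, addr):
    """Encode a minimal one-answer DNS response (constructed test data, not from a real capture)."""
    name = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in qname.split(".")) + b"\x00"
    rdata = ip_address(addr).packed
    return (struct.pack("!6H", tid, 0x8180, 1, 1, 0, 0) + name + struct.pack("!HH", rtype, 1)
            + b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata)
# Constructed capture order: the AAAA response for the segment app name arrives before the A one.
CAPTURE = [build_response(0x1001, "app.corp.example", AAAA, "fd00::10"),
           build_response(0x1002, "app.corp.example", A, "10.0.0.10"),
           build_response(0x1003, "other.corp.example", A, "10.0.0.20"),
           build_response(0x1004, "other.corp.example", AAAA, "fd00::20")]
```

Running `aaaa_before_a(CAPTURE)` flags only `app.corp.example`; a name that is flagged this way on an affected agent version is a candidate for the behaviour described in this article.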