d.nebula.zyxel.com DNS resolve shows different results then it tries to connect

Hello Community,
My AP tries every minute to reach one of the two AWS Servers that are not listed in d.nebula.zyxel.com and is blocked.

i followed the connectivity settings on your KB: Knowledge Base | Zyxel.
TCP Port 6667 and 4335 fpr d.nebula.zyxel.com are allowed on the Firewall. 

Do i need to allow 443? Its noted that KB, that this port is used by users not by the AP himself to connect to the NCC.

Now i have the following problem:
For the name d.nebula.zyxel.com i get the Resolve:
52.16.90.243
52.210.229.217
52.48.115.44
54.76.217.223
54.73.103.137
34.243.116.158
52.210.12.1
34.246.20.161

But if i check the firewall it says it tries to connect to:
54.174.230.238 
52.207.42.20
(with 443 SSL) and denys it. 

Im from Europe/Austria, is it possible that something is wrong here with the AWS DNS entrys?

Did i miss something on my side? Can you please help me?

All Replies

  • Zyxel_Judy
    Zyxel_Judy Posts: 903  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi there,

     

    Except d.nebula.zyxel.com, there are other service such as s.nebula.zyxel.com or firmware.nebula.zyxel.com, etc. You can try to resolve these domains to check whether they are the two AWS Servers that are not listed in.



    Besides, some service uses dynamic IP addresses, so the resolve you get might be not the same at every time.

    We recommend you do the security policy based on the domains not the IP address to avoid some service will be blocked/ denied.

    Judy

  • Hello thank you for your reply,
    i changed the rules on the Firewall like you suggested but the Problem is still the same.

    on the firewall these are now allowed:
    d.nebula.zyxel.com
    s.nebula.zyxel.com
    d-a.nebula.zyxel.com
    d-cp.nebula.zyxel.com
    d-mp.nebula.zyxel.com

    the Problem is still the same: the Access Points try to connect with Port 443 to the IPs

    54.174.230.238 
    52.207.42.20
    and are denied because these two IPs are not resolved in these Names.

    Should i add these two IP-Adresses to the rule or is there a problems with the DNS resolve?

Nebula Tips & Tricks