HELP: GlobalProtect version 6.1.2-82 breaks DNS for snap apps on Ubuntu 23.04

zzzzYUPYUPphlumph · March 13, 2025, 2:24pm

Hello,

Today Ubuntu 23.04 offered to automatically upgrade by GlobalProtect VPN from 5.xx.xx to 6.1.2-82. When I accepted the upgrade, after it was installed, when the VPN is running DNS is broken for ALL SNAP applications. When the VPN is not running, all applications, including SNAP apps, function normally.

With the VPN running, SNAP apps are unable to perform ANY DNS look-ups.

Is there a way to downgrade back to the a 5.xx.xx version so it will continue to work. Alternatively, is there a way to make the 6.1.2-82 version work correctly for SNAP applications?

SoldAmerican · March 13, 2025, 2:24pm

I had some Linux users running 22.10 who ran into a similar issue after upgrading to GlobalProtect 6.0.7.

I know both those versions are different from yours however what worked for them was to install resolvconf, reconfigure resolvconf, reboot, and then reinstall GlobalProtect.

sudo apt install resolvconf
sudo dpkg-reconfigure resolvconf
sudo reboot

Euphoric-Flamingo811 · March 13, 2025, 2:24pm

I’ve just had the same issue when testing a deployment for our Ubuntu fleet.

I managed to find a workaround by modifying the /etc/systemd/resolved.conf file and adding the following line under the [Resolve] section:

DNSStubListenerExtra = 127.0.0.1:53

This fixes the problem for me. If I understand correctly, this keeps systemd-resolved listening on an additional address/port rather than stopping completely when the /etc/resolv.conf file is changed.

I’ve never tested older versions of GlobalProtect, but I think this issue is caused by the way it replaces the /etc/resolv.conf.

Usually this file is a symlink to /run/systemd/resolve/stub-resolv.conf.

When globalprotect takes over, it changes the symlink to something like /opt/paloaltonetworks/globalprotect/resolv.conf

I’m not sure if this is a valid or expected way to change the DNS configuration

EDIT:
For anyone coming back to this now, it looks like GP version 6.2.1-276 now natively works with systemd-resolved, and you don’t need the workaround.

zzzzYUPYUPphlumph · March 13, 2025, 2:24pm

Unfortunately, that doesn’t appear to help on 23.04. Thank you though.

kvernNC · March 13, 2025, 2:24pm

Is this workaround still working for your fleet ?

I encounter a similar issue: Globalprotect add DNS but the resolver deamon seems to crash, NetworkManager Restart, Wireless restart, Globalprotect reconnect, and it loop infinitely.

I tested it on a fresh and updated linux mint, which is based on ubuntu 22.04, but it didn’t avoid wireless to disconnect.

It seems to be fine on wired client though.

R_mano · March 13, 2025, 2:25pm

I can confirm this works for Ubuntu 24.04 and GlobalProtect 6.1.2-82. Thanks!

coruja182 · March 13, 2025, 2:25pm

This worked for me on `Ubuntu 24.04` and `GlobalProtect 6.2.0-265`

ic_1916 · March 13, 2025, 2:25pm

Worked on Ubuntu 24.03 and GP 6.1.5.

Euphoric-Flamingo811 · March 13, 2025, 2:25pm

Which version of globalprotect are you using?

We had to downgrade to 6.1.3-703 on Ubuntu because 6.2+ was flapping our Wifi connections on laptops

EDIT: For context, we’re still evaluating globalprotect right now. Not currently in production. But should be rolling out soon.

kvernNC · March 13, 2025, 2:25pm

Thanks, I didn’t test 6.1.3 before your advice and I confirm it works.