ZPA is picking IP address instead of FQDN

Hey Guys…

We have seen this on macOS only. We know that the application FQDN is resolving in our internal DNS server, but somehow in our ZPA logs we are seeing the connection picking the IP address even though we try the FQDN on the user machine.
If you separately add the FQDN and IP in the app segment, it works fine by picking the IP address.
If you add only the FQDN, then it is not working. Not sure why and how it is picking only the IP address when DNS can resolve this?

Any suggestions or solutions???


Hi Sumanth,

When you perform a ping or nslookup for the FQDN, does this return a carrier-grade NAT IP?
I would suggest looking at the client connector ZSAtunnel logs, and a packet capture. Here are some example logs of the DNS, and request for tunnel.

DBG getTunnelRequestTypeJson: Request url: https://app.company.com host: app.company.com protocol: 6 port: 443
DBG getTunnelRequestTypeJson: System Proxy from pac is null!
DBG DNS: MSG=Request from= Family=IPv4 Size=39, Qcount=1
INF DNS: QRY=A(1), Name=app.company.com
INF DNS: Send local A response for ZPN domain: app.company.com →
DBG DNS: MSG=Request from= Family=IPv4 Size=39, Qcount=1
INF DNS: Domain: app.company.com is never bypass domain.
DBG DNS: ZPN Domain=app.company.com State=zpn valid (257) TTL: 180
INF DNS: Send local empty AAAA/HTTPS response for ZPN domain: app.company.com
INF getTunnelRequestTypeJson: Sending ZPA response for tcp host: app.company.com ip:

Additionally, depending on the application, occasionally the initial communication to the application may occur using FQDN, and within the application the server instructs the client to connect to a server based upon IP address. An example of when this may happen might be with an ICA file, which is referencing an IP address rather than FQDN.
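
An added example, not part of the original post and not Zscaler tooling: a small Python triage script for log lines in the format quoted above. It lists each tunnel request and flags those made by IP address rather than FQDN, plus names that were queried but never marked as ZPN domains. The sample log is constructed, and the line with an IP literal as host is an assumed shape.

```python
import ipaddress
import re

# Constructed sample in the format of the log lines quoted above; the request
# with an IP literal as host is an assumed shape, not taken from a real log.
SAMPLE_LOG = """\
DBG getTunnelRequestTypeJson: Request url: https://app.company.com host: app.company.com protocol: 6 port: 443
INF DNS: QRY=A(1), Name=app.company.com
DBG DNS: ZPN Domain=app.company.com State=zpn valid (257) TTL: 180
DBG getTunnelRequestTypeJson: Request url: https://10.20.30.40 host: 10.20.30.40 protocol: 6 port: 443
INF DNS: QRY=A(1), Name=other.company.com
"""

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT range
REQ_RE = re.compile(r"getTunnelRequestTypeJson: Request url: \S+ host: (\S+) protocol: (\d+) port: (\d+)")
QRY_RE = re.compile(r"DNS: QRY=\w+\(\d+\), Name=(\S+)")
ZPN_RE = re.compile(r"DNS: ZPN Domain=(\S+) State=zpn valid")

def classify_host(host):
    """Return 'fqdn', 'cgnat-ip' or 'ip-literal' for a tunnel request host."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "fqdn"
    return "cgnat-ip" if addr in CGNAT else "ip-literal"

def summarize(log_text):
    """Collect tunnel requests and DNS names, then derive the two findings."""
    requests, queried, zpn = [], set(), set()
    for line in log_text.splitlines():
        if m := REQ_RE.search(line):
            host = m.group(1)
            requests.append({"host": host, "port": int(m.group(3)), "kind": classify_host(host)})
        elif m := QRY_RE.search(line):
            queried.add(m.group(1).lower())
        elif m := ZPN_RE.search(line):
            zpn.add(m.group(1).lower())
    return {
        "requests": requests,
        # Requests addressed by IP: an FQDN-only app segment would not match these.
        "by_ip": [r for r in requests if r["kind"] != "fqdn"],
        # Names the client resolved but never reported as a valid ZPN domain.
        "queried_not_zpn": sorted(queried - zpn),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-empty `by_ip` list is consistent with the application handing the client an address, as in the ICA file case above.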

Hi Dan,

Yes, it is resolving to a carrier-grade NAT IP. But the same FQDN works from a Windows machine (I will double-confirm one more time). Is there any solution for this? Has anyone faced this issue?

Hi Sumanth,

I would review with what I have stated above, but I would also run this past support, as they will be able to assist you. I have PM’d you.


Or maybe the Mac users have some other agent running that interferes w/ DNS (Cisco Umbrella, …)?

No … @jhage … verified. There is no other agent inside it.

Sumanth D