[Configure a router to always query DNS]

Jun 9th, 2009

For an IPSEC application I require a router to ALWAYS query DNS to resolve a host name. From what I've seen, once it queries DNS, the router stores the response in memory and, as long as you don't clear the host list (clear host *), it'll never ask DNS again.

Is there a command to change this behavior?

Thanks in advance!


Carlos A. Silva Tue, 06/09/2009 - 12:24

That's exactly what I'm doing, BUT...the problem is that the initiating router caches the DNS resolution for the terminating router. If the IP on the terminating router changes (say a DSL connection), the initiating router still tries the previous IP address.

My configuration is exactly that. Tunnels work the first time around. The problem is that the IKE engine NEVER queries DNS again.

Any ideas?

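The two posts above describe the failure mode: the initiating router resolves the peer name once, caches the answer, and keeps using it even after DDNS has published a new address for the terminating router. The following Python model is an added example, not configuration or code from the thread or from Cisco; it shows the difference between a host cache that never expires (the behaviour described above, cleared only by the equivalent of "clear host *") and one that re-queries DNS once the record TTL has passed, plus a small monitoring check that flags cached entries that no longer match DNS. The DNS server, host name (vpnc.example.test) and 192.0.2.x addresses are all constructed for the example.

```python
"""Added example (not from the thread): a tiny model of a host-name cache in
front of a tunnel initiator, showing why a cache that never expires keeps a
stale peer address after a DDNS update, and how honouring the record TTL
fixes it.  Everything here (server, name, addresses) is constructed."""
import time


class FakeDNS:
    """Constructed stand-in for the DDNS server.  update() mimics the
    terminating router registering a new DHCP/DSL address."""

    def __init__(self):
        self.records = {}   # name -> (address, ttl_seconds)
        self.queries = 0    # how many times the resolver actually asked us

    def update(self, name, address, ttl):
        self.records[name] = (address, ttl)

    def query(self, name):
        self.queries += 1
        return self.records[name]


class HostCache:
    """Resolver-side cache.  honour_ttl=False reproduces the behaviour the
    original poster describes: once an answer is stored it is reused until
    the cache is explicitly cleared."""

    def __init__(self, dns, honour_ttl, clock=time.monotonic):
        self.dns = dns
        self.honour_ttl = honour_ttl
        self.clock = clock
        self.entries = {}   # name -> (address, expires_at)

    def resolve(self, name):
        entry = self.entries.get(name)
        now = self.clock()
        # Serve from cache if present and either TTLs are ignored or not expired.
        if entry is not None and (not self.honour_ttl or now < entry[1]):
            return entry[0]
        address, ttl = self.dns.query(name)
        self.entries[name] = (address, now + ttl)
        return address

    def clear(self):
        """Equivalent of 'clear host *': drop every cached answer."""
        self.entries.clear()


def stale_entries(cache, dns):
    """Monitoring check: cached names whose address no longer matches DNS.
    A non-empty result means the initiator would target a stale peer."""
    return [name for name, (addr, _) in cache.entries.items()
            if dns.query(name)[0] != addr]


def simulate(honour_ttl):
    """Resolve the peer, let DDNS change its address, wait past the TTL and
    resolve again.  Returns (first_answer, second_answer, dns_queries)."""
    clock = [0.0]                      # fake monotonic clock, in seconds
    dns = FakeDNS()
    dns.update("vpnc.example.test", "192.0.2.10", ttl=60)
    cache = HostCache(dns, honour_ttl, clock=lambda: clock[0])
    first = cache.resolve("vpnc.example.test")
    dns.update("vpnc.example.test", "192.0.2.20", ttl=60)   # DDNS update
    clock[0] += 120                                         # TTL has expired
    second = cache.resolve("vpnc.example.test")
    return first, second, dns.queries


if __name__ == "__main__":
    for honour in (False, True):
        first, second, n = simulate(honour)
        print(f"honour_ttl={honour}: first={first} second={second} "
              f"dns_queries={n}")
```

With honour_ttl=False the second resolution still returns 192.0.2.10 after only one real DNS query, which is the stuck-on-the-old-address symptom in the thread; with honour_ttl=True the cache asks again once the TTL has lapsed and picks up 192.0.2.20. stale_entries() is the kind of check a monitoring job can run against a static peer list to catch the mismatch before the tunnel silently stays down.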

paolo bevilacqua Tue, 06/09/2009 - 12:40

My understanding is that the feature mentioned above addresses your issue.

You should verify your configuration (set peer xxx.xxx dynamic) and if the router doesn't behave as documented, contact the TAC.

Carlos A. Silva Wed, 06/10/2009 - 05:25

Yup. We agree 100% that's what that command and feature should be doing, but it's not. I've tried different IOS versions and platforms. Same result. Hopefully an SE will help me out.

Thanks a lot!


Carlos A. Silva Tue, 06/09/2009 - 13:07

At first the IP address for the tunnel termination was Then, after a quick shut/no shut, the IP changed to


*Mar 1 00:33:39.055: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 00:33:39.379: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Mar 1 00:33:42.707: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address, mask, hostname vpnc.x.com.

But the tunnel initiator keeps trying the old IP address:

of2#ping source
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Packet sent with a source address of


*Mar 1 00:33:19.211: ISAKMP:(0): SA request profile is (NULL)
*Mar 1 00:33:19.211: ISAKMP: Created a peer struct for, peer port 500
*Mar 1 00:33:19.211: ISAKMP: New peer created peer = 0x850288A8 peer_handle = 0x80000003
*Mar 1 00:33:19.211: ISAKMP: Locking peer struct 0x850288A8, refcount 1 for isakmp_initiator
*Mar 1 00:33:19.211: ISAKMP: local port 500, remote port 500
*Mar 1 00:33:19.211: ISAKMP: set new node 0 to QM_IDLE

Any thoughts?


paolo bevilacqua Tue, 06/09/2009 - 13:15

Do you have dynamic in set peer?

If yes, and DDNS for the terminator is also correct, you have to complain to the TAC.

Carlos A. Silva Thu, 06/11/2009 - 09:18

Yes, I do have 'dynamic' in set peer.

And yes, DDNS is working perfectly. Sadly, I have no mechanism to open up a TAC case.

I work for a Cisco partner and I'm building a demo environment for a customer.


As far as I know, the only channel for me is an SE.

