[Configure a router to always query DNS]

Carlos A. Silva · ‎06-09-2009

Hello:

For an IPSEC application I require a router to ALWAYS query DNS to solve a host name. From what I've seen once it queries DNS, the router stores the response in memory and as long a you don't clear the host list (clear host *), it'll never ask DNS again.

Is there a command to change this behavior?

Thanks in advance!

c.

paolo bevilacqua · ‎06-09-2009

Yes. See:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_realtime_ipsec_external_docbase_0900e4b1805b063e_4container_external_docbase_0900e4b1807b3707.html

Carlos A. Silva · ‎06-09-2009

Hi,p:

That's exactly what I'm doing, BUT...the problem is that the initiating router caches the DNS resolution for the terminating router. If the IP on the terminating router changes (say a DSL connection), the initiating router still tries the previous IP address.

My configuration is exactly that. Tunnels work the first time around. The problem is that the IKE engine NEVER queries DNS again.

Any ideas?

c.

paolo bevilacqua · ‎06-09-2009

My understanding is that the feature above mentioned addresses your issue.

You should verify your configuration (set peer xxx.xxx dynamic) and if the router doesn't behave as documented, contact the TAC.

Carlos A. Silva · ‎06-10-2009

Yup. We agree 100% that's what that command and feature should be doing, but it's not. I've tried different IOS versions and platforms. Same result. Hopefully an SE will help me out.

Thanks a lot!

c.

Carlos A. Silva · ‎06-09-2009

See:

At first the IP address for the tunnel termination was 172.16.14.2. Then after a quick shut/noshut, the ip changed to 172.16.14.3.

vpnc#

*Mar 1 00:33:39.055: %SYS-5-CONFIG_I: Configured from console by console

*Mar 1 00:33:39.379: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

*Mar 1 00:33:42.707: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 172.16.14.3, mask 255.255.255.0, hostname vpnc.x.com.

But the tunnel initiator keeps trying the old IP address:

of2#ping 172.16.44.44 source 172.16.33.33

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.44.44, timeout is 2 seconds:

Packet sent with a source address of 172.16.33.33

.

*Mar 1 00:33:19.211: ISAKMP:(0): SA request profile is (NULL)

*Mar 1 00:33:19.211: ISAKMP: Created a peer struct for 172.16.14.2, peer port 500

*Mar 1 00:33:19.211: ISAKMP: New peer created peer = 0x850288A8 peer_handle = 0x80000003

*Mar 1 00:33:19.211: ISAKMP: Locking peer struct 0x850288A8, refcount 1 for isakmp_initiator

*Mar 1 00:33:19.211: ISAKMP: local port 500, remote port 500

*Mar 1 00:33:19.211: ISAKMP: set new node 0 to QM_IDLE

Any thoughts?

c.

paolo bevilacqua · ‎06-09-2009

Do you have dynamic in set peer ?

If yes, and DDNS for the terminator is also correct, you have to complain to the TAC.

Carlos A. Silva · ‎06-11-2009

Yes, I do have 'dynamic' in set peer.

And yes, DDNS is working perfectly. Sadly, I have no mechanism to open up a TAC case.

I work for a cisco partner and I'm building a demo environment for a customer.

:(

As far as I know, the only channel for me is an SE.