
ASA 550x-X DNS resolving of FQDN-objects stopped working after ASA upgrade from 9.6(1)

Thomas Winther
Level 1

Hi

I have a group of dynamic objects defined by FQDN in multiple ASA 5506/8-X.

Somehow after upgrading ASA software from version 9.6(1) to anything later, the DNS resolver fails.

Same config, nothing changed.

My remote sites are doing IKEv2 site-to-site to HQ, with all RFC1918 addresses in crypto map acl.

Current ASA version, where this is failing: 9.8(1)

DNS config/status:

FW# sh run dns

dns domain-lookup inside
DNS server-group DefaultDNS
    name-server x.y.z.w inside
    name-server x.y.z.q inside
    domain-name dom.local

FW# sh dns
Name: host.domain.tld (unable to resolve)
Name: host.domain.tld (unable to resolve)
Name: host.domain.tld (unable to resolve)
Name: host.domain.tld (unable to resolve)
Name: host.domain.tld (unable to resolve)
Name: host.domain.tld (unable to resolve)
Name: host.domain.tld (unable to resolve)
Name: host.domain.tld (unable to resolve)
Name: host.domain.tld (unable to resolve)

DNS servers are pingable sourcing the inside interface OK.

Anyone seeing the same issue?

Do you have a solution or workaround?

If I downgrade to ASA 9.6(1), DNS resolving starts working immediately.

Kind regards

Thomas Winther 
