asa dns lookup fails using bvi interface

webastien (Level 1)

Hello all,

To be precise about the title, which I hope is clear enough by itself, here is some information.
[asa5506x box][version 9.8.2.24]
In order: everything went fine using a 'classical' interface configuration and the DefaultDNS server-group. I changed the physical inside interface to a BVI interface, pushed some bridge-group commands, etc. Everything worked (NAT, access, etc. (VPN not tested)) except FQDN objects, as the logs show:

3 Mar 24 2018 21:06:20 746016 user-identity: DNS lookup for fr.pool.ntp.org failed, reason:Timeout or unresolvable
3 Mar 24 2018 21:06:20 746016 user-identity: DNS lookup for fr.pool.ntp.org failed, reason:UNKNOWN

And ping www.cisco.com fails too.

No Firepower service-policy,
No inspect dns (tested),
dns domain-lookup inside_1 added (the DNS server is inside, behind this interface),
dns domain-lookup inside (the BVI).

A capture shows the DNS requests leaving the firewall correctly; a tcpdump on the DNS server confirms it. The DNS answers are arriving on inside too (capture).

So, if someone has an idea or information on how to fix this point, it will be appreciated.

/seb
PS: Sorry for my bad English.

4 Replies

Share your config? Usually BVI is used to bridge two VLANs in transparent mode, but let's see your config.

Thanks for your help Mohammed.

 

/seb

 

Are you able to ping your DNS server?

 

Yep.


I found how to fix this problem:
dns server-group DefaultDNS
 ! adding inside_1 at the end of the name-server line ...
 name-server 192.168.1.112 inside_1
 domain-name dune

(inside_1 does not match my BVI.)
The bad point is that, while playing with the configuration, the capture always showed requests and answers! (CLI in attached file)

 

Thank you Mohammed, I did not understand why I should ping, but it forced me to persist ;)


/seb
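
The fix above, turned into a check you can run over a saved running-config. This is an added example, not code from the thread or from Cisco: it parses the interface blocks and the dns server-group block of an ASA config and flags every name-server that is not bound to a bridge-group member nameif (the poster's working binding is inside_1, the physical member, not the BVI's nameif). The sample config embedded below is constructed for the example; the interface names, the second DNS server 192.168.1.113 and bridge-group 1 are assumptions, and treating an unbound or BVI-bound name-server as suspect is an assumption drawn from the poster's fix, not from Cisco documentation.

```python
"""Lint an ASA running-config for DNS name-servers not bound to a bridge-group member.

Added example (not from the thread or from Cisco). Assumption taken from the
poster's fix: a name-server behind a bridge group should be bound to the
physical member nameif (inside_1), not to the BVI nameif (inside) and not
left unbound.
"""
import re
from typing import Dict, List, Optional

# Constructed sample config (not the poster's attached CLI): the old physical
# inside interface is now a member of bridge-group 1, whose BVI is "inside".
SAMPLE_CONFIG = """\
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
dns domain-lookup inside_1
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.112
 name-server 192.168.1.113 inside
 name-server 192.168.1.112 inside_1
 domain-name dune
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
NAMESERVER_RE = re.compile(r"^\s+name-server\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Return {nameif: {"iface", "is_bvi", "bridge_group"}} for each named interface."""
    result: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = IFACE_RE.match(line)
        if m:
            name = m.group(1)
            is_bvi = name.upper().startswith("BVI")
            current = {"iface": name, "is_bvi": is_bvi, "nameif": None,
                       "bridge_group": int(name[3:]) if is_bvi else None}
            continue
        if current is None or not line.startswith(" "):
            current = None  # "!" or a non-indented command ends the interface block
            continue
        tokens = line.split()
        if tokens[0] == "bridge-group":
            current["bridge_group"] = int(tokens[1])
        elif tokens[0] == "nameif":
            current["nameif"] = tokens[1]
            result[tokens[1]] = current  # same dict object, later lines still update it
    return result


def parse_name_servers(config: str) -> List[dict]:
    """Return [{"group", "ip", "iface"}] for every name-server in a dns server-group block."""
    servers: List[dict] = []
    group: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("dns server-group "):
            group = line.split()[2]
            continue
        if not line.startswith(" "):
            group = None
            continue
        if group is None:
            continue
        m = NAMESERVER_RE.match(line)
        if m:
            servers.append({"group": group, "ip": m.group(1), "iface": m.group(2)})
    return servers


def members_of(interfaces: Dict[str, dict], bridge_group: int) -> List[str]:
    """Nameifs of the physical members of a bridge group (the BVI itself excluded)."""
    return sorted(n for n, i in interfaces.items()
                  if i["bridge_group"] == bridge_group and not i["is_bvi"])


def check_dns_binding(config: str) -> List[dict]:
    """Flag name-servers that are unbound, bound to an unknown nameif, or bound to a BVI."""
    interfaces = parse_interfaces(config)
    bvis = [i for i in interfaces.values() if i["is_bvi"]]
    all_members = sorted({m for b in bvis for m in members_of(interfaces, b["bridge_group"])})
    findings: List[dict] = []
    for ns in parse_name_servers(config):
        iface = ns["iface"]
        if iface is None:
            if bvis:  # only worth checking when a bridge group exists at all
                findings.append({**ns, "problem": "no interface specified", "suggest": all_members})
        elif iface not in interfaces:
            findings.append({**ns, "problem": "unknown nameif", "suggest": all_members})
        elif interfaces[iface]["is_bvi"]:
            findings.append({**ns, "problem": "bound to BVI nameif",
                             "suggest": members_of(interfaces, interfaces[iface]["bridge_group"])})
    return findings


if __name__ == "__main__":
    for f in check_dns_binding(SAMPLE_CONFIG):
        fix = " or ".join(f["suggest"]) or "<member nameif>"
        print(f"{f['group']}: name-server {f['ip']} ({f['problem']}); try: name-server {f['ip']} {fix}")
```

Run it against `show running-config` output saved to a file instead of SAMPLE_CONFIG; the two flagged entries in the sample (the unbound 192.168.1.112 and 192.168.1.113 bound to the BVI nameif inside) are exactly the shapes the poster went through before landing on the inside_1 binding.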
