Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
418
Views
0
Helpful
5
Replies

DNS server lookups and sh conn in ASA

Go to solution
mahesh18
Level 6
Level 6

‎04-05-2014 08:19 AM - edited ‎03-11-2019 09:02 PM

 

 Hi Everyone,

We have Internal DNS server that goes to ISP via our Internet  ASA for DNS lookups.

Recently physical connection between our Internal DNS server and Internet ASA broke due to bad cabling.

When users try to open website they get message page can not be displayed.

When I did sh conn on internet ASA it was showing number of connections that were established earlier.

I need to know if this happens again what troubleshooting command I should run in ASA to figure out DNS lookup is not working?

 

If I run sh conn should I  look for some flag that tells me issue is with DNS?

 

Regards

 

MAhesh

 

 

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP

‎04-05-2014 09:05 AM

There really aren't many commands on the ASA to 100% confirm it is a DNS problem.  However there are a few things you can check...among them the show conn protocol udp port 53 command. A quick way to define if it is DNS or not is to ping the DNS server private IP from the ASA.

You can also from a host machine ping an global DNS server on the internet such as 4.2.2.2 or 8.8.8.8.  If you are able to ping that but are unable to browse to the internet using a URL then it is most likely a DNS resolution issue.

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to mahesh18

‎04-05-2014 10:13 AM

There is an issue with using the show conn for troubleshooting DNS issues which i forgot to mention, and that is its default timeout of 1 hour. So eventually the connections will timeout and the output of the show conn protocol udp port 53 will be 0.  You can also check to see if the number is gradually decreasing and not increasing.  But this way can take a bit of time.

So if ping to the internet works but URLs are not accessible that is a clear indication that there is some kind of issue with DNS.  Especially if you statically set the DNS on the client and are then able to reach the URL you try to browse to then you know 100% it is your DNS server.

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Marius Gunnerud
VIP
VIP

‎04-05-2014 09:05 AM

There really aren't many commands on the ASA to 100% confirm it is a DNS problem.  However there are a few things you can check...among them the show conn protocol udp port 53 command. A quick way to define if it is DNS or not is to ping the DNS server private IP from the ASA.

You can also from a host machine ping an global DNS server on the internet such as 4.2.2.2 or 8.8.8.8.  If you are able to ping that but are unable to browse to the internet using a URL then it is most likely a DNS resolution issue.

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Marius Gunnerud

‎04-05-2014 09:09 AM

Also, if you manually set a DNS server on the host machine to a public DNS and are able to browse to the internet then...but you are unable to do so using your local DNS server, then you have also identified it as a local DNS problem.

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Marius Gunnerud

‎04-05-2014 09:27 AM

 

During outage when i did nslookup to google.com

it was showing as request time out.

Also when now all is working fine i ran the command
show conn protocol udp port 53

it shows 152 in use.

 

So when DNS is not working what should above command show  0 in use?

Also traffic flow for DNS server is

Server ----Sw1---------sw2(server default gateway)--------------Sw1--------ASA.

Sp ping to server should be ok during the outage.

 

As ping is not allowed from the internal Network.

What i did during outage was to ping 4.2.2.2 from edge router and that ping worked fine.

 

Regards

MAhesh

 

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to mahesh18

‎04-05-2014 10:13 AM

There is an issue with using the show conn for troubleshooting DNS issues which i forgot to mention, and that is its default timeout of 1 hour. So eventually the connections will timeout and the output of the show conn protocol udp port 53 will be 0.  You can also check to see if the number is gradually decreasing and not increasing.  But this way can take a bit of time.

So if ping to the internet works but URLs are not accessible that is a clear indication that there is some kind of issue with DNS.  Especially if you statically set the DNS on the client and are then able to reach the URL you try to browse to then you know 100% it is your DNS server.

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Marius Gunnerud

‎04-05-2014 01:16 PM

 

Many thanks for explaining  it in so detail.

Best reagrds

 

MAhesh

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card