Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1708
Views
0
Helpful
1
Replies

Event 331001 - dynamic DNS update failed - CISCO ASA 5506X

hm_alexander1
Level 1
Level 1

‎01-10-2018 09:17 AM - edited ‎02-21-2020 07:06 AM

I thought I configured dynamic DNS update correctly but it still not working.

 

My DNS server is an internal bind server and I configured the zones in question with allowed-update any.

 

 

zone "5.50.10.in-addr.arpa" IN {
type master;
file "db.5.50.10.in-addr.arpa";
allow-transfer {
none;
};
allow-update {
"any";
};
};
zone "5.10.10.in-addr.arpa" IN {
type master;
file "db.5.10.10.in-addr.arpa";
allow-transfer {
none;
};
allow-update {
"any";
};
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update {
none;
};
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update {
none;
};
};
zone "5.20.10.in-addr.arpa" IN {
type master;
file "db.5.20.10.in-addr.arpa";
allow-transfer {
none;
};
allow-update {
"any";
};
};
zone "5.40.10.in-addr.arpa" IN {
type master;
file "db.5.40.10.in-addr.arpa";
allow-transfer {
none;
};
allow-update {
"any";
};
};
zone "ss-sergius-herman-valaam.org" IN {
type master;
file "db.ss-sergius-herman-valaam.org";
allow-transfer {
none;
};
allow-update {
"any";
};
};

 

On the ASA the DHCP entries have DDNS enabled

 

dhcpd address 10.10.5.10-10.10.5.150 inside10
dhcpd dns 10.20.5.3 interface inside10
dhcpd domain ss-sergius-herman-valaam.org interface inside10
dhcpd update dns both interface inside10
dhcpd enable inside10
!
dhcpd address 10.40.5.10-10.40.5.150 inside40
dhcpd dns 10.20.5.3 interface inside40
dhcpd domain ss-sergius-herman-valaam.org interface inside40
dhcpd update dns both interface inside40
dhcpd enable inside40

 

But the ASA still throws an error every time . I enabled debug mode to see if there any more relevant messages around this error but so far nothing.

 

The log of the bind server has absolutely no message relevant to DDNS in it - neither success nor deny. so I am tempted to say the ASA is not even getting to the bind server for DDNS but I am not sure.

 

I should also mention that DNS queries to this DNS server work just fine.

 

3 Jan 10 2018 10:57:34 331001         Dynamic DNS Update for 'MacBook-Pro-5.ss-sergius-herman-valaam.org' <=> 10.40.5.20 failed

 

ACL in question for access to the server:

object network inside40-network
subnet 10.40.5.0 255.255.255.0

 

access-list inside40_access_in extended permit object-group TCPUDP 10.40.5.0 255.255.255.0 any eq domain

 

 

5 people had this problem
Labels:
0 Helpful
1 Reply 1

matt.leo.SGS
Level 1
Level 1

‎10-12-2021 06:42 AM

Did you ever get this resolved?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card