How to postpone DNS lookup until after ISP DHCP lease

bcerny
Level 1

A branch office router is configured to connect to the HQ VPN hub router. The tunnel destination is 'dynamic' and there is an IKEv2 client configuration stanza to help with this. Here's a chunk of the startup config:

ip domain lookup
ip name-server 2001:4860:4860::8888
!
crypto ikev2 client flexvpn default
client connect Tunnel1
peer 1 fqdn hub1.example.com ipv6
peer 2 fqdn hub2.example.com ipv6
peer reactivate
!
interface Tunnel1
description --> HQ VPN Hub
no ip address
ipv6 unnumbered Loopback6
ipv6 enable
--- lines omitted ---
tunnel source GigabitEthernet1
--- lines omitted ---
tunnel destination dynamic
tunnel protection ipsec profile FLEX
!
interface GigabitEthernet1
description --> ISP
no ip address
--- lines omitted ---
ipv6 address autoconfig default
ipv6 enable

However, the DNS server is not reachable during boot -- the WAN interface (Gig1) grabs an ISP DHCP lease. As a result, the router cannot resolve the host names and I end up with this:

crypto ikev2 client flexvpn default
peer reactivate
client connect Tunnel1 

Is there a way to postpone DNS lookups until after getting a DHCP lease?

Or do I need to craft an EEM script to configure the "crypto ikev2 client" stanza after the WAN interface comes up and the DNS server is reachable?



5 Replies 5

balaji.bandi
Hall of Fame

For this I suggest using EEM; it is the best option here to delay the process until DNS resolution works properly, and then re-initiate the connection.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello Balaji,

Yes, I thought an EEM would do the trick. Doesn't IP SLA support IPv6? I tried:

ip sla 6
 icmp-echo 2001:4860:4860::8888
  frequency 15
ip sla schedule 6 life 600 start-time now
track 6 ip sla 6 reachability

But then at boot time I see this on the console:

 icmp-echo 2001:4860:4860::8888
^
% Invalid input detected at '^' marker.

Note: If I paste the SLA configuration into config mode after the router has booted, then IOS-XE accepts the "icmp-echo 2001:4860:4860::8888" without complaint (!?!). I'm running this:

Cisco Catalyst 8000V Edge (virtual router)
Cisco IOS Software [Bengaluru], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.6.3a

From hack to utter kludge: I had to work around an IOS-XE bug by changing the IP SLA ping target from an IPv6 address to an IPv4 address:

ip sla 6
 icmp-echo 9.9.9.9
  frequency 15
ip sla schedule 6 life 600 start-time now
track 6 ip sla 6 reachability

EEM script triggered by tracking object 6:

event manager applet IKEv2_CLIENT_CONFIG authorization bypass
event track 6 state up
action 110 cli command enable
action 120 cli command "conf term"
action 130 cli command "crypto ikev2 client flexvpn default"
action 140 cli command "peer 1 fqdn hub1.example.com ipv6"
action 150 cli command "peer 2 fqdn hub2.example.com ipv6"
action 160 cli command "end"

Et voilà - as soon as DNS is reachable...

%TRACK-6-STATE: 6 ip sla 6 reachability Down -> Up
%SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:IKEv2_CLIENT_CONFIG)
%CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is UP.

...the IKEv2 client configuration falls into place, and the IPv6 tunnel connects right away.
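The following is an added example, not the poster's configuration, that generalizes the accepted solution above. It assumes the same hub names as in the thread, that 9.9.9.9 is reachable over the ISP link (the poster's ping to it succeeded, but Gig1 has "no ip address" and lines are omitted, so IPv4 reachability is an assumption here), and that the platform supports the IP SLA DNS operation. Instead of pinging an address, it probes the thing the IKEv2 client actually depends on, resolution of the hub FQDN, and it avoids two weak points of the thread's version: "life 600" stops probing after ten minutes, so a slow ISP lease would leave the tracking object down permanently, and an undelayed track would re-run the applet on every flap.

```ios
! Added example (not the poster's configuration). Assumes the hub names
! from the thread and that 9.9.9.9 answers DNS over the ISP link.
!
! Probe name resolution of the hub itself. The IP SLA DNS operation queries
! the named server directly, so it does not depend on "ip name-server"
! being usable yet.
ip sla 7
 dns hub1.example.com name-server 9.9.9.9
  frequency 15
! "life forever": keep probing however long the ISP lease takes.
ip sla schedule 7 life forever start-time now
!
track 7 ip sla 7 reachability
 ! Require 10 s of sustained success before declaring up, so a single
 ! good reply during a flapping link does not trigger the applet.
 delay up 10
!
! Same applet as in the thread, now keyed to the DNS probe. The actions are
! limited to exactly the two peer lines; the syslog action leaves a second
! audit line next to %SYS-5-CONFIG_I so config pushes by EEM are visible.
event manager applet IKEv2_CLIENT_CONFIG authorization bypass
 event track 7 state up
 action 110 cli command "enable"
 action 120 cli command "conf term"
 action 130 cli command "crypto ikev2 client flexvpn default"
 action 140 cli command "peer 1 fqdn hub1.example.com ipv6"
 action 150 cli command "peer 2 fqdn hub2.example.com ipv6"
 action 160 cli command "end"
 action 170 syslog msg "IKEv2 client peers configured after hub FQDN became resolvable"
```

"authorization bypass" makes the applet's CLI actions skip AAA command authorization, so keep the action list this small and watch for the "%SYS-5-CONFIG_I ... (EEM:IKEv2_CLIENT_CONFIG)" line, as seen in the thread, to confirm that the only configuration pushed outside a console session is this one. "show track 7" and "show ip sla statistics 7" show whether the probe is succeeding and when the state last changed.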

Glad all is good now; thank you for sharing the solution with the community, appreciated.

BB


You have dual hubs and use the client profile to force the spoke to use one of the hubs.

Until now it is OK.

Is the FQDN of the hub resolved by a DNS server reached via the tunnel?

The FQDN of the hub needs to be resolved by the ISP DNS, not by the hub's internal DNS.

I think you need to use a domain-list so that the spoke uses the ISP DNS to resolve the hub IP and the internal DNS for other requests.

MHM
