cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1162
Views
5
Helpful
4
Replies

login information is removed by IP SLA

mario.jost
Level 3
Level 3

As the

ip ddns

command is not vrf aware, i want to use IP SLA to update my Dynamic DNS IP address. I use following configuration:

 

ip sla 99
http get http://username:password@dynupdate.no-ip.com/nic/update?hostname=mydomain.gotdns.ch&myip=138.188.55.56 name-server 8.8.8.8
vrf DSL
ip sla schedule 99 life forever start-time now

When i check the IP sla output, i get HTTP error:

 

router#show ip sla statistics 
IPSLAs Latest Operation Statistics

IPSLA operation id: 99
        Latest RTT: 408 milliseconds
Latest operation start time: 08:59:10 CEST Fri May 13 2022
Latest operation return code: Http Error
Latest DNS RTT: 23 ms
Latest TCP Connection RTT: 185 ms
Latest HTTP Transaction RTT: 200 ms
Number of successes: 0
Number of failures: 1
Operation time to live: Forever

If i do a wireshark capture, it shows that the username and password have been striped from the request:

Unbenannt.png

 

I even get an unauthorized HTTP message back by no-ip. If i setup the same as a raw request, like this: 

 

ip sla 99
 http raw http://username:password@dynupdate.no-ip.com name-server 8.8.8.8
  vrf DSL
  http-raw-request
   GET /nic/update?hostname=mydomain.gotdns.ch&myip=138.188.55.57 HTTP/1.0\r\n
   exit
ip sla schedule 99 life forever start-time now

 

Then the IP sla status is timeout and i never see a HTTP request going out on wireshark:

router#show ip sla statistics 
IPSLAs Latest Operation Statistics

IPSLA operation id: 99
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 10:19:17 CEST Fri May 13 2022
Latest operation return code: Timeout
Latest DNS RTT: 33 ms
Latest TCP Connection RTT: 170 ms
Latest HTTP Transaction RTT: 0 ms
Number of successes: 0
Number of failures: 9
Operation time to live: Forever

Is there a trick to keep the username and password in the request?

 

 

Before people suggest i should use the ddns feature with the 

ip http client source-interface

command, but we have alot of http copy operations in place that need to use another VRF.

 

1 Accepted Solution

Accepted Solutions

Just managed to get it to work. The trick is, to use the raw http transmission method and give the authentication along with the GET post. This is the configuration:

ip sla 99
 http raw http://dynupdate.no-ip.com name-server 8.8.8.8
  vrf DSL
  http-raw-request
   GET /nic/update?hostname=mydomain.gotdns.ch HTTP/1.0\r\nAuthorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=\r\n\r\n
   exit
ip sla schedule 99 life forever start-time now

So you need to provide Basic as authentication method. You take following string username:password and convert it to base64 on a site like https://www.base64encoder.io/

This gives you a string that combines both username and password that you have to send after the keyword Basic. The IP SLA works as expected now:

router#show ip sla statistics 
IPSLAs Latest Operation Statistics

IPSLA operation id: 99
        Latest RTT: 434 milliseconds
Latest operation start time: 16:25:59 CEST Fri May 13 2022
Latest operation return code: OK
Latest DNS RTT: 45 ms
Latest TCP Connection RTT: 189 ms
Latest HTTP Transaction RTT: 200 ms
Number of successes: 25
Number of failures: 0
Operation time to live: Forever

Hope this helps someone else in the future

View solution in original post

4 Replies 4

Hello,

 

to my best knowledge, the HTTP operation is used 'to monitor the response time between a Cisco device and an HTTP server to retrieve a web page'. I am not sure you can use an IP SLA directly to update DDNS. You could do it with an EEM script. What exactly are you trying to accomplish ?

mario.jost
Level 3
Level 3

I try to contact this URL via vrf called DSL to update my IP that is assigned to a cellular interface. I thought of a TCL script, but i did not  find any possibility to force TCL to send out the request from a certain interface or vrf. I tried to use the

copy

command, like:

copy http://username:password@dynupdate.no-ip.com/nic/update?hostname=mydomain.gotdns.ch&myip=138.188.55.57 flash:result.txt

This worked great, until i realized that the request is going thru another VRF, that in the end, has an internet connectivity of its own. But the problem is, if the WAN IP changes and there is a problem with the VPN, the IP cant be updated. The

copy 

command tries to reach the internet via the wrong VRF which does not have a connectivity to the internet because the VPN is down.

 

This whole DDNS configuration is a way to access the router via a WAN IP directly in emergencies, so i try not to make one dependent on the other.

If i change the

ip http client source-interface 

to the Cellular interface, I can update the record, but we are using multiple TCL scripts that are constantly being downloaded via HTTP from a different VRF. We use it to centrally collect data from the LTE connection (RSSI,SNR,and so on...)

I thought of making a script that temporarily changes the VRF with the command 

ip http client source-interface cellular 0/2/0, 

updates the noIP and then goes back to

ip http client source-interface loopback0 

using the correct VRF for our LTE script to work again. But my tests show, that there is a big delay (60-90s) between setting the command and the device really using the corresponding VRF. So this was not really a solution as we are collection LTE data every 60s.

 

Is there a way via EEM or TCL to source a HTTP connection from a specific interace or VRF? 

Just managed to get it to work. The trick is, to use the raw http transmission method and give the authentication along with the GET post. This is the configuration:

ip sla 99
 http raw http://dynupdate.no-ip.com name-server 8.8.8.8
  vrf DSL
  http-raw-request
   GET /nic/update?hostname=mydomain.gotdns.ch HTTP/1.0\r\nAuthorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=\r\n\r\n
   exit
ip sla schedule 99 life forever start-time now

So you need to provide Basic as authentication method. You take following string username:password and convert it to base64 on a site like https://www.base64encoder.io/

This gives you a string that combines both username and password that you have to send after the keyword Basic. The IP SLA works as expected now:

router#show ip sla statistics 
IPSLAs Latest Operation Statistics

IPSLA operation id: 99
        Latest RTT: 434 milliseconds
Latest operation start time: 16:25:59 CEST Fri May 13 2022
Latest operation return code: OK
Latest DNS RTT: 45 ms
Latest TCP Connection RTT: 189 ms
Latest HTTP Transaction RTT: 200 ms
Number of successes: 25
Number of failures: 0
Operation time to live: Forever

Hope this helps someone else in the future

Lubo1
Level 1
Level 1

Thanks for sharing working solution.

Even regular 

ip ddns 

update method (in newer routers and IOS versions) does not send username:password in HTTP GET message (regardless of vrf), I checked it in Wireshark. I have not found any bug on this. The IP in DDNS provider's portal is not updated (I am using dynu.com), but despite of that

debug ip ddns update

shows SUCCESS, which is confusing.

Your IP SLA method is working.

Review Cisco Networking for a $25 gift card