05-13-2022 01:28 AM - last edited on 10-14-2022 10:11 AM by Translator
As the ip ddns command is not VRF-aware, I want to use IP SLA to update my Dynamic DNS IP address. I use the following configuration:
ip sla 99
 http get http://username:password@dynupdate.no-ip.com/nic/update?hostname=mydomain.gotdns.ch&myip=138.188.55.56 name-server 8.8.8.8 vrf DSL
ip sla schedule 99 life forever start-time now
When I check the IP SLA output, I get an HTTP error:
router#show ip sla statistics
IPSLAs Latest Operation Statistics
IPSLA operation id: 99
Latest RTT: 408 milliseconds
Latest operation start time: 08:59:10 CEST Fri May 13 2022
Latest operation return code: Http Error
Latest DNS RTT: 23 ms
Latest TCP Connection RTT: 185 ms
Latest HTTP Transaction RTT: 200 ms
Number of successes: 0
Number of failures: 1
Operation time to live: Forever
If I do a Wireshark capture, it shows that the username and password have been stripped from the request:
I even get an unauthorized HTTP message back from no-ip. If I set up the same as a raw request, like this:
ip sla 99
 http raw http://username:password@dynupdate.no-ip.com name-server 8.8.8.8 vrf DSL
  http-raw-request
   GET /nic/update?hostname=mydomain.gotdns.ch&myip=138.188.55.57 HTTP/1.0\r\n
   exit
ip sla schedule 99 life forever start-time now
Then the IP SLA status is timeout and I never see an HTTP request going out on Wireshark:
router#show ip sla statistics
IPSLAs Latest Operation Statistics
IPSLA operation id: 99
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 10:19:17 CEST Fri May 13 2022
Latest operation return code: Timeout
Latest DNS RTT: 33 ms
Latest TCP Connection RTT: 170 ms
Latest HTTP Transaction RTT: 0 ms
Number of successes: 0
Number of failures: 9
Operation time to live: Forever
Is there a trick to keep the username and password in the request?
Before people suggest I should use the ddns feature with the ip http client source-interface command, but we have a lot of HTTP copy operations in place that need to use another VRF.
05-13-2022 03:14 AM
Hello,
to my best knowledge, the HTTP operation is used 'to monitor the response time between a Cisco device and an HTTP server to retrieve a web page'. I am not sure you can use an IP SLA directly to update DDNS. You could do it with an EEM script. What exactly are you trying to accomplish?
05-13-2022 04:25 AM - last edited on 10-14-2022 10:18 AM by Translator
I try to contact this URL via a VRF called DSL to update my IP that is assigned to a cellular interface. I thought of a TCL script, but I did not find any possibility to force TCL to send out the request from a certain interface or VRF. I tried to use the copy command, like:
copy http://username:password@dynupdate.no-ip.com/nic/update?hostname=mydomain.gotdns.ch&myip=138.188.55.57 flash:result.txt
This worked great, until I realized that the request is going through another VRF that, in the end, has an internet connectivity of its own. But the problem is, if the WAN IP changes and there is a problem with the VPN, the IP can't be updated. The copy command tries to reach the internet via the wrong VRF, which does not have connectivity to the internet because the VPN is down.
This whole DDNS configuration is a way to access the router via a WAN IP directly in emergencies, so I try not to make one dependent on the other.
If I change the ip http client source-interface to the Cellular interface, I can update the record, but we are using multiple TCL scripts that are constantly being downloaded via HTTP from a different VRF. We use it to centrally collect data from the LTE connection (RSSI, SNR, and so on...)
I thought of making a script that temporarily changes the VRF with the command ip http client source-interface cellular 0/2/0, updates the noIP and then goes back to ip http client source-interface loopback0, using the correct VRF for our LTE script to work again. But my tests show that there is a big delay (60-90s) between setting the command and the device really using the corresponding VRF. So this was not really a solution, as we are collecting LTE data every 60s.
Is there a way via EEM or TCL to source an HTTP connection from a specific interface or VRF?
05-13-2022 07:28 AM - edited 05-13-2022 07:29 AM
Just managed to get it to work. The trick is to use the raw HTTP transmission method and give the authentication along with the GET post. This is the configuration:
ip sla 99
 http raw http://dynupdate.no-ip.com name-server 8.8.8.8 vrf DSL
  http-raw-request
   GET /nic/update?hostname=mydomain.gotdns.ch HTTP/1.0\r\nAuthorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=\r\n\r\n
   exit
ip sla schedule 99 life forever start-time now
So you need to provide Basic as the authentication method. You take the following string, username:password, and convert it to base64 on a site like https://www.base64encoder.io/
This gives you a string that combines both username and password that you have to send after the keyword Basic. The IP SLA works as expected now:
router#show ip sla statistics
IPSLAs Latest Operation Statistics
IPSLA operation id: 99
Latest RTT: 434 milliseconds
Latest operation start time: 16:25:59 CEST Fri May 13 2022
Latest operation return code: OK
Latest DNS RTT: 45 ms
Latest TCP Connection RTT: 189 ms
Latest HTTP Transaction RTT: 200 ms
Number of successes: 25
Number of failures: 0
Operation time to live: Forever
Hope this helps someone else in the future
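Added example, not part of the original post or of Cisco's documentation: a small Python helper that builds the Authorization value on your own workstation, so the credentials never have to be pasted into a website, and renders the IP SLA lines from the post above. The function names are hypothetical, and username/password are the post's placeholders.

```python
import base64

def basic_auth_value(username, password):
    """Return the value of an HTTP Basic Authorization header (RFC 7617)."""
    if ":" in username:
        raise ValueError("Basic auth user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def decode_basic(value):
    """Recover (username, password) from a header value.

    Base64 is an encoding, not encryption: anyone who can read the running
    config or capture the plain-HTTP request can do exactly this.
    """
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, _, pw = decoded.partition(":")  # password may itself contain ':'
    return user, pw

def ip_sla_raw_config(op_id, host, path, auth, name_server, vrf):
    """Render the IOS lines from the post; \\r\\n is typed literally in IOS."""
    for field in (host, path, auth):
        if "\r" in field or "\n" in field:
            raise ValueError("CR/LF in a field would inject extra header lines")
    request = f"GET {path} HTTP/1.0\\r\\nAuthorization: {auth}\\r\\n\\r\\n"
    return "\n".join([
        f"ip sla {op_id}",
        f" http raw http://{host} name-server {name_server} vrf {vrf}",
        "  http-raw-request",
        f"   {request}",
        "   exit",
        f"ip sla schedule {op_id} life forever start-time now",
    ])

if __name__ == "__main__":
    # Placeholder credentials from the post; substitute real ones locally.
    auth = basic_auth_value("username", "password")
    print(ip_sla_raw_config(99, "dynupdate.no-ip.com",
                            "/nic/update?hostname=mydomain.gotdns.ch",
                            auth, "8.8.8.8", "DSL"))
    print(decode_basic(auth))  # shows the header is trivially reversible
```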
10-14-2022 06:47 AM - last edited on 10-14-2022 10:20 AM by Translator
Thanks for sharing the working solution.
Even the regular ip ddns update method (in newer routers and IOS versions) does not send username:password in the HTTP GET message (regardless of VRF), I checked it in Wireshark. I have not found any bug on this. The IP in the DDNS provider's portal is not updated (I am using dynu.com), but despite that, debug ip ddns update shows SUCCESS, which is confusing.
Your IP SLA method is working.