
login information is removed by IP SLA

mario.jost
Level 3

As the ip ddns command is not VRF aware, I want to use IP SLA to update my Dynamic DNS IP address. I use the following configuration:

 

ip sla 99
http get http://username:password@dynupdate.no-ip.com/nic/update?hostname=mydomain.gotdns.ch&myip=138.188.55.56 name-server 8.8.8.8
vrf DSL
ip sla schedule 99 life forever start-time now

When I check the IP SLA output, I get an HTTP error:

 

router#show ip sla statistics 
IPSLAs Latest Operation Statistics

IPSLA operation id: 99
        Latest RTT: 408 milliseconds
Latest operation start time: 08:59:10 CEST Fri May 13 2022
Latest operation return code: Http Error
Latest DNS RTT: 23 ms
Latest TCP Connection RTT: 185 ms
Latest HTTP Transaction RTT: 200 ms
Number of successes: 0
Number of failures: 1
Operation time to live: Forever

If I do a Wireshark capture, it shows that the username and password have been stripped from the request:

[Screenshot: Unbenannt.png]

 

I even get an unauthorized HTTP message back from no-ip. If I set up the same as a raw request, like this:

 

ip sla 99
 http raw http://username:password@dynupdate.no-ip.com name-server 8.8.8.8
  vrf DSL
  http-raw-request
   GET /nic/update?hostname=mydomain.gotdns.ch&myip=138.188.55.57 HTTP/1.0\r\n
   exit
ip sla schedule 99 life forever start-time now

 

Then the IP SLA status is timeout and I never see an HTTP request going out in Wireshark:

router#show ip sla statistics 
IPSLAs Latest Operation Statistics

IPSLA operation id: 99
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 10:19:17 CEST Fri May 13 2022
Latest operation return code: Timeout
Latest DNS RTT: 33 ms
Latest TCP Connection RTT: 170 ms
Latest HTTP Transaction RTT: 0 ms
Number of successes: 0
Number of failures: 9
Operation time to live: Forever

Is there a trick to keep the username and password in the request?

 

 

Before people suggest I should use the DDNS feature with the ip http client source-interface command: we have a lot of HTTP copy operations in place that need to use another VRF.

 

Accepted Solutions

Just managed to get it to work. The trick is to use the raw HTTP transmission method and give the authentication along with the GET post. This is the configuration:

ip sla 99
 http raw http://dynupdate.no-ip.com name-server 8.8.8.8
  vrf DSL
  http-raw-request
   GET /nic/update?hostname=mydomain.gotdns.ch HTTP/1.0\r\nAuthorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=\r\n\r\n
   exit
ip sla schedule 99 life forever start-time now

So you need to provide Basic as the authentication method. You take the following string username:password and convert it to Base64 on a site like https://www.base64encoder.io/

This gives you a string that combines both username and password that you have to send after the keyword Basic. The IP SLA works as expected now:

router#show ip sla statistics 
IPSLAs Latest Operation Statistics

IPSLA operation id: 99
        Latest RTT: 434 milliseconds
Latest operation start time: 16:25:59 CEST Fri May 13 2022
Latest operation return code: OK
Latest DNS RTT: 45 ms
Latest TCP Connection RTT: 189 ms
Latest HTTP Transaction RTT: 200 ms
Number of successes: 25
Number of failures: 0
Operation time to live: Forever

Hope this helps someone else in the future
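
Added example, not part of the original post: the Base64 step can be done locally so the DDNS credentials never leave the workstation, and the decode function shows that the string stored in the router configuration (and sent over plain HTTP) is reversible encoding, not encryption. The function names are assumptions for illustration; the hostname and placeholder credentials are the ones used in the thread.

```python
import base64


def basic_auth_value(username: str, password: str) -> str:
    """Return the value of an Authorization header for the HTTP Basic scheme."""
    if ":" in username:
        raise ValueError("username must not contain ':' (it separates user and password)")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in username + password):
        raise ValueError("control characters are not allowed in credentials")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(value: str) -> tuple[str, str]:
    """Recover (username, password) from a Basic header value."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authorization value")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep:
        raise ValueError("decoded credentials contain no ':' separator")
    return user, password


def raw_request_line(hostname: str, username: str, password: str) -> str:
    """Build the http-raw-request line in the form used in the post above.

    The returned string contains the literal characters \\r\\n, as typed into IOS.
    """
    return (
        f"GET /nic/update?hostname={hostname} HTTP/1.0\\r\\n"
        f"Authorization: {basic_auth_value(username, password)}\\r\\n\\r\\n"
    )


if __name__ == "__main__":
    # Placeholder credentials from the thread; substitute real ones locally.
    print(raw_request_line("mydomain.gotdns.ch", "username", "password"))
    # Anyone who can read the running configuration can do this:
    print(decode_basic_auth("Basic dXNlcm5hbWU6cGFzc3dvcmQ="))
```
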

4 Replies

Hello,

To the best of my knowledge, the HTTP operation is used 'to monitor the response time between a Cisco device and an HTTP server to retrieve a web page'. I am not sure you can use an IP SLA directly to update DDNS. You could do it with an EEM script. What exactly are you trying to accomplish?

mario.jost
Level 3

I try to contact this URL via the VRF called DSL to update my IP that is assigned to a cellular interface. I thought of a TCL script, but I did not find any possibility to force TCL to send out the request from a certain interface or VRF. I tried to use the copy command, like:

copy http://username:password@dynupdate.no-ip.com/nic/update?hostname=mydomain.gotdns.ch&myip=138.188.55.57 flash:result.txt

This worked great, until I realized that the request is going through another VRF that, in the end, has internet connectivity of its own. But the problem is, if the WAN IP changes and there is a problem with the VPN, the IP can't be updated. The copy command tries to reach the internet via the wrong VRF, which does not have connectivity to the internet because the VPN is down.

 

This whole DDNS configuration is a way to access the router via a WAN IP directly in emergencies, so I try not to make one dependent on the other.

If I change the ip http client source-interface to the Cellular interface, I can update the record, but we are using multiple TCL scripts that are constantly being downloaded via HTTP from a different VRF. We use it to centrally collect data from the LTE connection (RSSI, SNR, and so on...)

I thought of making a script that temporarily changes the VRF with the command ip http client source-interface cellular 0/2/0, updates the noIP and then goes back to ip http client source-interface loopback0, using the correct VRF for our LTE script to work again. But my tests show that there is a big delay (60-90s) between setting the command and the device really using the corresponding VRF. So this was not really a solution as we are collecting LTE data every 60s.

 

Is there a way via EEM or TCL to source an HTTP connection from a specific interface or VRF?


lliska
Level 1

Thanks for sharing a working solution.

Even the regular ip ddns update method (in newer routers and IOS versions) does not send username:password in the HTTP GET message (regardless of VRF); I checked it in Wireshark. I have not found any bug on this. The IP in the DDNS provider's portal is not updated (I am using dynu.com), but despite that, debug ip ddns update shows SUCCESS, which is confusing.

Your IP SLA method is working.
