Configuration
https://community.cisco.com/t5/security-documents/isr-4k-1k-umbrella-integration-opendns-step-by-step/ta-p/3399077
Troubleshooting
%OPENDNS-3-DNSCRYPT_OPENDNS_OUT_FAILURE
*Feb 19 11:29:04.858: %OPENDNS-3-NO_OPENDNS_OUT_FAILURE: opendns out is not configured on wan interface
Make sure "opendns out" is configured on the WAN interface.
interface GigabitEthernet0/0/3
 ip vrf forwarding INET
 ip flow monitor LIVEACTION-FLOWMONITOR input
 ip flow monitor LIVEACTION-FLOWMONITOR output
 ip address X.X.X.X 255.255.255.128
 ip nat outside
 ip nbar protocol-discovery
 zone-member security INTERNET
 opendns out
end
%OPENDNS-3-DNS_RES_FAILURE
*Feb 19 11:30:08.284: %OPENDNS-3-DNS_RES_FAILURE: Failed to resolve name api.opendns.com Retry attempts:0
Make sure the router can resolve DNS names.
ip domain lookup source-interface GigabitEthernet0/3
ip name-server 4.2.2.2
%OPENDNS-3-SSL_HANDSHAKE_FAILURE
*Feb 19 11:37:56.809: %OPENDNS-3-SSL_HANDSHAKE_FAILURE: SSL handshake failed
Make sure the root certificate is added to the trust pool.
ISR-4321-OpenDNS(config)#crypto pki trustpool import terminal
% Enter PEM-formatted CA certificate.
% End with a blank line or "quit" on a line by itself.
quit
% PEM files import succeeded.
Verify that the correct DigiCert certificate is in the trust pool: the certificate with Serial Number (hex): 01FDA3EB6ECA75C888438B724BCFBC91 must exist in the output.
ISR4451#sh crypto pki trustpool
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01FDA3EB6ECA75C888438B724BCFBC91
  Certificate Usage: Signature
  Issuer:
    cn=DigiCert Global Root CA
    ou=www.digicert.com
    o=DigiCert Inc
    c=US
  Subject:
    cn=DigiCert SHA2 Secure Server CA
    o=DigiCert Inc
    c=US
  CRL Distribution Points:
    http://crl3.digicert.com/DigiCertGlobalRootCA.crl
    http://crl4.digicert.com/DigiCertGlobalRootCA.crl
  Validity Date:
    start date: 12:00:00 UTC Mar 8 2013
    end date: 12:00:00 UTC Mar 8 2023
  Associated Trustpoints: Trustpool
  Trustpool: Downloaded
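The trust pool check above can be scripted across several routers. The following is an added example, not part of the original page or any Cisco tooling: it parses saved "sh crypto pki trustpool" output, finds the entry with the serial number given above, and reports whether it is available and inside its validity window. The sample text is constructed from the output on this page; the function names and the UTC-only timestamp format are assumptions.

```python
import re
from datetime import datetime, timezone

# Serial number the page says must be present in the trust pool.
EXPECTED_SERIAL = "01FDA3EB6ECA75C888438B724BCFBC91"

# Constructed sample: trimmed from the "sh crypto pki trustpool" output on this page.
SAMPLE = """\
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01FDA3EB6ECA75C888438B724BCFBC91
  Subject:
    cn=DigiCert SHA2 Secure Server CA
  Validity Date:
    start date: 12:00:00 UTC Mar 8 2013
    end date: 12:00:00 UTC Mar 8 2023
  Associated Trustpoints: Trustpool
"""

# Assumption: the router clock is reported in UTC, as in the page's output.
DATE_RE = r"\s+date:\s*(\d\d:\d\d:\d\d) UTC (\w{3})\s+(\d{1,2}) (\d{4})"

def parse_trustpool(text):
    """Return one dict (status, serial, start, end) per 'CA Certificate' entry."""
    certs = []
    for block in re.split(r"(?m)^\s*CA Certificate\s*$", text)[1:]:
        status = re.search(r"Status:\s*(\S+)", block)
        serial = re.search(r"Serial Number \(hex\):\s*([0-9A-Fa-f]+)", block)
        cert = {"status": status.group(1) if status else None,
                "serial": serial.group(1).upper() if serial else None}
        for key in ("start", "end"):
            m = re.search(key + DATE_RE, block)
            cert[key] = (datetime.strptime(" ".join(m.groups()), "%H:%M:%S %b %d %Y")
                         .replace(tzinfo=timezone.utc) if m else None)
        certs.append(cert)
    return certs

def check_serial(text, serial, now):
    """Return missing, unavailable, unparsed, expired-or-not-yet-valid or ok."""
    for cert in parse_trustpool(text):
        if cert["serial"] != serial.upper():
            continue
        if cert["status"] != "Available":
            return "unavailable"
        if cert["start"] is None or cert["end"] is None:
            return "unparsed"
        if not cert["start"] <= now <= cert["end"]:
            return "expired-or-not-yet-valid"
        return "ok"
    return "missing"

if __name__ == "__main__":
    print(check_serial(SAMPLE, EXPECTED_SERIAL, datetime.now(timezone.utc)))
```

Run against the current time, the sample reports expired-or-not-yet-valid, because the certificate listed on this page has an end date of Mar 8 2023.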
%OPENDNS-6-DEV_REG_CONFLICT
This error is seen when you try to register the ISR to another organization in the OpenDNS portal. Before registering to a new organization with a new token, the ISR needs to be deleted from the organization where it was previously registered.
*Mar 24 02:55:53.661: %OPENDNS-6-DEV_REG_CONFLICT: Device id is already assigned