Overview
This article is a continuation of Cisco Umbrella Integration For ISR4k deployment guide and is provided as a guide to aid troubleshooting registration issues, as well as problems with internal and external DNS resolution.
Registration and Certificate import
1. Obtain your API Token from the Umbrella Dashboard: Admin -> API Keys -> (create) Legacy Network Devices
2. Import the CA certificate to the ISR4k via CLI using either of the following methods:
Import from URL
Issue the following command and allow the ISR4k to fetch the certificate:
crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b
Import directly in terminal
Copy and paste the CA certificate (see attachment) using the command:
crypto pki trustpool import terminal
3. Enter the API token on the ISR4k CLI using the following commands:
parameter-map type umbrella global
token XXXXXXXXXXXXXXXXXXXXXXXXXXXX
4. Bare minimum sample configuration on ISR4k:
interface GigabitEthernet0/0/0
ip address 192.168.50.249 255.255.255.252
ip nat outside
umbrella out
interface GigabitEthernet0/0/1.10
encapsulation dot1Q 10
ip address 192.168.8.254 255.255.255.0
ip nat inside
umbrella in odns_v10_5
Note:
* The attached intermediate cert "DigiCert TLS RSA SHA256 2020 CA1" is required in newer versions of IOS-XE; it is used for device registration against api.opendns.com.
* Ensure you configure the "umbrella out" command before the "umbrella in" command.
* Registration will succeed only when port 443 is open and the traffic is allowed to pass through any existing firewall.
* In older IOS XE Denali versions, the opendns command is used instead of umbrella.
Verifying the certificate import and device registration
1. Verify that the CA certificate has been stored successfully on the ISR4k device:
a. If the certificate was imported from the URL, issue the command
dir nvram:
and verify that the ios.p7b certificate is stored in the device NVRAM.
b. If the certificate was imported using the copy/paste method, run the command
show crypto pki trustpool
and verify the serial number and CN of the certificate.
2. To verify successful registration of the ISR4k, run the command
show umbrella deviceid
Sample output:
Dashboard output:
Debugging & Logging
- Verify the ISR4k version (Cisco IOS XE Denali 16.3 or newer is required):
show version
or
show platform
- Enable device registration debug logs:
debug umbrella device-registration
then view them with:
show logging
To disable the debug:
no debug umbrella device-registration
Below are some sample logs:
Certificate missing:
Jun 13 04:05:32.639: %OPENDNS-3-SSL_HANDSHAKE_FAILURE: SSL handshake failed
Certificate installed and device is successfully registered:
*%PKI-6-TRUSTPOOL_DOWNLOAD_SUCCESS: Trustpool Download is successful
*%OPENDNS-6-DEV_REG_SUCCESS: Device id for interface/tag GigabitEthernet0/0/1/odns_v10_5 is 010a0e4bc14
Api.opendns.com is not resolvable:
*%UMBRELLA-3-DNS_RES_FAILURE: Failed to resolve name api.opendns.com Retry attempts:0
- Verify DNS resolution: There is no 'dig' or 'nslookup' command available on the ISR4k. It is best to use
ping <hostname> source <interface>
from the ISR4k CLI.
- On an ISR with a VRF configured on the interface, make sure you have
ip name-server vrf <vrf_name> <dns_server_ip>
configured, and verify with:
ping vrf <vrf_name> api.opendns.com
- Ensure "ip dns server" is configured; this allows the ISR to be queried directly.
- To disable DNSCrypt:
parameter-map type umbrella global
 no dnscrypt
- Internal domain verification: Run the command
show umbrella config
and look for the Local Domain Regex entry, for example:
Local Domain Regex parameter-map: dns_bypass
Then check the regex parameter-map in the running configuration and the pattern list programmed into the data plane:
show run | be dns_bypass
show platform hardware qfp active feature dns-snoop-agent client hw-pattern-list
- Unable to import the certificate using the URL, or a certificate imported via the terminal is deleted after a reboot:
crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b
% Error: failed to open file.
% No certificates imported from http://www.cisco.com/security/pki/trs/ios.p7b.
Workaround: manually download the "ios.p7b" cert bundle via curl and copy it to the router's flash, clear the existing certificates from the pool, then import the "ios.p7b" bundle from flash:
show run | sec crypto pki
crypto pki certificate pool
cabundle nvram:Trustpool15.cer
crypto pki trustpool clean
crypto pki trustpool import url flash:ios.p7b
Reading file from bootflash:ios.p7b
% PEM files import succeeded.
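As an added example (not part of the original guide), the following Python parser classifies the registration messages listed under Debugging & Logging above from a saved "show logging" output and maps each failure to the check this guide suggests. The sample lines are constructed from the messages quoted above (timestamps and ordering are made up), and the diagnosis table is the editor's own mapping, not Cisco's.

```python
import re

# Constructed sample 'show logging' excerpt modelled on the messages quoted in this guide (timestamps/order made up).
SAMPLE_LOG = """\
Jun 13 04:05:32.639: %OPENDNS-3-SSL_HANDSHAKE_FAILURE: SSL handshake failed
Jun 13 04:06:02.114: %UMBRELLA-3-DNS_RES_FAILURE: Failed to resolve name api.opendns.com Retry attempts:0
*%PKI-6-TRUSTPOOL_DOWNLOAD_SUCCESS: Trustpool Download is successful
*%OPENDNS-6-DEV_REG_SUCCESS: Device id for interface/tag GigabitEthernet0/0/1/odns_v10_5 is 010a0e4bc14
"""
# Cisco syslog line: optional leading '*', optional timestamp, then %FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(
    r"^\*?(?:(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?): )?"
    r"%(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<text>.*)$")
REG_RE = re.compile(r"interface/tag (?P<iface>\S+)/(?P<tag>\S+) is (?P<devid>[0-9a-f]+)")
DNS_RE = re.compile(r"Failed to resolve name (?P<host>\S+) Retry attempts:(?P<retries>\d+)")

# Mnemonic -> (diagnosis, check from this guide); keyed on the mnemonic so OPENDNS and UMBRELLA facilities both match
CHECKS = {
    "SSL_HANDSHAKE_FAILURE": ("CA certificate missing from the trustpool",
                              "import ios.p7b and the DigiCert intermediate, then 'show crypto pki trustpool'"),
    "DNS_RES_FAILURE": ("router cannot resolve the registration host",
                        "check 'ip name-server' (with vrf if used) and 'ping <host> source <interface>'"),
}

def parse_line(line):
    """Split one log line into its fields; returns None for lines that are not syslog messages."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(log_text):
    """Walk the log in order; report trustpool state, registered interfaces and open issues."""
    result = {"trustpool_ok": False, "registered": {}, "issues": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        mnem, text = rec["mnem"], rec["text"]
        if rec["fac"] == "PKI" and mnem == "TRUSTPOOL_DOWNLOAD_SUCCESS":
            result["trustpool_ok"] = True
        elif mnem == "DEV_REG_SUCCESS" and (r := REG_RE.search(text)):
            result["registered"][r["iface"]] = {"tag": r["tag"], "device_id": r["devid"]}
        elif mnem in CHECKS:
            diagnosis, check = CHECKS[mnem]
            d = DNS_RE.search(text)
            result["issues"].append({"mnemonic": mnem, "severity": int(rec["sev"]), "diagnosis": diagnosis,
                                     "check": check, "detail": f"{d['host']} (retries {d['retries']})" if d else text})
    # A DEV_REG_SUCCESS anywhere means the device did register; earlier failures were transient
    result["state"] = "registered" if result["registered"] else ("failing" if result["issues"] else "unknown")
    return result
```

Paste the output of "show logging" into a file and call summarize() on its contents; the "issues" list tells you which of the checks above to run first.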