This article is a continuation of the Cisco Umbrella Integration for ISR4k deployment guide and is provided to aid troubleshooting of device registration issues, as well as problems with internal and external DNS resolution.
Registration and Certificate import
1. Obtain your API token from the Umbrella Dashboard: Deployments -> Admin -> API Keys -> (create) Legacy Network Devices
2. Import the CA certificate to the ISR4k via CLI using either of the following methods:
Import from URL
Issue the command and allow the ISR4k to fetch the certificate bundle:
crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b
Import directly in terminal
Copy and paste the CA certificate (see attachment) using the command:
crypto pki trustpool import terminal
3. Enter the API token on the ISR4k CLI under the global Umbrella parameter map (the token value is entered with the "token" sub-command; <API_TOKEN> is a placeholder for your own token):
parameter-map type umbrella global
 token <API_TOKEN>
4. Bare minimum sample configuration on ISR4k. The WAN interface carries "umbrella out" and the LAN interface carries "umbrella in <tag>"; the name of the inside subinterface is not given in the original and is assumed here (the registration log later in this article references GigabitEthernet0/0/1):
interface GigabitEthernet0/0/0
 ip address 192.168.50.249 255.255.255.252
 ip nat outside
 umbrella out
!
! inside LAN subinterface (name assumed)
interface GigabitEthernet0/0/1.10
 encapsulation dot1Q 10
 ip address 192.168.8.254 255.255.255.0
 ip nat inside
 umbrella in odns_v10_5
Verifying the certificate import and device registration
1. Verify that the CA certificate has been stored successfully on the ISR4k device:
a. If the certificate was imported from the URL, issue the command "dir nvram:" and verify that the ios.p7b certificate bundle is present in the device NVRAM.
b. If the certificate was imported using the copy/paste method, run "show cry pki trustpool" and verify the serial number and CN of the certificate.
2. To verify successful registration of the ISR4k, run the command:
show umbrella deviceid
Debugging & Logging
- Verify the ISR4k version with "show platform" (Cisco IOS XE Denali 16.3 or newer is required).
- Enable device registration debug logs with "debug opendns device-registration", then view them with "show logging" (to disable: "no debug opendns device-registration").
Below are some sample logs:
SSL handshake to the Umbrella API fails (check that the CA certificate was imported and is present in the trustpool):
Jun 13 04:05:32.639: %OPENDNS-3-SSL_HANDSHAKE_FAILURE: SSL handshake failed
Certificate installed and device successfully registered:
*%PKI-6-TRUSTPOOL_DOWNLOAD_SUCCESS: Trustpool Download is successful
*%OPENDNS-6-DEV_REG_SUCCESS: Device id for interface/tag GigabitEthernet0/0/1/odns_v10_5 is 010a0e4bc14
api.opendns.com is not resolvable:
*%UMBRELLA-3-DNS_RES_FAILURE: Failed to resolve name api.opendns.com Retry attempts:0
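The three log conditions above (SSL handshake failure, successful trustpool download plus registration, and DNS resolution failure) are easy to pick out by hand on one router, but when collecting "show logging" output from many ISRs it helps to classify them mechanically. The following Python script is an added example, not part of the original article or of Cisco's tooling: it parses IOS syslog lines into facility/severity/mnemonic, extracts the interface, tag and device id from the DEV_REG_SUCCESS message, and maps each failure mnemonic to the check described in this article. The sample log text is constructed from the messages quoted above and the exact message wording is assumed to follow them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of "show logging" output, modelled on the messages quoted
# in the article above (not captured from a real device). The PKI line uses the
# leading-asterisk, no-timestamp form shown in the article.
SAMPLE_LOG = """\
Jun 13 04:05:32.639: %OPENDNS-3-SSL_HANDSHAKE_FAILURE: SSL handshake failed
Jun 13 04:06:01.120: %UMBRELLA-3-DNS_RES_FAILURE: Failed to resolve name api.opendns.com Retry attempts:0
*%PKI-6-TRUSTPOOL_DOWNLOAD_SUCCESS: Trustpool Download is successful
Jun 13 04:09:20.447: %OPENDNS-6-DEV_REG_SUCCESS: Device id for interface/tag GigabitEthernet0/0/1/odns_v10_5 is 010a0e4bc14
"""

# IOS syslog shape: "[*][<timestamp>: ]%FACILITY-SEVERITY-MNEMONIC: text"
SYSLOG_RE = re.compile(
    r"^\*?(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?): )?\*?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mn>[A-Z0-9_]+): (?P<text>.*)$"
)

# Greedy interface group so that the slashes inside "GigabitEthernet0/0/1"
# stay with the interface and only the final component becomes the tag.
DEV_REG_RE = re.compile(
    r"Device id for interface/tag (?P<iface>\S+)/(?P<tag>[^/\s]+) is (?P<devid>[0-9a-f]+)"
)

# Failure mnemonics mapped to the troubleshooting step from the article.
HINTS = {
    ("OPENDNS", "SSL_HANDSHAKE_FAILURE"):
        "TLS handshake to the Umbrella API failed: verify the CA bundle with "
        "'show cry pki trustpool' or 'dir nvram:' (ios.p7b).",
    ("UMBRELLA", "DNS_RES_FAILURE"):
        "api.opendns.com did not resolve: check 'ip name-server' (with 'vrf <name>' "
        "if the interface is in a VRF) and test with 'ping api.opendns.com'.",
}


@dataclass
class SyslogEvent:
    ts: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_syslog(text: str) -> List[SyslogEvent]:
    """Parse IOS syslog lines; lines that are not syslog messages are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if m:
            events.append(SyslogEvent(m["ts"], m["fac"], int(m["sev"]), m["mn"], m["text"]))
    return events


def registration_status(events: List[SyslogEvent]) -> dict:
    """Summarise Umbrella registration state from the parsed events.

    Failures recorded before a later DEV_REG_SUCCESS are cleared, so 'issues'
    only lists problems seen since the last successful registration.
    """
    status = {"registered": False, "device_id": None, "interface": None,
              "tag": None, "trustpool_ok": False, "issues": []}
    for ev in events:
        key = (ev.facility, ev.mnemonic)
        if key == ("PKI", "TRUSTPOOL_DOWNLOAD_SUCCESS"):
            status["trustpool_ok"] = True
        elif key == ("OPENDNS", "DEV_REG_SUCCESS"):
            m = DEV_REG_RE.search(ev.text)
            if m:
                status.update(registered=True, device_id=m["devid"],
                              interface=m["iface"], tag=m["tag"], issues=[])
        elif key in HINTS and HINTS[key] not in status["issues"]:
            status["issues"].append(HINTS[key])
    return status


if __name__ == "__main__":
    for k, v in registration_status(parse_syslog(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

Feed it the saved output of "show logging" from each router; a device whose summary shows registered False with a non-empty issues list is the one to look at first, and the hint tells you which of the checks in this article applies.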
- Verify DNS resolution: there is no 'dig' or 'nslookup' command available on the ISR4k, so use "ping <hostname> source <interface>" from the ISR4k CLI.
- On an ISR with a VRF configured on the interface, make sure you have "ip name-server vrf <vrf_name> <dns_server_ip>" configured and verify with "ping vrf <vrf_name> api.opendns.com".
- Ensure "ip dns server" is configured; this allows the ISR to be queried directly as a DNS server.
- To disable DNSCrypt:
parameter-map type umbrella global
 no dnscrypt
- Internal domain verification: run "show opendns config" and look for the Local Domain Regex entry, which names the regex parameter-map used for DNS bypass, for example:
show opendns config
> Local Domain Regex parameter-map: dns_bypass
Then display the parameter-map patterns in the running configuration and the pattern list actually installed in the data plane:
show run | be dns_bypass
show platform hardware qfp active feature dns-snoop-agent client hw-pattern-list
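A local-domain pattern that is broader than intended silently sends matching queries to the internal DNS server instead of Umbrella, which removes the protection for those names, so it is worth testing the patterns against real query names before trusting the bypass list. The script below is an added example and not part of the article or of Cisco's software: it parses the patterns out of a constructed "show run | be dns_bypass" excerpt, reports which query names would bypass Umbrella, and flags any pattern that also matches a name clearly outside the organisation. The "parameter-map type regex" / "pattern" / "local-domain" configuration syntax, the whole-name matching semantics and Python's regex dialect standing in for the router's are all assumptions; the "show platform hardware qfp ... hw-pattern-list" output remains the authoritative view of what the data plane applies.

```python
import re
from typing import Dict, List

# Constructed excerpt of "show run | be dns_bypass" output. The parameter-map
# syntax and the 'local-domain' keyword are assumptions, not taken from the article.
SAMPLE_RUNNING_CONFIG = r"""
parameter-map type regex dns_bypass
 pattern .*\.corp\.example\.com
 pattern ^intranet$
 pattern .*\.local
!
parameter-map type umbrella global
 token <API_TOKEN>
 local-domain dns_bypass
!
"""

PMAP_HEADER_RE = re.compile(r"^parameter-map type regex (\S+)\s*$")
PATTERN_RE = re.compile(r"^\s+pattern (.+?)\s*$")


def parse_regex_parameter_map(config: str, name: str) -> List[str]:
    """Return the 'pattern' entries of the named 'parameter-map type regex' block."""
    patterns, inside = [], False
    for line in config.splitlines():
        hdr = PMAP_HEADER_RE.match(line)
        if hdr:
            inside = hdr.group(1) == name
            continue
        if not line.startswith(" "):
            inside = False          # '!' or a new top-level command ends the block
            continue
        if inside:
            m = PATTERN_RE.match(line)
            if m:
                patterns.append(m.group(1))
    return patterns


def is_bypassed(name: str, patterns: List[str]) -> bool:
    """True if the query name matches a local-domain pattern.

    Assumption: the router matches the whole name, case-insensitively. With
    search semantics instead, a name such as 'corp.example.com.attacker.test'
    would also match '.*\.corp\.example\.com'; anchoring patterns with '$'
    keeps the result the same under both interpretations.
    """
    return any(re.fullmatch(p, name, re.IGNORECASE) for p in patterns)


def classify_queries(names: List[str], patterns: List[str]) -> Dict[str, bool]:
    """Map each query name to True (bypasses Umbrella) or False (forwarded to Umbrella)."""
    return {n: is_bypassed(n, patterns) for n in names}


def overbroad_patterns(patterns: List[str], probe: str = "unrelated-host.example.net") -> List[str]:
    """Patterns that also match a name clearly outside the organisation."""
    return [p for p in patterns if re.fullmatch(p, probe, re.IGNORECASE)]


if __name__ == "__main__":
    pats = parse_regex_parameter_map(SAMPLE_RUNNING_CONFIG, "dns_bypass")
    queries = ["files.corp.example.com", "intranet", "printer.local",
               "www.cisco.com", "corp.example.com.attacker.test"]
    for name, bypass in classify_queries(queries, pats).items():
        print(f"{name:35} {'bypass (local DNS)' if bypass else 'Umbrella'}")
    print("over-broad patterns:", overbroad_patterns(pats))
```

Run it against the real "show run | be <map-name>" output and a list of names taken from the internal DNS zone plus a few external ones; any external name reported as bypass, or any pattern listed as over-broad, means the local-domain list is wider than the internal namespace it is meant to cover.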