Cisco Umbrella - ISR4k integration troubleshooting guide

Overview

This article is a continuation of Cisco Umbrella Integration For ISR4k deployment guide and is provided as a guide to aid troubleshooting registration issues, as well as problems with internal and external DNS resolution.

Registration and Certificate import

2. Import the CA certificate to the ISR4k via CLI using either of the following methods:

Import from URL
Issue the command and allow ISR4k fetch the cert: 

crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b

Import directly in terminal
Copy and paste the CA certificate (see attachment) using the command: 

crypto pki trustpool import terminal

3. Enter the API token to ISR4k CLI using the command: 

parameter-map type umbrella global
token XXXXXXXXXXXXXXXXXXXXXXXXXXXX

4. Bare minimum sample configuration on ISR4k: 

interface GigabitEthernet0/0/0
ip address 192.168.50.249 255.255.255.252
ip nat outside
umbrella out

interface GigabitEthernet0/0/1.10
encapsulation dot1Q 10
ip address 192.168.8.254 255.255.255.0
ip nat inside
umbrella in odns_v10_5

Verifying the certificate import and device registration

1. Verify if the CA certificate has been stored successfully on the ISR4k device:

a. If the certificate import was done using the URL, issue the command dir nvram: to verify that the ios.p7b certificate is successfully stored in the device NVRAM. 

b. If the certificate import was done using the copy/paste method, run the command show cry pki trustpool and verify the serial number and cn of the certificate:

2. To verify successful registration of the ISR4k run the command show umbrella deviceid
Sample output:

Dashboard output:

Debugging & Logging

• Verify ISR4k version: show version or show platform  (required Cisco IOS XE Denali 16.3 or newer) 
• Enable device registration debug logs: "debug umbrella device-registration" then "show logging" (to disable - no debug umbrella device-registration)
  
  Below are some sample logs:

Certificate missing: 
Jun 13 04:05:32.639: %OPENDNS-3-SSL_HANDSHAKE_FAILURE: SSL handshake failed

Certificate installed and device is successfully registered:
*%PKI-6-TRUSTPOOL_DOWNLOAD_SUCCESS: Trustpool Download is successful
*%OPENDNS-6-DEV_REG_SUCCESS: Device id for interface/tag GigabitEthernet0/0/1/odns_v10_5 is 010a0e4bc14

Api.opendns.com is not resolvable:
*%UMBRELLA-3-DNS_RES_FAILURE: Failed to resolve name api.opendns.com Retry attempts:0

• Verify DNS resolution: There is no 'dig' or 'nslookup' command available on ISR4k.  It is best use "ping hostname source interface #" from the ISR4k CLI
• ISR with VRF configured on the interface, make sure you have "ip name-server vrf <vrf_name> <dns_server_ip>" configured and verify with "ping vrf <vrf_name> api.opendns.com"
• Ensure "ip dns server" is configured - this allows the ISR to be queried directly.
• To disable DNSCrypt: parameter-map type umbrella global > no dnscrypt
• Internal domain verification: Run the command show umbrella config and look for the Local Domain Regex, example:
  • show umbrella config > Local Domain Regex parameter-map: dns bypass
  • show run | be dns_bypass
  • show platform hardware qfp active feature dns-snoop-agent client hw-pattern-list
• Unable to import certificate using URL or certificate imported using terminal is getting deleted after reboot:

crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b

% Error: failed to open file.

% No certificates imported from http://www.cisco.com/security/pki/trs/ios.p7b.

Workaround: manually download "ios.p7b" cert bundle via curl and copy to the Router's flash > Clear existing certificate from pool > Import "ios.p7b" cert bundle from flash:

Show run | sec crypto pki

crypto pki certificate pool

cabundle nvram:Trustpool15.cer

crypto pki trustpool clean

crypto pki trustpool import url flash:ios.p7b

Reading file from bootflash:ios.p7b

% PEM files import succeeded.