Cisco Bug: CSCvi11609 - DNS snooping not working for URL ACL after upgrade to 8.5 release

Last Modified

Aug 09, 2019

Products (1)

  • Cisco 5500 Series Wireless Controllers

Known Affected Releases

8.5(120.0)

Description (partial)

Symptom:
After upgrading to 8.5, DNS snooping appears to be broken: randomly (most of the time), access to the URLs listed in the pre-auth ACL is not allowed, so when the client tries to reach one of the login pages that should be permitted by the pre-auth ACL URLs, the WLC redirects it back to the initial Web-Auth login page.

Captures confirm that the DNS response for the URL of the new web server is successful. However, AP debugs indicate that the AP never receives the URLs from the WLC, so it never performs DNS snooping. As a result, when the client starts a TCP HTTPS session with this new login web server, it is redirected again and stays in that loop.

Conditions:
Guest WLAN doing Web-Authentication against an external web server that offers multiple login options. When the client selects one of the login options, another web server is accessed for a second login page, which finally grants the client access (similar to CMX Connect doing external Web-Auth with social media logins, which must be allowed in the pre-auth ACL on the WLC).

The pre-auth ACL is properly configured on the WLC with URLs (so DNS snooping is in use).

Related Community Discussions

85MR3 Interim Build Availability
We are pleased to announce the fourth 85MR3 Interim (8.5.124.64) for production deployment. Access Request: http://cs.co/85MR3Interim (within 24 hours automatic access to software download will be given). Software Image Download: http://cs.co/85MR3imagerepository [NOTE: Please make sure to use the Aspera Client to download files; if downloading for the first time from shares.cisco.com you will be prompted to install the Aspera Client on top of the website]. Feedback Form: http://cs.co/85MR3Feedback ...
Latest activity: May 27, 2018