Cisco Bug: CSCvi11609 - DNS snooping not working for URL ACL after upgrade to 8.5 release
Sep 15, 2019
- Cisco 5500 Series Wireless Controllers
Known Affected Releases
Symptom: After upgrading to 8.5, DNS snooping appears to be broken: most of the time, access to the URLs listed in the pre-auth ACL is not allowed, so when the client tries to reach one of the login pages that the pre-auth ACL URLs should permit, the WLC redirects it back to the initial Web-Auth login page. Packet captures confirm that the DNS response for the new web server's URL is successful; however, AP debugs suggest that the AP never receives the URLs from the WLC, so it never performs DNS snooping. As a result, when the client opens a TCP/HTTPS session to this new login web server, it is redirected again and remains in that loop.

Conditions: Guest WLAN doing Web-Authentication against an external web server that offers multiple login options; when the client selects one of them, a second web server is accessed for another login page, which finally grants the client access (similar to CMX Connect doing external Web-Auth with social-media logins, which must be allowed in the pre-auth ACL on the WLC). The pre-auth ACL is properly configured on the WLC with URLs (so DNS snooping is in use).
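To make the mechanism in the symptom concrete, here is an added Python model of the AP side (example code, not Cisco's): the WLC pushes the ACL's FQDNs to the AP, the AP learns addresses by parsing DNS responses for those names, and a pre-auth flow is allowed only to a learned address. The hostname, address and DNS packet are constructed; an AP with an empty FQDN list, as in the bug, redirects every flow.

```python
import ipaddress
import struct

def _read_name(pkt, off):
    """Read a DNS name at off, following compression pointers; return (name, offset after the field)."""
    labels, end = [], None
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                                     # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n

class ApPreAuthAcl:
    """AP-side view of a URL-based pre-auth ACL: FQDNs pushed by the WLC plus IPs learned by snooping."""
    def __init__(self, fqdns_from_wlc):
        self.fqdns = set(fqdns_from_wlc)     # empty if the WLC never pushed the URL list (the bug above)
        self.learned_ips = set()

    def snoop_dns_response(self, pkt):
        """Record A-record addresses for answers whose owner name is in the ACL; return newly learned IPs."""
        qd, an = struct.unpack_from("!HH", pkt, 4)               # QDCOUNT, ANCOUNT
        off = 12
        for _ in range(qd):
            off = _read_name(pkt, off)[1] + 4                    # skip QNAME, QTYPE, QCLASS
        new = set()
        for _ in range(an):
            name, off = _read_name(pkt, off)
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
            off += 10
            if rtype == 1 and name in self.fqdns:                # A record for an ACL hostname
                new.add(str(ipaddress.IPv4Address(pkt[off:off + rdlen])))
            off += rdlen
        self.learned_ips |= new
        return new

    def decide(self, dst_ip):  # pre-auth forwarding decision for a client flow
        return "allow" if dst_ip in self.learned_ips else "redirect"

def build_dns_response(qname, ip):
    """Constructed response: one question plus one A answer that points back at the question name."""
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # id, flags (QR, RD, RA), counts
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return header + qname_wire + struct.pack("!HH", 1, 1) + answer
```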