On a Secure Firewall Threat Defense (FTD), the Domain Name Server (DNS) for the management interface (System Settings > DNS Server > Management Interface > DNS Group) may become unreachable when specific conditions are in place. In this example, on an FDM-managed FTD, a data interface is used as the gateway (System Settings > Management Interface > Use the Data Interfaces as the Gateway) and different DNS servers are configured for the data and management interfaces.

The DNS server for the data interface is reachable via the inside interface:

firewall# show run dns
dns domain-lookup inside
DNS server-group dns1
 name-server 192.0.2.100        <======= DNS server for data interface
 domain-name cisco.com
DNS server-group dns2
 name-server 198.51.100.100
dns-group dns1                  <======= DNS server group for data interface

The DNS server for the management interface is reachable via the outside interface on the data plane (Lina engine):

> expert
admin@firewall:~$ cat /etc/resolv.conf
# /etc/resolv.conf
# automatically generated by writeSystemConfigFile.sh ; do not edit
# Tue Oct 24 07:05:04 UTC 2023
nameserver 198.51.100.100       <====== DNS server for management interface
options timeout:2
admin@firewall:~$ exit
logout
> system support diagnostic-cli
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

firewall# show route 198.51.100.100

Routing entry for 198.51.100.100 255.255.255.255
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 203.0.113.111, via outside
      Route metric is 0, traffic share count is 1

Since a data interface is configured as the gateway, management DNS traffic is supposed to be routed through the Lina engine between the internal nlp_int_tap interface and the outside interface.
The packet capture with the trace option on the nlp_int_tap interface shows DNS packet drops due to the No valid adjacency reason:

firewall# show capture
capture capnlp type raw-data trace detail interface nlp_int_tap [Capturing - 918 bytes]
  match udp any any eq domain
firewall# show capture capnlp packet-number 1 trace

11 packets captured

   1: 07:16:58.921323       169.254.1.3.33860 > 198.51.100.100.53:  udp 31   <======= 169.254.1.3 is the internal IP address for the management traffic
Phase: 1
...
Phase: 2
...
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 2824 ns
Config:
nat (nlp_int_tap,inside) source dynamic nlp_client_0_0.0.0.0_17proto53_intf3 interface destination static nlp_client_0_ipv4_10 nlp_client_0_ipv4_10 service nlp_client_0_17svc53_9 nlp_client_0_17svc53_9
Additional Information:
NAT divert to egress interface inside(vrfid:0)   <======= Due to this NAT, packets are diverted to the inside interface.
Untranslate 198.51.100.100/53 to 198.51.100.100/53
...
Phase: 12
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Elapsed time: 2118 ns
Config:
Additional Information:
Found next-hop 203.0.113.111 using egress ifc outside(vrfid:0)   <===== Route lookup returns the outside interface for the DNS server

Phase: 13
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Elapsed time: 353 ns
Config:
Additional Information:
Input route lookup returned ifc outside is not same as existing ifc inside   <==== Suboptimal routing is detected
Doing adjacency lookup on existing ifc inside

Result:
input-interface: nlp_int_tap(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 54712 ns
Drop-reason: (no-adjacency) No valid adjacency, Drop-location: frame 0x000056083b21abbe flow (NA)/NA   <====== Packet is dropped

In the above example, due to the system-configured destination NAT, the egress interface is inside, whereas according to the routing table the server 198.51.100.100 is reachable via the outside interface. This results in suboptimal routing and the packet is dropped with the No valid adjacency drop reason.
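The following added example (not from the original page) parses a trace such as the one above and flags the signature described here: the UN-NAT divert interface and the route-lookup egress interface disagree, and the packet ends in a no-adjacency drop. The sample trace is a constructed, trimmed copy of the output shown above.

```python
import re

# Constructed sample: the trace shown above, trimmed to the lines the parser reads.
SAMPLE_TRACE = """\
Phase: 3
Type: UN-NAT
Additional Information:
NAT divert to egress interface inside(vrfid:0)

Phase: 12
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Additional Information:
Found next-hop 203.0.113.111 using egress ifc outside(vrfid:0)

Phase: 13
Type: SUBOPTIMAL-LOOKUP
Additional Information:
Input route lookup returned ifc outside is not same as existing ifc inside

Result:
output-interface: inside(vrfid:0)
Action: drop
Drop-reason: (no-adjacency) No valid adjacency, Drop-location: frame 0x0 flow (NA)/NA
"""
# Interface names in trace output are followed by "(vrfid:N)".
NAT_DIVERT = re.compile(r"NAT divert to egress interface ([^(\s]+)\(vrfid:\d+\)")
ROUTE_EGRESS = re.compile(r"using egress ifc ([^(\s]+)\(vrfid:\d+\)")
ACTION = re.compile(r"^Action: (\S+)", re.M)
DROP_REASON = re.compile(r"^Drop-reason: \(([^)]+)\)", re.M)


def analyze_trace(trace: str) -> dict:
    """Extract both egress decisions and the verdict; nat_route_conflict is True
    when the NAT divert interface differs from the routed egress interface and
    the packet was dropped with the no-adjacency reason."""
    nat = NAT_DIVERT.search(trace)
    route = ROUTE_EGRESS.search(trace)
    action = ACTION.search(trace)
    drop = DROP_REASON.search(trace)
    nat_ifc = nat.group(1) if nat else None
    route_ifc = route.group(1) if route else None
    drop_reason = drop.group(1) if drop else None
    mismatch = None not in (nat_ifc, route_ifc) and nat_ifc != route_ifc
    return {
        "nat_divert_ifc": nat_ifc,
        "route_egress_ifc": route_ifc,
        "suboptimal_lookup": "Type: SUBOPTIMAL-LOOKUP" in trace,
        "action": action.group(1) if action else None,
        "drop_reason": drop_reason,
        "nat_route_conflict": mismatch and drop_reason == "no-adjacency",
    }
```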
First seen when all of the following conditions are in place:
1. FDM-managed FTD with a data interface used as the gateway (System Settings > Management Interface > Use the Data Interfaces as the Gateway).
2. Dedicated DNS servers are configured for the data and the management interfaces (System Settings > DNS Server).
3. The DNS servers for the data and management interfaces are reachable via different data plane interfaces.
Other conditions may also exist.
Use the same DNS server for the data and management interfaces and ensure it is reachable via the same data plane interface.