Forum Discussion
HTTP error 503, DNS lookup failed
Hi
I have a BIG-IP APM setup configured with OAuth 2.0 and get the following error.
01490290:3: /Common/exampleAP:Common:b6e14800:/Common/exampleAP_act_oauth_client_ag: OAuth Client: failed for server '/Common/example_server' using 'authorization_code' grant type (client_id=exampleID), error: HTTP error 503, DNS lookup failed
I believe I set up the name servers correctly; when I try from the CLI everything works fine, with no problem running curl commands to the same domain address. Is there a command-line way to validate the DNS configuration? Even when I try to discover the endpoints, I see no issue reading them and updating all required endpoints.
But at runtime it fails with a 503 error. Does the BIG-IP use the management interface for connecting to the outside network? This is the only interface we are allowed to connect outside with. Any help would be appreciated.
Thanks
Madhava
- madhavaAltocumulus
I was able to fix the issue by creating a new DNS Resolver and Name Server. Thanks AubreyKingF5, "front-side APM interface has a route to that IP" gave some clue for the direction.
Thanks
Madhava
- AubreyKingF5Moderator
always happy to help!
I have this exact error and have been grappling with it all week. DNS is in place and resolves all hostnames. Our Oauth traffic uses route domain 0 to reach Azure with no issues. We've tried both a non-default partition and Common partition. Tested nslookup from CLI and everything seems fine.
Does the DNS resolver need to have Forward Zones in place? My DNS resolver IPs are the same DNS servers as the main BIG-IP. When we do try to create a Forward Zone and use (.) as a forward zone we get an error "nullGeneral database error." Does this need to be configured only on the CLI?
"OAuthClientToAzureAD_act_oauth_client_ag: OAuth Client: failed for server '/AzureAD_Server' using 'authorization_code' grant type (client_id=XXXXXXXXXXXXXXXXXXXXXX), error: HTTP error 503, DNS lookup failed."
I have tried everything recommended in this link - Error Message: 01490290:3: OAuth Client: failed for server error: HTTP error 503 <error message> (f5.com) regarding the DNS resolver.
Why would we still get this error despite DNS working fine on the BIG-IP? Does it matter that I see 100% Misses in the DNS Resolver client cache?
- AubreyKingF5Moderator
So, if you ping -I (your external interface name, as seen in 'ifconfig') to the address of the DNS server, you get responses? Your OAuth DNS requests will be coming out the front-side interface - so, from your SNAT IP (usually) or VIP, not management, as your digs and nslookups would use.
Aubrey
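The check Aubrey describes, written out as an added example (not code from the thread or from F5): a single DNS A query is sent with the UDP socket bound to a chosen source address, so the path exercised is the one from a self-IP or SNAT address rather than the management interface that dig and nslookup use. The hostname, server and source IP are placeholders; a REFUSED answer (rcode 5) points at the resolver's recursion policy rather than at routing.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Build a minimal DNS A query for `name` with RD set (a recursive lookup)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data, qid):
    """Return (rcode, [A-record IPs]); raises if the transaction id does not match."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F  # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED (recursion denied)

    def skip_name(o):  # walk labels, honouring a compression pointer
        while True:
            l = data[o]
            if l == 0:
                return o + 1
            if l & 0xC0 == 0xC0:
                return o + 2
            o += 1 + l

    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4
    ips = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, ips

def resolve_from(name, server, source_ip, timeout=2.0):
    """Query `server` for `name` from `source_ip`, e.g. a self-IP instead of the mgmt address."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((source_ip, 0))
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, qid)

if __name__ == "__main__":
    import sys
    # placeholders: IdP hostname, DNS server IP, BIG-IP self-IP to test from
    if len(sys.argv) == 4:
        print(resolve_from(sys.argv[1], sys.argv[2], sys.argv[3]))
```

A timeout from the self-IP while the same query works from the management address confirms the routing problem the thread describes; rcode 5 confirms a recursion restriction instead.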
- AubreyKingF5Moderator
Control plane traffic, like bash or tmsh, will use the management interface, yes. Is the management DNS not set to recurse? If it CAN recurse, then it can get an IP for the name and, as long as the front-side APM interface has a route to that IP, you should be good.
Some DNS admins shut off or restrict recursion because recursive DNS is VERY easy to overwhelm, externally via NXDOMAIN attacks, and can really easily shut down internal DNS resources. I've known lots of internal DNS admins who have an allowlist of domains to trust for recursion - like OKTA makes total sense - but they need to populate that allowlist, usually by some IT request or such.
Also, I'm assuming you did this already: https://my.f5.com/manage/s/article/K13205
- madhavaAltocumulus
Thanks AubreyKingF5. Yes, I already did https://my.f5.com/manage/s/article/K13205 .
Actually I am trying a network capture on 53, but I am not seeing any DNS queries coming out of the BIG-IP except on the mgmt interface (OAuth token validation does not go through mgmt, as confirmed by you earlier). What could be wrong? I am new to the product and administration, any help would be appreciated. Yes, management DNS is enabled for recurse.
Thanks
Madhava
- JHDUKEAltostratus
For what it's worth, I was able to resolve this by adding a forwarding zone to my defined DNS Resolver.