I have a BIG-IP APM setup configured with OAuth 2.0 and get the following error:
01490290:3: /Common/exampleAP:Common:b6e14800:/Common/exampleAP_act_oauth_client_ag: OAuth Client: failed for server '/Common/example_server' using 'authorization_code' grant type (client_id=exampleID), error: HTTP error 503, DNS lookup failed
I believe I set up the name servers correctly; when I try from the CLI everything works fine, with no problem running curl commands to the same domain address. Is there a command-line way to validate the DNS configuration? Even when I try to discover the endpoints, I see no issue reading them and updating all required endpoints.
But at runtime it fails with a 503 error. Does the BIG-IP use the management interface for connecting to the outside network? This is the only interface we are allowed to use to connect outside. Any help would be appreciated.
Control plane traffic, like bash or tmsh, will use the management interface, yes. Is the management DNS not set to recurse? If it CAN recurse, then it can get an IP for the name and, as long as the front-side APM interface has a route to that IP, you should be good.
Some DNS admins shut off or restrict recursion because recursive DNS is VERY easy to overwhelm, externally via NXDOMAIN attacks, and can really easily shut down internal DNS resources. I've known lots of internal DNS admins who have an allowlist of domains to trust for recursion - like OKTA makes total sense - but they need to populate that allowlist, usually by some IT request or such.
Also, I'm assuming you did this already: https://my.f5.com/manage/s/article/K13205
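To make the control-plane versus data-plane split concrete, here is an added diagnostic script (not from F5 or from this thread) that shows which DNS settings bash/curl use, which resolver TMM uses for the APM OAuth client, and captures port 53 on both sides. It assumes a BIG-IP bash shell with tmsh, tcpdump and coreutils timeout available; the `apm oauth oauth-server` tmsh path and the server name are assumptions, and the log line used as input is the one quoted above.

```bash
#!/bin/bash
# Added example, not F5 tooling. Run from the BIG-IP bash shell.

# Pure helper: given an APM log line, print the OAuth server name if the
# line reports a DNS lookup failure, otherwise return 1.
oauth_dns_failure_server() {
  local line="$1"
  case "$line" in
    *"DNS lookup failed"*) ;;
    *) return 1 ;;
  esac
  # "... failed for server '/Common/example_server' ..." -> /Common/example_server
  printf '%s\n' "$line" | sed -n "s/.*failed for server '\([^']*\)'.*/\1/p"
}

# Control plane: what bash, curl and dig use (management interface,
# /etc/resolv.conf). This is NOT what the OAuth client uses at runtime.
show_management_dns() {
  tmsh list sys dns
}

# Data plane: TMM resolves names through a net dns-resolver object whose
# name servers must be reachable over a TMM VLAN, not over mgmt.
show_dataplane_dns() {
  tmsh list net dns-resolver
}

# Which resolver the OAuth server object points at (tmsh path assumed).
show_oauth_server() {
  local server="${1:-/Common/example_server}"   # placeholder name
  tmsh list apm oauth oauth-server "$server"
}

# Capture DNS on all TMM VLANs (interface 0.0) and on management (eth0).
# If queries only ever appear on eth0, TMM is not resolving at all.
capture_dns() {
  local secs="${1:-30}"
  echo "== TMM (data plane, 0.0) =="
  timeout "$secs" tcpdump -nni 0.0 -s0 port 53 2>/dev/null
  echo "== management (eth0) =="
  timeout "$secs" tcpdump -nni eth0 -s0 port 53 2>/dev/null
}
```

Run `show_dataplane_dns` and `show_oauth_server` first: if no dns-resolver is attached, or its name servers are only reachable via the management network, the OAuth client will fail with "DNS lookup failed" even though curl from bash works.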
Actually, I am trying to capture network traffic on port 53, but I am not seeing any DNS queries coming out of the BIG-IP except on the mgmt interface (OAuth token validation does not go through mgmt, as you confirmed earlier). What could be wrong? I am new to the product and its administration; any help would be appreciated. Yes, management DNS is enabled for recursion.