Technical Forum
Ask questions. Discover Answers.

HTTP error 503, DNS lookup failed

madhava
Altocumulus

Hi

I have a BIG-IP APM setup configured with OAuth 2.0 and get the following error.

01490290:3: /Common/exampleAP:Common:b6e14800:/Common/exampleAP_act_oauth_client_ag: OAuth Client: failed for server '/Common/example_server' using 'authorization_code' grant type (client_id=exampleID), error: HTTP error 503, DNS lookup failed

I believe I set up the name servers correctly; when I try from the CLI everything works fine, with no problem running curl commands to the same domain address. Is there a command-line way to validate the DNS configuration? Even when I try to discover the endpoints, I see no issue reading them and updating all required endpoints.

But at runtime it fails with a 503 error. Does the BIG-IP use the management interface for connecting to the outside network, because this is the only interface we are allowed to connect outside? Any help would be appreciated.

Thanks

Madhava

1 ACCEPTED SOLUTION

madhava
Altocumulus

I was able to fix the issue by creating a new DNS Resolver and Name server. Thanks @AubreyKingF5, "front-side APM interface has a route to that IP" gave some clue for the direction.

Thanks

Madhava

4 REPLIES

AubreyKingF5
Community Manager

Control plane traffic, like bash or tmsh, will use the management interface, yes. Is the management DNS not set to recurse? If it CAN recurse, then it can get an IP for the name and, as long as the front-side APM interface has a route to that IP, you should be good.

Some DNS admins shut off or restrict recursion because recursive DNS is VERY easy to overwhelm, externally via NXDOMAIN attacks, and can really easily shut down internal DNS resources. I've known lots of internal DNS admins who have an allowlist of domains to trust for recursion - like OKTA makes total sense - but they need to populate that allowlist, usually by some IT request or such.

Also, I'm assuming you did this already: https://my.f5.com/manage/s/article/K13205

Thanks @AubreyKingF5. Yes, I already did https://my.f5.com/manage/s/article/K13205.

Actually, I am trying a network capture on 53, but I am not seeing any DNS queries coming out of the BIG-IP except on the mgmt interface (OAuth token validation does not go through mgmt, as confirmed by you earlier). What could be wrong? I am new to the product and its administration; any help would be appreciated. Yes, management DNS is enabled for recursion.

Thanks

Madhava

always happy to help!
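
For triaging the error quoted in the question, the following is an added example, not part of the thread and not F5 tooling: it parses APM log lines of the shape shown above and counts DNS lookup failures per OAuth server object, which points at the server whose DNS resolver and route need checking. The field names and every sample line except the error text from the question are constructed assumptions.

```python
import re
from collections import Counter

# Pattern derived only from the single log line quoted in the thread.
# Group names (msg_id, severity, profile, ...) are labels chosen for this example.
OAUTH_FAIL = re.compile(
    r"(?P<msg_id>[0-9a-f]{8}):(?P<severity>\d+): "
    r"(?P<profile>[^:]+):(?P<partition>[^:]+):(?P<session>[0-9a-f]+):(?P<agent>[^:]+): "
    r"OAuth Client: failed for server '(?P<server>[^']+)' "
    r"using '(?P<grant>[^']+)' grant type \(client_id=(?P<client_id>[^)]*)\), "
    r"error: (?P<error>.*)$"
)

def parse_oauth_failure(line):
    """Return the fields of an OAuth client failure line, or None if no match."""
    m = OAUTH_FAIL.search(line.strip())
    return m.groupdict() if m else None

def dns_failures_by_server(lines):
    """Count 'DNS lookup failed' errors per OAuth server object."""
    counts = Counter()
    for line in lines:
        rec = parse_oauth_failure(line)
        if rec and "dns lookup failed" in rec["error"].lower():
            counts[rec["server"]] += 1
    return counts

# Constructed sample input: the message body of the first line is the one from
# the question; the syslog prefix and all other lines are made up for the demo.
SAMPLE_LINES = [
    "Jul 26 12:00:01 bigip1 err apmd[1234]: 01490290:3: /Common/exampleAP:Common:b6e14800:"
    "/Common/exampleAP_act_oauth_client_ag: OAuth Client: failed for server "
    "'/Common/example_server' using 'authorization_code' grant type "
    "(client_id=exampleID), error: HTTP error 503, DNS lookup failed",
    "Jul 26 12:03:17 bigip1 err apmd[1234]: 01490290:3: /Common/exampleAP:Common:c7f25911:"
    "/Common/exampleAP_act_oauth_client_ag: OAuth Client: failed for server "
    "'/Common/example_server' using 'authorization_code' grant type "
    "(client_id=exampleID), error: HTTP error 503, DNS lookup failed",
    "Jul 26 12:05:40 bigip1 err apmd[1234]: 01490290:3: /Common/otherAP:Common:d8a36a22:"
    "/Common/otherAP_act_oauth_client_ag: OAuth Client: failed for server "
    "'/Common/other_server' using 'authorization_code' grant type "
    "(client_id=otherID), error: constructed non-DNS error text",
    "Jul 26 12:06:02 bigip1 notice constructed unrelated log line",
]

if __name__ == "__main__":
    for server, n in dns_failures_by_server(SAMPLE_LINES).items():
        print(f"{server}: {n} DNS lookup failure(s); check its DNS resolver and route")
```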