
WSAM DNS resolution with multiple dns suffix seems wrong

Occasional Contributor

Re: WSAM DNS resolution with multiple dns suffix seems wrong

I will try to reformulate what I feel may be a bug.


JTAC tells me "if you declare WSAM destination resources with their shortname, and you have checked the IP based matching option, then you will be able to access your destination resource using the shortname only. This is because WSAM will first check the resource profile ACL and if it finds a matching entry it will then try to resolve the hostname into an IP."


But this is not what I am seeing in practice. I am declaring my WSAM destination resources using their shortname. When I try to access my resource through WSAM it always works with the shortname and it also works with the FQDN in some cases (which is not the behavior that JTAC presented to me).


We noticed that the use case to resolve the shortname and FQDN of a resource is always the same. When the destination resource you try to reach is declared in the first domain zone of the IVE domain suffix list, you will be able to resolve its shortname and FQDN as well.


Moreover, the IVE admin guide states that when you are using WSAM, all DNS resolution is handled by the IVE unless you check the option "Resolve only host names with domain suffixes in the device DNS domains". I have made several tests with the option ON and OFF and my results are the same. I am trying to resolve internal hostnames so the option will make no difference in my case.


Yesterday I discussed with JTAC and they finally stated that using shortname is simply not recommended because "well, hmmmm.... sometimes it works sometimes it does not work".

I would have appreciated a response like "ok, there is something wrong, unfortunately we won't be able to fix this but we will change the admin guide so it will be clearer" but this is not what happened.


I do not consider the JTAC answer an acceptable answer. I have been working with Juniper products for 10 years now and it is the first time JTAC has acted like this. I am pretty disappointed.


Anyway, now I know that the best way to declare WSAM destination resources is to use the IP address, but I lost 2 weeks on this for nothing.


Best regards,

Thank you to the community who replied to this post.


Occasional Contributor

Re: WSAM DNS resolution with multiple dns suffix seems wrong

WOOOOO!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! I finally have an answer from a JTAC engineer saying that the space between the suffixes is messing around the configuration.


Indeed, it is written in the IVE GUI to declare DNS suffixes "comma space" separated, but when testing with "comma no space" it solved the issue.


I'm going to confirm this with my colleagues but it seems to work.