-------------------------------------------
Original Message:
Sent: Oct 13, 2025 06:16 AM
From: Clem58
Subject: SDWAN Orchestrator and Edgeconnects
I've found the problem: this EC is a hub and has a default 0.0.0.0/0 route to the core switch of the site. The DNS resolution was set with the "any" interface, so when it was using the LAN interface the resolution was "redirected".

If I ping from the CLI without indicating an interface, I can see it's using the management interface.
So I defined the DNS resolution using the mgmt0 interface, and now there are no more DNS resolution issues in the flows.
It was working with the other ECs because they are spokes without a local default route and use the loopback for DNS resolution.
Original Message:
Sent: Oct 13, 2025 04:43 AM
From: CG
Subject: SDWAN Orchestrator and Edgeconnects
Ah maybe you need to move to 9.4.4.2 or 9.4.5 onwards after all.
Original Message:
Sent: Oct 13, 2025 04:38 AM
From: Clem58
Subject: SDWAN Orchestrator and Edgeconnects
Hello,
Our partner has updated the Edgeconnects to the 9.4.3.5_99663 version. It worked for a while, doing the resolutions correctly.
But recently it's having the same issue again, not resolving the IPs to FQDNs for certain destinations, and then our ACL is not working, as it's filtering on domains.
Original Message:
Sent: Sep 05, 2025 05:54 AM
From: Clem58
Subject: SDWAN Orchestrator and Edgeconnects
Hi Matthew,
Interestingly, I have this "% An internal error occurred" output on the ECs with ECOS 9.4.3.5_99663, which don't have the FQDN issue, and I don't have the output bug on the one with ECOS 9.3.7.0_96892, which has the FQDN issue.
Original Message:
Sent: Sep 05, 2025 05:44 AM
From: smithmatt
Subject: SDWAN Orchestrator and Edgeconnects
Had the same issue. If you run show dns cache on any version of 9.4.3.x, you'll be met with the following output:
% An internal error occurred.
The only fix will be 9.4.4.2+, as it was confirmed to me by Aruba that there will be no 9.4.3.8.
Original Message:
Sent: Sep 05, 2025 05:37 AM
From: Clem58
Subject: SDWAN Orchestrator and Edgeconnects
OK, I think the OS could indeed be the root source of the issue!
Many thanks, CG, for your help and quick response!
Original Message:
Sent: Sep 05, 2025 05:29 AM
From: CG
Subject: SDWAN Orchestrator and Edgeconnects
There is another DNS related fix (77502) present from 9.4.3.3 so you may have confirmed an upgrade will help in your test. Sounds positive!
Original Message:
Sent: Sep 05, 2025 05:26 AM
From: Clem58
Subject: SDWAN Orchestrator and Edgeconnects
Something I just tested: with some other Edgeconnects, on ECOS 9.4.3.5_99663, the IP2 is correctly showing the FQDNs, so I wonder if it's not an issue with the OS indeed.
Original Message:
Sent: Sep 05, 2025 05:15 AM
From: Clem58
Subject: SDWAN Orchestrator and Edgeconnects
ECOS version: 9.3.7.0_96892
Original Message:
Sent: Sep 05, 2025 05:11 AM
From: CG
Subject: SDWAN Orchestrator and Edgeconnects
Interesting that the src domain was DNS snooped successfully, but not the destination.
Which version of ECOS are you running?
Original Message:
Sent: Sep 05, 2025 04:46 AM
From: Clem58
Subject: SDWAN Orchestrator and Edgeconnects
Sorry, I don't really get your message. Here is what I get for the destinations with which I have issues:

In the flows, I can see a lot of FQDNs in IP2.
Example:

Original Message:
Sent: Sep 02, 2025 06:43 AM
From: CG
Subject: SDWAN Orchestrator and Edgeconnects
The flow details will always show IP addresses for IP1 and IP2, so that is expected.
For first packet classification, the EC would need to snoop DNS. Is the DNS server request and response also passing through the appliance? If not, your symptoms are expected. If you can get the DNS flows to route through the appliance, I would expect it to be able to place the flow into the correct overlay from first packet and show the 'First Packet Dst Domain' in flow details under the AVC/DNS tab, example below:

Original Message:
Sent: Sep 01, 2025 11:36 AM
From: Clem58
Subject: SDWAN Orchestrator and Edgeconnects
Hello,
We have a weird issue.
We are using ACLs to forward the traffic to a specific BIO. The ACL is using destination: domain and specific FQDNs, but it's not working.
After checking the traffic flows, we can see the destination is not an FQDN but the resolved IP instead. That's why the ACL is not working, as the condition is the destination FQDN.
Why are the Edgeconnects not showing the FQDNs and using the IP for destinations?
-------------------------------------------