Bit of a strange one here...
ArubaOS: 6.1.3.8
I have a few netdestinations defined:
netdestination ocsp.digicert.com
  name ocsp.digicert.com
!
netdestination api.mixpanel.com
  network 198.23.64.0 255.255.255.224
!
netdestination google
  name .googleapis.com
!
netdestination ocsp-geotrust
  host 69.58.183.140
  host 216.168.252.157
!
netdestination stripe
  name .stripe.com
!
I have these attached to whitelist ACLs for the logon role, as they are meant to be allowed for captive portal guests before authentication.
DNS lookups are enabled on the controller:
ip domain lookup
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
It seems that the first time a guest tries to load a captive portal that references one of the netdestination name sites, the connection is blocked by the controller.
Reloading the page shows that the connection is getting through on the next attempt.
This seems to repeat itself quite a bit, as guests connect and have their first attempt blocked, but subsequent attempts work without issue. The pump needs to be primed, so to speak.
Is this the correct behaviour? When does the Controller actually do a DNS lookup? On configuration? Or at runtime, when a packet is destined for a host with a name entry?
Is there a CLI command that would allow me to see what IP is currently mapped to a named host entry? (Besides 'show netdestination' as that doesn't show enough info... there are only placeholders)