DNS Timer – Negative Effect of DNS Expire-Entry-Timer on ASA Using FQDN ACL

acl, cisco-asa, dns

I have a Cisco ASA using FQDN egress ACLs for a host that changes IP addresses every 10 mins (Apple APNS IP address pool). As soon as the TTL expires for the addresses, my internal server requests a new set of addresses and begins to use those. The ASA, however, will not update the addresses for an additional minute due to the minimum default DNS expire-entry-timer.
Therefore, every 10 mins I get a one-minute window of failed connections until the ASA updates its IP address cache from the DNS. I have tried using

no expire-entry-timer minutes

but this just sets the timer back to the default minimum of 1 minute.

Is there a way to force the ASA to request an update as soon as the TTL expires, or to disable the expire-entry-timer altogether?

Best Answer

After doing some further research, it seems that currently it is not possible to either prevent the ASA from extending the TTL or to force the ASA to renew IP addresses when the original TTL expires. In fact, there is a bug submitted for this particular problem at the following link: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuq61154