PIX Firewall Packet Inspection RADIUS/DNS Problem

Unanswered Question
Apr 26th, 2007


I am running a PIX 525 firewall with PIX software version 7.2.1. I am using the default global service-policy, and RADIUS packets are being dropped with a log message stating that the label length exceeds 63 bytes. The log message (clip below) states that it is a DNS packet, but I know it is RADIUS by the IP address of our RADIUS servers and the port number. How can I change the packet inspection to stop dropping these packets? Are the RADIUS packets being misidentified as DNS packets?

Apr 25 17:04:22 cr1 Apr 25 2007 17:04:22: %PIX-4-410001: Dropped UDP DNS request from inside:X.X.X.X/1812 to outside:X.X.X.X/49196; label length 79 bytes exceeds protocol limit of 63 bytes

sbilgi Wed, 05/02/2007 - 11:03

Match the RADIUS packets with ACLs and apply them in the Modular Policy Framework policy-map configuration, customising it so that the RADIUS packets are allowed and inspected.
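As an added example (not from the original poster or from sbilgi), here is one way to carry out that suggestion on a PIX running 7.2. An ACL describing the RADIUS servers is used first to capture and trace the traffic, so you can see which policy class and which inspector the drop is coming from, and then DNS inspection is moved off the broad inspection_default class onto an ACL-scoped class that matches only UDP/53. The addresses, object names, interface names and the preset_dns_map name are assumptions; substitute your own.

```cisco
! Added example, not taken from the thread. All names, addresses and
! interfaces are hypothetical. Assumes the 7.2 default global_policy with
! the inspection_default class and the preset_dns_map DNS policy-map.

! 1. Describe the RADIUS traffic with an ACL: UDP/1812 (authentication) and
!    UDP/1813 (accounting) on the RADIUS servers. Both directions are listed
!    so captures and tracing see the requests and the replies.
object-group network RADIUS_SERVERS
 network-object host 10.1.1.10
 network-object host 10.1.1.11
object-group service RADIUS_PORTS udp
 port-object eq 1812
 port-object eq 1813
access-list RADIUS_TRAFFIC extended permit udp any object-group RADIUS_SERVERS object-group RADIUS_PORTS
access-list RADIUS_TRAFFIC extended permit udp object-group RADIUS_SERVERS object-group RADIUS_PORTS any

! 2. Confirm what is on the wire and which policy class the packet hits
!    before touching inspection. The capture is read with "show capture RADCAP";
!    packet-tracer reports the class-map and inspect action that handled it.
capture RADCAP access-list RADIUS_TRAFFIC interface inside
! packet-tracer input inside udp 10.1.1.10 1812 203.0.113.20 49196

! 3. Scope DNS inspection to real DNS only (UDP/53). A class-map ACL is
!    matched on the connection, so the server's reply from port 53 is
!    covered as well. Nothing else, RADIUS included, reaches the DNS
!    inspector any more.
access-list DNS_ONLY extended permit udp any any eq domain
class-map DNS_CLASS
 match access-list DNS_ONLY

policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
 class DNS_CLASS
  inspect dns preset_dns_map

! 4. Verify: DNS counters should now appear only under DNS_CLASS, and the
!    410001 drops for the RADIUS servers should stop.
! show service-policy global_policy inspect dns
! show logging | include 410001
```

The point of steps 1 and 2 is that a 410001 drop can only come from a class that carries an inspect dns action, so identify that class before changing anything; if packet-tracer shows the RADIUS packet being matched by a class wider than UDP/53, that class is what needs narrowing. Remove the capture (no capture RADCAP) once you are done.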
