PIX Firewall Packet Inspection RADIUS/DNS Problem

Unanswered Question
Apr 26th, 2007
I am running a PIX 525 firewall with PIX software version 7.2.1. I am using the default global service-policy, and RADIUS packets are being dropped with a log message stating that the label length exceeds 63 bytes. The log message (clipped below) states that it is a DNS packet, but I know it is RADIUS from the IP address of our RADIUS servers and the port number. How can I change the packet inspection to stop dropping these packets? Are the RADIUS packets being misidentified as DNS packets?

Apr 25 17:04:22 cr1 Apr 25 2007 17:04:22: %PIX-4-410001: Dropped UDP DNS request from inside:X.X.X.X/1812 to outside:X.X.X.X/49196; label length 79 bytes exceeds protocol limit of 63 bytes

sbilgi Wed, 05/02/2007 - 11:03

Match the RADIUS packets with ACLs and apply them in the Modular Policy map configuration to customise it, in order to allow and inspect the RADIUS packets.
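One way to do what the reply above suggests, written here as an added example rather than configuration from the thread or from Cisco: keep the default global policy (so the DNS inspector's 63-byte label check still protects real DNS on udp/53) but narrow the default inspection class with an ACL so that RADIUS authentication and accounting traffic is never handed to the DNS inspector. The ACL name `NO-RADIUS-INSPECT` and the RADIUS ports 1812/1813 are assumptions (the log in the question shows 1812; add 1645/1646 if your servers use the legacy ports). The `preset_dns_map` reference is the default DNS inspection policy-map that PIX 7.2 ships with; verify the name in your own running configuration before pasting.

```cisco
! Added example, not from the thread. PIX 7.2 syntax.
! Deny (exclude from inspection) RADIUS in both directions, permit everything else.
access-list NO-RADIUS-INSPECT extended deny udp any eq 1812 any
access-list NO-RADIUS-INSPECT extended deny udp any any eq 1812
access-list NO-RADIUS-INSPECT extended deny udp any eq 1813 any
access-list NO-RADIUS-INSPECT extended deny udp any any eq 1813
access-list NO-RADIUS-INSPECT extended permit ip any any
!
! The default class may combine "match default-inspection-traffic" with one
! "match access-list"; traffic must satisfy both to be inspected, so the
! denied RADIUS flows drop out of the inspection class only.
class-map inspection_default
 match default-inspection-traffic
 match access-list NO-RADIUS-INSPECT
!
! Leave the default inspections in place; only the class membership changed.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
```

After applying it, confirm the change took effect with `show service-policy global` (the DNS inspection counters should stop incrementing for the RADIUS flows) and watch `show logging` for further `%PIX-4-410001` entries that mention port 1812 or 1813. The ACL only controls which flows the inspectors see; it does not permit or deny the RADIUS traffic itself, so interface access-lists are unaffected.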