Error message on FWSM module

jimmy-mcintyre (Level 1)

I keep seeing the following error messages on FWSM.

106007: Deny inbound UDP from rs-dc2/53 to fs-secweb001/1026 due to DNS Response

Both servers are on separate interfaces. rs-dc2 is a Windows 2003 server and fs-secweb001 is a web server on a VLAN with a security level less than the inside but greater than the outside interface.

There is no access list stopping traffic and the security should allow the communication (i.e. high to low).

Any ideas?


gfullage (Cisco Employee)

Syslog messages are all detailed in the documentation here (look for message 106007):

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/system/message/fwsm_log.html

Your particular message is due to the DNS inspection within the FWSM. Basically rs-dc2 is a DNS server and your web server is sending DNS requests to it (and to another external server). The FWSM monitors these requests and only allows one DNS response per request. Another DNS server has already answered this request from the web server, and so the slower response from rs-dc2 is being dropped.

Nothing to worry about, but if you don't want it to happen you can turn off the DNS inspection and it'll go away.
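The one-response-per-query behaviour described in the reply above, as an added example that is not part of the original thread and is not FWSM code: a small Python model of a DNS guard that opens a slot when it forwards a query and closes it on the first answer, logging a 106007-style line for any later answer. The host names fs-secweb001 and rs-dc2 come from the post; the external server name, the transaction ID, the keying on client address/port plus DNS transaction ID, and the header-only DNS datagrams are assumptions constructed for the demo.

```python
import struct

# Constructed endpoints for the demo. The first two names are from the
# post; "external-dns" stands in for the other server the reply mentions.
WEB = "fs-secweb001"
DC = "rs-dc2"
EXT = "external-dns"


def build_dns(txid: int, response: bool) -> bytes:
    """Build a header-only DNS message (12 bytes). The guard only needs
    the transaction ID and the QR bit, so no question section is added."""
    flags = 0x8180 if response else 0x0100   # QR+RD+RA for answers, RD for queries
    return struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)


def parse_dns_header(payload: bytes) -> tuple:
    """Return (transaction id, is_response). A truncated header is an
    error, not something to guess at; an inspector should drop it."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header (%d bytes)" % len(payload))
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)


class DnsGuard:
    """Stateful filter: exactly one answer is forwarded per outstanding query.
    Assumption (not from the page): outstanding queries are keyed on the
    client address, the client UDP port and the DNS transaction ID."""

    def __init__(self) -> None:
        self.pending = set()   # (client, client_port, txid)
        self.log = []          # syslog-style lines emitted by the guard

    def process(self, src: str, sport: int, dst: str, dport: int, payload: bytes) -> bool:
        """Return True if the datagram is forwarded, False if it is dropped."""
        txid, is_response = parse_dns_header(payload)
        if not is_response and dport == 53:
            # Outbound query: open one slot for the answer, whichever server sends it.
            self.pending.add((src, sport, txid))
            return True
        if is_response and sport == 53:
            key = (dst, dport, txid)
            if key in self.pending:
                self.pending.remove(key)   # first answer consumes the slot
                return True
            # No outstanding query: a slower duplicate, a replay, or a spoofed answer.
            self.log.append(
                f"106007: Deny inbound UDP from {src}/{sport} to {dst}/{dport} "
                "due to DNS Response")
            return False
        return True   # not DNS traffic the guard tracks


def run_scenario():
    """Replay the situation in the thread: the web server sends the same
    query to both servers; the external one answers first, rs-dc2 later."""
    guard = DnsGuard()
    txid = 0x1A2B
    query = build_dns(txid, response=False)
    answer = build_dns(txid, response=True)
    decisions = [
        guard.process(WEB, 1026, DC, 53, query),     # forwarded, slot opened
        guard.process(WEB, 1026, EXT, 53, query),    # forwarded, same slot
        guard.process(EXT, 53, WEB, 1026, answer),   # forwarded, slot closed
        guard.process(DC, 53, WEB, 1026, answer),    # dropped, 106007 logged
    ]
    return decisions, guard.log


if __name__ == "__main__":
    decisions, log = run_scenario()
    print(decisions)
    for line in log:
        print(line)
```

run_scenario() returns the four forward/drop decisions and the single 106007-style line produced when the slower answer from rs-dc2 arrives after the external server has already answered. An answer for which no query is outstanding at all is dropped the same way, which is the point of the guard beyond the log noise: a replayed or spoofed response cannot reach the client once the real one has been delivered.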

I tried to turn off DNS inspection; it is configured using a policy map on the FWSM. Below is what is configured for the policy map:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp

Would either of the following commands help?

dns retries

To specify the number of times to retry the list of DNS servers when the FWSM does not receive a response, use the dns retries command in global configuration mode. To restore the default setting, use the no form of this command.

  dns retries number
  no dns retries [number]

dns timeout

To specify the amount of time to wait before trying the next DNS server, use the dns timeout command in global configuration mode. To restore the default timeout, use the no form of this command.

  dns timeout seconds
  no dns timeout [seconds]

Many thanks for the help
