Error message on FWSM module

Sep 10th, 2007

I keep seeing the following error messages on FWSM.

    106007: Deny inbound UDP from rs-dc2/53 to fs-secweb001/1026 due to DNS Response

Both servers are on separate interfaces. rs-dc2 is a Windows 2003 server and fs-secweb001 is a web server that is on a VLAN with a security level less than the inside but greater than the outside interfaces.

There is no access list stopping traffic and the security levels should allow the communication (i.e. high to low).

Any ideas?


gfullage (Cisco Employee) Mon, 09/10/2007 - 22:08

Syslog messages are all detailed in the documentation here (look for message 106007):

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/system/message/fwsm_log.html

Your particular message is due to the DNS inspection within the FWSM. Basically rs-dc2 is a DNS server and your web server is sending DNS requests to it (and to another external server). The FWSM monitors these requests and only allows one DNS response per request. Another DNS server has already answered this request from the web server, and so the slower response from rs-dc2 is being dropped.

Nothing to worry about, but if you don't want it to happen you can turn off the DNS inspection and it'll go away.
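To make the behaviour gfullage describes concrete, here is a small Python model of the one-response-per-query rule (an added illustration, not code from this thread or from Cisco). The host names and ports are taken from the logged message; the state key (client address, client port, transaction ID) and the exact log text are assumptions made for the example.

```python
# Added example (not from the thread): a minimal model of the FWSM DNS guard
# behaviour. Names, state key and message format are constructed to
# illustrate the explanation above; they are not real FWSM code or output.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DnsPacket:
    src: str          # sending host
    sport: int        # source UDP port
    dst: str          # receiving host
    dport: int        # destination UDP port
    txid: int         # DNS transaction ID
    is_response: bool


@dataclass
class DnsGuard:
    """Tracks outstanding queries; only the first matching response is allowed."""
    pending: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def handle(self, pkt: DnsPacket) -> bool:
        """Return True if the packet is permitted, False if it is dropped."""
        if not pkt.is_response:
            # A query opens state keyed on the client's address/port and txid.
            self.pending.add((pkt.src, pkt.sport, pkt.txid))
            return True
        key = (pkt.dst, pkt.dport, pkt.txid)
        if key in self.pending:
            # The first answer closes the state, so later answers have no match.
            self.pending.discard(key)
            return True
        # Constructed to resemble the 106007 syslog text quoted in the question.
        self.log.append(
            f"106007: Deny inbound UDP from {pkt.src}/{pkt.sport} "
            f"to {pkt.dst}/{pkt.dport} due to DNS Response"
        )
        return False


def simulate_race() -> tuple:
    """The web server asks two resolvers; the slower answer from rs-dc2 is denied."""
    guard = DnsGuard()
    client = ("fs-secweb001", 1026)
    txid = 0x1A2B  # constructed transaction ID reused for both queries

    def query_to(server: str) -> DnsPacket:
        return DnsPacket(*client, server, 53, txid, False)

    def reply_from(server: str) -> DnsPacket:
        return DnsPacket(server, 53, *client, txid, True)

    results = [
        guard.handle(query_to("rs-dc2")),
        guard.handle(query_to("external-dns")),
        guard.handle(reply_from("external-dns")),  # fast answer: accepted
        guard.handle(reply_from("rs-dc2")),        # slow answer: dropped
    ]
    return results, guard.log
```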

jimmy-mcintyre Mon, 09/10/2007 - 23:58

I tried to turn off DNS inspection; it is configured using a policy map on the FWSM. Below is what is configured for the policy map:


    policy-map global_policy
     class inspection_default
      inspect icmp
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp


Would either of the following commands help?

dns retries

To specify the number of times to retry the list of DNS servers when the FWSM does not receive a response, use the dns retries command in global configuration mode. To restore the default setting, use the no form of this command.

    dns retries number
    no dns retries [number]

dns timeout

To specify the amount of time to wait before trying the next DNS server, use the dns timeout command in global configuration mode. To restore the default timeout, use the no form of this command.

    dns timeout seconds
    no dns timeout [seconds]


Many thanks for the help
