05-30-2008 03:39 AM - edited 03-11-2019 05:52 AM
Hi all
I have the following setup (as per the diagram) and when I try to issue an nslookup command for the webserver from the Linux box in VLAN 40 (212.xx.xx.xx/29) I get a response from the outside interface of Ralph rather than the DNS server 3.45 in VLAN 1. The resolv.conf in Linux has the correct nameserver to query so that's OK, but when I run the packet tracer from the DMZ interface (connected to VLAN 40) to the inside interface (VLAN 1), although the packet gets through it is then dropped with the following message:
(inspect-dns-invalid-pak) DNS Inspect invalid packet. Any ideas? Also, it looks like it has something to do with the Service Policy rules; can someone explain what this is?
Regards
06-05-2008 05:32 AM
I think this problem with DNS is due to a misconfiguration on the internal DNS server, not on any other device. Please check the DNS configuration.
06-05-2008 05:59 AM
Maybe you can change the length in the default inspection on the firewall from 512 to something higher.
You could also check the capture command (or a packet sniffer) to see exactly what kind of DNS request is being generated.
This is the description of this error from Cisco:
"inspect-dns-invalid-pak
DNS Inspect invalid packet
This counter will increment when the security appliance detects an invalid DNS packet. For example, a DNS packet with no DNS header, the number of DNS resource records not matching the counter in the header, etc.
Recommendation: None.
System log messages: None."
This can be seen by the 'show asp drop' command (which is also checked by the packet-tracer).
Regards
Farrukh
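As an added illustration (not code from this thread or from Cisco), the checks below mirror the conditions the counter description lists: a message with no 12-byte DNS header, record counts in the header that do not match the records actually present, and a message longer than the 512-byte inspection maximum mentioned above. The sample packets are constructed here, and the 512 default is an assumption taken from the reply above; running a captured packet through it is one way to see why the appliance counts it as invalid.

```python
import struct

def _skip_name(msg, pos):
    """Advance past a DNS name (labels or a compression pointer); returns the new offset, or None if truncated."""
    while pos < len(msg):
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2 if pos + 2 <= len(msg) else None
        pos += 1 + length
    return None

def validate_dns(msg, max_len=512):  # 512 = assumed inspection "message-length maximum" from the reply above
    """Return a list of reasons an inspector would reject this DNS message; an empty list means it parses cleanly."""
    problems = []
    if len(msg) > max_len:
        problems.append("length %d exceeds maximum %d" % (len(msg), max_len))
    if len(msg) < 12:
        problems.append("no DNS header (fewer than 12 bytes)")
        return problems
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])  # QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    pos = 12
    for _ in range(qd):  # question: name + QTYPE + QCLASS
        pos = _skip_name(msg, pos)
        if pos is None or pos + 4 > len(msg):
            problems.append("question count %d does not match records present" % qd)
            return problems
        pos += 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):  # RR: name + TYPE + CLASS + TTL + RDLENGTH + RDATA
            pos = _skip_name(msg, pos)
            if pos is not None and pos + 10 <= len(msg):
                pos += 10 + struct.unpack("!H", msg[pos + 8:pos + 10])[0]
            else:
                pos = None
            if pos is None or pos > len(msg):
                problems.append("%s count %d does not match records present" % (section, count))
                return problems
    return problems

def build_query(name):
    """Constructed sample: a standard A query for `name` (ID 0x1234, RD set, one question, no other records)."""
    labels = b"".join(bytes([len(part)]) + part.encode() for part in name.split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

GOOD_QUERY = build_query("www.example.com")
# Same packet with ANCOUNT set to 1 but no answer record: the "counter not matching" case from the description
BAD_QUERY = GOOD_QUERY[:6] + struct.pack("!H", 1) + GOOD_QUERY[8:]
```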