Weird ASA issue

Unanswered Question
May 28th, 2009
Today I had a client call and tell me that their domain controllers could not resolve DNS out to the internet. They were looking at the syslog of the ASA and saw it blocking their servers outbound on DNS. I looked at it and didn't see anything, and they said everything was fine. They have a MARS, so I looked in there and found that the domain controllers had been blocked outbound for DNS. The ACL is on the inside interface allowing those two servers outbound for DNS, and it's above any deny rule. It's like the ASA built a dynamic ACL rule and started blocking those servers from resolving DNS. I have never had this happen before in all the installs of the ASAs. The device is running 8(0)4.

TIA for any help/ideas.

dcambron (Cisco Employee) Thu, 05/28/2009 - 10:18

Is your client using IPS? Take a look at your customer's configuration and make sure that there is not a shun command in the ASA.

Kureli Sankar (Cisco Employee) Fri, 05/29/2009 - 17:49

We really need to see the syslogs that you are talking about.

Did someone apply an outbound ACL blocking these on the egress interface?

sh run threat

and see if it is enabled and if that could have caused any issues.

Is the DNS server using PAT or static to go out to the internet?

What did the xlate look like at the time of the problem?

sh xlate debug | i x.x.x.x, where x.x.x.x is the IP address of the DNS server
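The two explanations raised in this thread (an explicit ACL deny versus a threat-detection shun that silently overrides the inside ACL) leave different traces in the ASA syslog. The following is an added example, not code from the original thread or from Cisco, that sorts sample syslog lines by that distinction for a watched set of DNS server addresses; the log lines and the 10.1.1.x addresses are constructed, and the message formats assume the standard ASA 106023, 733102 and 401004 syslog messages.

```python
import re
from collections import defaultdict

# Constructed sample ASA syslog lines (not from the original thread).
SAMPLE_SYSLOG = """\
May 28 09:12:01 fw1 %ASA-4-733102: Threat-detection adds host 10.1.1.10 to shun list
May 28 09:12:03 fw1 %ASA-4-401004: Shunned packet: 10.1.1.10 ==> 8.8.8.8 on interface inside
May 28 09:12:05 fw1 %ASA-4-106023: Deny udp src inside:10.1.1.11/49211 dst outside:8.8.8.8/53 by access-group "inside_access_in" [0x0, 0x0]
May 28 09:12:07 fw1 %ASA-6-302015: Built outbound UDP connection 12345 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.1.1.12/50123 (203.0.113.5/50123)
"""

# Assumed domain controller / DNS server addresses (constructed).
DNS_SERVERS = {"10.1.1.10", "10.1.1.11"}

# 106023: packet denied by a configured access-group (the ACL path).
ACL_DENY = re.compile(r"%ASA-\d-106023: Deny (\w+) src \S+:([\d.]+)/\d+ dst \S+:([\d.]+)/(\d+) by access-group \"([^\"]+)\"")
# 733102: scanning threat detection added a host to the shun list.
SHUN_ADD = re.compile(r"%ASA-\d-733102: Threat-detection adds host ([\d.]+) to shun list")
# 401004: a packet from a shunned host was dropped, regardless of ACLs.
SHUN_PKT = re.compile(r"%ASA-\d-401004: Shunned packet: ([\d.]+) ==> ([\d.]+) on interface (\S+)")


def classify(lines, watched):
    """Return {host: [events]} for watched hosts, separating explicit ACL
    denies of DNS (udp/53) from threat-detection shuns, which drop traffic
    even when the inside ACL permits it."""
    events = defaultdict(list)
    for line in lines:
        if m := ACL_DENY.search(line):
            proto, src, dst, dport, acl = m.groups()
            if src in watched and dport == "53":
                events[src].append(f"acl-deny {proto}/{dport} -> {dst} by {acl}")
        elif m := SHUN_ADD.search(line):
            if m.group(1) in watched:
                events[m.group(1)].append("threat-detection shun added")
        elif m := SHUN_PKT.search(line):
            src, dst, iface = m.groups()
            if src in watched:
                events[src].append(f"shunned packet -> {dst} on {iface}")
    return dict(events)


if __name__ == "__main__":
    for host, evs in classify(SAMPLE_SYSLOG.splitlines(), DNS_SERVERS).items():
        print(host, evs)
```

A host that shows up only under 733102/401004 and never under 106023 is being dropped by threat detection (check `sh run threat` and `sh shun`), not by the configured ACL.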