DNS-INSPECTION DROPS PACKETS

Nov 2nd, 2010

Hi guys, I would really appreciate it if somebody could help me.


I have an ASA 5520 Version 8.0(4) in my network with default inspection. Suddenly many users were having RPC errors when they arrived at work and turned on their computers.


The users told us that they had changed their DNS configs, so we called the system guy at that site, and he told us that they had updated their Active Directory servers to Windows 2008 R2. We troubleshot a little and found that when we remove dns preset_dns_map, the error disappears. Could somebody have any idea about this?




class-map IPS
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect dns preset_dns_map
class IPS
  ips inline fail-open
!
service-policy global_policy global


This is really a big problem because we have about 70 ASAs with the same default inspection and there's no problem on them.


If somebody could help, I would appreciate it.

Maykol Rojas Tue, 11/02/2010 - 12:09
User Badges: Cisco Employee, Featured Participant, Best Post (December 2015)

Hello!!!!!!!


I think I know the issue. Can you ask your server administrator if they are using secure DNS? This will make the packet larger than the one configured by default.


You can increase the packet length:


ciscoasa(config)# policy-map type inspect dns preset_dns_map
ciscoasa(config-pmap)#  parameters
ciscoasa(config-pmap-p)# message-length maximum


In version 8.2 or later you can put it as auto, but for this version you will have to set it manually.


Hope it helps.


Mike
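The size problem described in the reply above, as an added worked example (this is not code from the thread, from Cisco, or from any ASA feature): a client that speaks EDNS0 advertises a UDP payload size above 512 bytes and sets the DO bit, a DNSSEC-aware server answers with RRSIG records, and the reply blows past the 512-byte `message-length maximum` of the default 8.0(4) policy. The packets are constructed inline with the standard library; the RRSIG is filler bytes, not a real signature. The `asa_would_drop` function is a model of the behaviour the reply describes (drop when the reply is longer than the configured maximum; with the 8.2(2)+ `client auto` setting, the limit follows the EDNS0 size the client advertised) and is an assumption, not ASA source code.

```python
"""Added example: why a DNSSEC reply exceeds the 512-byte limit that
`message-length maximum 512` enforces, with a checker for captured replies."""
import struct
from typing import Optional

DNS_HDR = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_TC = 0x0200                      # truncation bit in the header flags
OPT_DO = 1 << 15                      # DNSSEC OK bit, carried in the OPT record's TTL field


def _name(qname: str) -> bytes:
    """Encode a dotted name in DNS wire format (no compression)."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(qname: str, txid: int = 0x1234, edns_udp_size: Optional[int] = 4096,
                dnssec_ok: bool = True) -> bytes:
    """A recursive A query. With EDNS0 the client adds an OPT record that advertises
    a UDP payload size above 512 and sets DO, inviting large signed replies."""
    msg = DNS_HDR.pack(txid, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0)   # RD=1
    msg += _name(qname) + struct.pack("!HH", TYPE_A, 1)                     # IN class
    if edns_udp_size:
        ttl = OPT_DO if dnssec_ok else 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, ttl, 0)  # root name, RDLEN 0
    return msg


def build_signed_response(query: bytes, qname: str, sig_len: int = 600) -> bytes:
    """Constructed sample reply: one A record plus an RRSIG whose RDATA is filler
    (not a real signature); the point is only to reproduce a > 512-byte UDP reply."""
    txid = DNS_HDR.unpack_from(query, 0)[0]
    msg = DNS_HDR.pack(txid, 0x81A0, 1, 2, 0, 1)            # QR, RD, RA, AD; 2 answers, 1 OPT
    msg += _name(qname) + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xc0\x0c"                                        # compression pointer to the question name
    msg += ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
    msg += ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, sig_len) + b"\x00" * sig_len
    msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, OPT_DO, 0)
    return msg


def _skip_name(msg: bytes, off: int) -> int:
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # a compression pointer ends the name
            return off + 2
        off += 1 + length


def inspect_message(msg: bytes) -> dict:
    """Walk a query or reply and report what matters for the ASA length check."""
    _, flags, qd, an, ns, ar = DNS_HDR.unpack_from(msg, 0)
    off = DNS_HDR.size
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                    # QTYPE + QCLASS
    edns_size, dnssec_ok = None, False
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:                             # CLASS field holds the UDP payload size
            edns_size, dnssec_ok = rclass, bool(ttl & OPT_DO)
    return {"length": len(msg), "truncated": bool(flags & FLAG_TC),
            "answers": an, "edns_udp_size": edns_size, "dnssec_ok": dnssec_ok}


def asa_would_drop(reply: bytes, configured_max: int = 512, client_auto: bool = False,
                   client_query: Optional[bytes] = None) -> bool:
    """Model (assumption, not ASA code) of `inspect dns` with `message-length maximum N`:
    drop any reply longer than N. With `message-length maximum client auto` (8.2(2)+)
    the limit is raised to the EDNS0 size the client advertised in its query."""
    limit = configured_max
    if client_auto and client_query is not None:
        advertised = inspect_message(client_query)["edns_udp_size"]
        if advertised:
            limit = max(limit, advertised)
    return len(reply) > limit


if __name__ == "__main__":
    q = build_query("example.com.")
    r = build_signed_response(q, "example.com.")
    info = inspect_message(r)
    print(f"reply length {info['length']} bytes, EDNS0 size {info['edns_udp_size']}, DO={info['dnssec_ok']}")
    print("dropped by 'message-length maximum 512':", asa_would_drop(r))
    print("dropped with 'client auto' (8.2(2)+):   ", asa_would_drop(r, client_auto=True, client_query=q))
```

To see the same thing against a real resolver from a host behind the ASA, `dig +dnssec +bufsize=4096 example.com` asks for the signed answer with a 4096-byte EDNS0 buffer; the `;; MSG SIZE  rcvd:` line at the end of dig's output is the length the inspection policy compares against its maximum. If the reply never arrives while a plain `dig example.com` does, the length check is the first thing to suspect.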

Leonardo Fernan... Tue, 11/02/2010 - 12:29

Thanks for the reply. I will ask for this information, but I really don't have any idea why this problem appears on just one ASA while the rest of them seem to be OK. Anyway, I don't want to dismiss anything about this update you are advising me on.


I think this is the update you have in mind:


For enterprises operating Microsoft Server infrastructure, there are specific things needed in place before May 5th.

Windows Server 2008 and Windows Server 2008 R2 will support the new DNSSEC implementation, but only if it is implemented. It is an optional choice during installation (see Microsoft's "DNSSEC Deployment Guide," published in October 2009).

There is only limited support for DNSSEC in Windows Server 2003 DNS. Under the new DNSSEC, Windows 2003 can act as a secondary DNS server for an existing DNSSEC-compliant zone. Windows Server 2003 will cache the new, larger records but not perform cryptography, authentication, or verification. Only Windows Server 2008 implementations with DNSSEC implemented will provide full DNSSEC support. For more information refer to the following Microsoft items:

There are other possible breakpoints for the DNSSEC response, namely firewalls. Older firewalls, and some newer ones, will drop UDP port 53 (DNS response) traffic larger than 512 bytes by default. For example, Cisco PIX / ASA will not support DNSSEC through DNS inspection on versions before 8.2.2. Therefore, IT leaders will have to disable DNS inspection (not recommended) or, if possible, migrate to ASA 8.2.2 or higher. SOHO routers may also be problematic if they proxy DNS.


Thanks

Maykol Rojas Tue, 11/02/2010 - 16:18

You got it!!!


Clients on inside networks behind an ASA version lower than 8.2.2 will have problems. ASA version 8.2.2 or higher has the DNS map as auto.


Hope this helps and let me know the results.


Thanks!


Mike

Leonardo Fernan... Wed, 11/10/2010 - 09:16

Hi, sorry for not answering this discussion earlier. We upgraded our ASA to version 8.2(3), but the problem with the computers persists. We opened a TAC case and they are helping us.


I'll update this discussion if we get any updates from Cisco.

Maykol Rojas Wed, 11/10/2010 - 10:22

Hello Luis,


Can I have the service request number? I'll take a look at it with the engineer.


Cheers.


Mike

Leonardo Fernan... Wed, 11/10/2010 - 10:40

The service request number is 615913549; we are working on this issue with 'Abraham Hernandez (abhernan)'. He is helping us with this project.


Thanks.

Leonardo Fernan... Wed, 12/01/2010 - 09:39

Sorry for not replying earlier. Cisco TAC sent us some commands to do some tests with our computers:



enable
config terminal
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  no dns-guard
  no id-mismatch
  no id-randomization
  no protocol-enforcement
end



I will reply with the results.


Thanks
