Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4810
Views
0
Helpful
7
Replies

DNS-INSPECTION DROPS PACKETS

Leonardo Fernando Monzon Luis
Level 1
Level 1

‎11-02-2010 10:44 AM - edited ‎03-11-2019 12:03 PM

Hi guys, I really appreciate somebody could help me.

I have an ASA 5520 Version 8.0(4) in my network with default inspection, suddenly many users where having RPC errors when they arrive to work and turn on their computers.

The users told us that they had changed their DNS configs, so we call the system guy  in that site and told us that they have update their Active directory servers to a windows 2008 R2, so we troubleshoot a little and we found that when we remove dns_preset_dns_map, the error dissapear. Could
somebody have any idea about this???

class-map IPS
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect dns preset_dns_map
class IPS
  ips inline fail-open
!
service-policy global_policy global

This is really a big problem because we have about 70 ASA with the same default inspection and there´s no problem.

If somebody could help, i would appreciate

Labels:
0 Helpful
7 Replies 7

Maykol Rojas
Cisco Employee
Cisco Employee

‎11-02-2010 12:09 PM

Hello!!!!!!!

I think I know the issue, Can you ask your Server administrator if they are using secure DNS? This will make the packet larger than the one configure by default.

You can increase the packet lenght

ciscoasa(config)# policy-map type inspect dns preset_dns_map
ciscoasa(config-pmap)#  parameters
ciscoasa(config-pmap-p)# message-length maximum

In version 8.2 or later you can put it as auto, but for this version you will have to set it manually.

Hope it helps.

Mike

Mike
0 Helpful

Leonardo Fernando Monzon Luis
Level 1
Level 1
In response to Maykol Rojas

‎11-02-2010 12:29 PM

thanks for the reply, i would ask for this information, but i really don´t have any idea why just in one ASA this problem appears and in the rest of them seems to be ok, anyway i don´t want to dissmiss anything of this update you are advising me.

I think this is the update you have in mind.

For enterprises operating Microsoft Server infrastructure, there are specific things needed in place before May 5th.

Windows Server 2008 and Windows Server 2008 R2 will support the new  DNSSEC implementation, but only if it is implemented.  It is an optional  choice during installation (see Microsoft’s “DNSSEC Deployment Guide,” published in October 2009).

There is only limited support for DNSSEC in Windows Server 2003 DNS.  Under the new DNSSEC, Windows 2003 can act as a secondary DNS server for an existing DNSSEC compliant zone.  Windows Server 2003  will cache the new, larger records but not perform cryptography,  authentication, or verification.  Only Windows Server 2008  implementations with DNSSEC implemented will provide full DNSSEC  support. For more information refer to the following Microsoft items:

There are other possible breakpoints for the DNSSEC response – namely  firewalls.  Older firewalls, and some newer ones, will drop UDP port 53  (DNS response) traffic larger than 512b by default.  For example, Cisco  PIX / ASA will not support DNSSEC through DNS inspection on versions  before 8.2.2.   Therefore,  IT leaders will have to disable DNS  inspection (not recommended) or if possible, migrate to ASA 8.2.2 or higher. SOHO routers may also be problematic if they proxy DNS.

Thanks

0 Helpful

Maykol Rojas
Cisco Employee
Cisco Employee
In response to Leonardo Fernando Monzon Luis

‎11-02-2010 04:18 PM

You got it!!!

Clients on inside networks with ASA version lower than 8.2.2 will have problems. ASA version 8.2.2 or higher have the DNS map as auto.

Hope this helps and let me know the results.

Thanks!

Mike

Mike
0 Helpful

Leonardo Fernando Monzon Luis
Level 1
Level 1
In response to Maykol Rojas

‎11-10-2010 09:16 AM

Hi, sorry for not answering this discussion earlier, we had upgraded to version 8.2(3) in our ASA, but the problem with the computers stills. We opened a TAC case and they are helping us.

I´ll update this discussion if we have some updates from cisco.

0 Helpful

Maykol Rojas
Cisco Employee
Cisco Employee
In response to Leonardo Fernando Monzon Luis

‎11-10-2010 10:22 AM

Hello Luis,

Can I have the service request number, Ill take a look at it with the engineer.

Cheers.

Mike

Mike
0 Helpful

Leonardo Fernando Monzon Luis
Level 1
Level 1
In response to Maykol Rojas

‎11-10-2010 10:40 AM

The service request number is 615913549, we are seeing this issue with 'Abraham Hernandez (abhernan)'. He is helping us with this proyect.

Thanks.

0 Helpful

Leonardo Fernando Monzon Luis
Level 1
Level 1
In response to Leonardo Fernando Monzon Luis

‎12-01-2010 09:39 AM

sorry for not replying earlier, Cisco TAC send us some commands to do some test with our computers.

enable

config terminal

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

  no dns-guard

  no id-mismatch

  no id-randomization

  no protocol-enforcement

  end

So I will reply the results,

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card