Hi guys, I would really appreciate it if somebody could help me.
I have an ASA 5520 Version 8.0(4) in my network with default inspection. Suddenly many users were having RPC errors when they arrived at work and turned on their computers.
The users told us that they had changed their DNS configs, so we called the system guy in that site, and he told us that they had updated their Active Directory servers to Windows 2008 R2. We troubleshot a little and found that when we remove the inspect dns preset_dns_map line, the error disappears. Does somebody have any idea about this?
class-map IPS
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect dns preset_dns_map
 class IPS
  ips inline fail-open
!
service-policy global_policy global
This is really a big problem because we have about 70 ASAs with the same default inspection and there's no problem on them.
Thanks for the reply. I would ask for this information, but I really don't have any idea why this problem appears on just one ASA while the rest of them seem to be OK; anyway, I don't want to dismiss anything of this update you are advising me about.
I think this is the update you have in mind.
For enterprises operating Microsoft Server infrastructure, there are specific things needed in place before May 5th.
Windows Server 2008 and Windows Server 2008 R2 will support the new DNSSEC implementation, but only if it is implemented. It is an optional choice during installation (see Microsoft’s “DNSSEC Deployment Guide,” published in October 2009).
There is only limited support for DNSSEC in Windows Server 2003 DNS. Under the new DNSSEC, Windows 2003 can act as a secondary DNS server for an existing DNSSEC-compliant zone. Windows Server 2003 will cache the new, larger records but not perform cryptography, authentication, or verification. Only Windows Server 2008 implementations with DNSSEC implemented will provide full DNSSEC support. For more information, refer to the following Microsoft items:
There are other possible breakpoints for the DNSSEC response – namely firewalls. Older firewalls, and some newer ones, will drop UDP port 53 (DNS response) traffic larger than 512 bytes by default. For example, Cisco PIX / ASA will not support DNSSEC through DNS inspection on versions before 8.2.2. Therefore, IT leaders will have to disable DNS inspection (not recommended) or, if possible, migrate to ASA 8.2.2 or higher. SOHO routers may also be problematic if they proxy DNS.
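As an added illustration (not from the original thread, Microsoft or Cisco), the following Python script builds a constructed DNS response that carries an EDNS0 OPT record, reads the UDP payload size the client advertised, and shows why the fixed message-length maximum 512 in preset_dns_map drops a 568-byte answer that the client itself said it could accept. The example.invalid name, the 4096-byte advertised size and the "EDNS-aware" verdict are assumptions for illustration; the EDNS-aware mode models what a post-8.2.2 inspection would do, not Cisco's actual implementation.

```python
import struct

ASA_DEFAULT_MAX_LEN = 512  # the "message-length maximum 512" in preset_dns_map


def _skip_name(msg, off):
    """Advance past a domain name; a compression pointer (0xC0..) is 2 bytes and ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def edns_udp_payload(msg):
    """Return the UDP payload size advertised in the EDNS0 OPT RR, or None if the response has none."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:  # OPT pseudo-RR: its CLASS field carries the payload size
            return rclass
        off += 10 + rdlen
    return None


def inspection_verdict(msg, max_len=ASA_DEFAULT_MAX_LEN):
    """Model the fixed length check: a response longer than max_len is dropped."""
    return "drop" if len(msg) > max_len else "pass"


def build_response(txt_chunks):
    """Constructed response for example.invalid: a TXT RR of txt_chunks 255-byte strings plus an OPT RR (4096)."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1)  # id, QR|RD|RA, QD=1, AN=1, NS=0, AR=1
    question = b"\x07example\x07invalid\x00" + struct.pack("!HH", 16, 1)  # TXT, IN
    rdata = (b"\xff" + b"A" * 255) * txt_chunks
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata  # name = pointer to QNAME
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)  # root name, type OPT, advertised payload 4096
    return header + question + answer + opt


if __name__ == "__main__":
    for chunks in (1, 2):
        resp = build_response(chunks)
        advertised = edns_udp_payload(resp)
        print(f"{len(resp)} bytes, EDNS0 payload {advertised}: fixed 512 -> {inspection_verdict(resp)}, "
              f"EDNS-aware (assumed 8.2.2+ behaviour) -> {inspection_verdict(resp, advertised)}")
```

The same size check can be run against a real response captured on the inside interface to confirm that the drops line up with answers over 512 bytes.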
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...