DNS-INSPECTION DROPS PACKETS

Hi guys, I would really appreciate it if somebody could help me.

I have an ASA 5520 Version 8.0(4) in my network with default inspection. Suddenly many users were having RPC errors when they arrived at work and turned on their computers.

The users told us that they had changed their DNS configs, so we called the system guy at that site and he told us that they had updated their Active Directory servers to Windows 2008 R2. We troubleshot a little and found that when we remove dns_preset_dns_map, the error disappears. Does anybody have any idea about this?

class-map IPS
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect dns preset_dns_map
class IPS
  ips inline fail-open
!
service-policy global_policy global

This is really a big problem because we have about 70 ASAs with the same default inspection and there's no problem on them.

If somebody could help, I would appreciate it.

7 REPLIES
Cisco Employee

Re: DNS-INSPECTION DROPS PACKETS

Hello!!!!!!!

I think I know the issue. Can you ask your server administrator if they are using secure DNS? This will make the packet larger than the one configured by default.

You can increase the packet length:

ciscoasa(config)# policy-map type inspect dns preset_dns_map
ciscoasa(config-pmap)#  parameters
ciscoasa(config-pmap-p)# message-length maximum

In version 8.2 or later you can put it as auto, but for this version you will have to set it manually.

Hope it helps.

Mike

Re: DNS-INSPECTION DROPS PACKETS

Thanks for the reply. I will ask for this information, but I really don't have any idea why this problem appears on just one ASA while the rest of them seem to be OK. Anyway, I don't want to dismiss anything about this update you are advising me of.

I think this is the update you have in mind.

For enterprises operating Microsoft Server infrastructure, there are specific things needed in place before May 5th.

Windows Server 2008 and Windows Server 2008 R2 will support the new DNSSEC implementation, but only if it is implemented. It is an optional choice during installation (see Microsoft’s “DNSSEC Deployment Guide,” published in October 2009).

There is only limited support for DNSSEC in Windows Server 2003 DNS. Under the new DNSSEC, Windows 2003 can act as a secondary DNS server for an existing DNSSEC compliant zone. Windows Server 2003 will cache the new, larger records but not perform cryptography, authentication, or verification. Only Windows Server 2008 implementations with DNSSEC implemented will provide full DNSSEC support. For more information refer to the following Microsoft items:

There are other possible breakpoints for the DNSSEC response – namely firewalls. Older firewalls, and some newer ones, will drop UDP port 53 (DNS response) traffic larger than 512b by default. For example, Cisco PIX / ASA will not support DNSSEC through DNS inspection on versions before 8.2.2. Therefore, IT leaders will have to disable DNS inspection (not recommended) or if possible, migrate to ASA 8.2.2 or higher. SOHO routers may also be problematic if they proxy DNS.

Thanks
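The length check discussed in the posts above can be modelled offline. This is an added example, not part of the thread and not Cisco's implementation: it builds a constructed DNS query with and without an EDNS0 OPT record and compares a fixed 512-byte limit with a limit taken from the size the client advertises, which is how the "auto" setting is assumed to behave here. The function names and the sample response sizes are hypothetical.

```python
import struct

CLASSIC_UDP_LIMIT = 512  # RFC 1035 UDP limit, same value as "message-length maximum 512"

def build_query(name, qtype=1, edns_size=None, do_bit=False):
    """Build a DNS query; with edns_size set, append an EDNS0 OPT record (RFC 6891)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    if edns_size:
        ttl = 0x8000 if do_bit else 0  # DO bit (DNSSEC OK) sits in the OPT "TTL" flags
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP size, TTL, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, ttl, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer is two bytes and ends the name
            return off + 2
        off += 1 + n

def advertised_udp_size(query):
    """UDP payload size the client says it accepts (512 when no OPT record)."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == 41:  # OPT: the CLASS field carries the UDP payload size
            return max(rclass, CLASSIC_UDP_LIMIT)
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT

def verdict(query, response_len, fixed_max=CLASSIC_UDP_LIMIT):
    """Compare a fixed limit with one derived from the client's OPT record."""
    auto_max = advertised_udp_size(query)
    return {
        "fixed": "pass" if response_len <= fixed_max else "drop",
        "auto": "pass" if response_len <= auto_max else "drop",
    }
```

A response of 1200 bytes to a query that advertised 4096 is dropped by the fixed limit and passes the advertised-size limit, which matches the symptom described in the thread once the DNS servers start sending larger answers.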

Cisco Employee

Re: DNS-INSPECTION DROPS PACKETS

You got it!!!

Clients on inside networks with ASA version lower than 8.2.2 will have problems. ASA version 8.2.2 or higher have the DNS map as auto.

Hope this helps and let me know the results.

Thanks!

Mike

Re: DNS-INSPECTION DROPS PACKETS

Hi, sorry for not answering this discussion earlier. We have upgraded our ASA to version 8.2(3), but the problem with the computers is still there. We opened a TAC case and they are helping us.

I'll update this discussion if we have some updates from Cisco.

Cisco Employee

Re: DNS-INSPECTION DROPS PACKETS

Hello Luis,

Can I have the service request number? I'll take a look at it with the engineer.

Cheers.

Mike

Re: DNS-INSPECTION DROPS PACKETS

The service request number is 615913549, we are seeing this issue with 'Abraham Hernandez (abhernan)'. He is helping us with this project.

Thanks.

Re: DNS-INSPECTION DROPS PACKETS

Sorry for not replying earlier. Cisco TAC sent us some commands to run some tests with our computers.

enable
config terminal
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
  no dns-guard
  no id-mismatch
  no id-randomization
  no protocol-enforcement
  end

So I will reply with the results.

Thanks
