Cisco Support Community
DNS Queries packets dropped

Hi all

I have the following set up (as per diagram), and when I try to issue an nslookup command for the webserver from the Linux box in VLAN 40 (212.xx.xx.xx/29), I get a response from the outside interface of Ralph rather than the DNS server 3.45 in VLAN 1. The resolv.conf in Linux has the correct nameserver to query, so that's OK, but when I run the packet tracer from the DMZ interface (connected to VLAN 40) to the inside interface (VLAN 1), although the packet gets through, it is then dropped with the following message:

(inspect-dns-invalid-pak) DNS Inspect invalid packet. Any ideas? Also, it looks like it has something to do with the Service Policy Rules; can someone explain what these are?



Re: DNS Queries packets dropped

I think this problem with DNS is due to a misconfiguration on the internal DNS server, not on any other device. Please check the DNS configuration.

Re: DNS Queries packets dropped

Maybe you can change the length in the default inspection on the firewall from 512 to something higher.

You could also check the capture command (or a packet sniffer) to see exactly what kind of DNS request is being generated.

This is the description of this error from Cisco:

"DNS Inspect invalid packet

This counter will increment when the security appliance detects an invalid DNS packet. For example, a DNS packet with no DNS header, the number of DNS resource records not matching the counter in the header, etc.

Recommendation: None.

System log messages: None."

This can be seen by the 'show asp drop' command (which is also checked by the packet-tracer).
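The checks the reply above describes, written out as an added example that is not part of the original thread and not the poster's configuration. The "Service Policy Rules" the question asks about are the ASA's Modular Policy Framework: a service-policy attaches a policy-map to an interface (or globally), and the inspect dns line inside the class inspection_default class is what turns DNS inspection on for all traffic by default. The example assumes ASA-style CLI, the interface names dmz and inside, the default inspection map name preset_dns_map, and constructed placeholder addresses (203.0.113.10 for the Linux host in VLAN 40, 192.168.1.45 for the DNS server in VLAN 1) standing in for the real ones.

```cisco
! Added example, not from the thread. Interface names, policy-map
! names and addresses are assumptions; substitute your own.

! 1. Confirm DNS inspection is applied and look at its drop counters.
show service-policy inspect dns

! 2. Re-run the packet tracer for the failing flow: a DNS query (UDP/53)
!    from the Linux host on the DMZ to the DNS server on the inside.
packet-tracer input dmz udp 203.0.113.10 40000 192.168.1.45 53 detailed

! 3. Reset the ASP drop counters, repeat the nslookup, and see exactly
!    which drop reason increments.
clear asp drop
show asp drop

! 4. Capture the packets dropped with that reason, plus the raw DNS
!    traffic on the DMZ interface, so the query itself can be examined.
capture dnsdrop type asp-drop inspect-dns-invalid-pak
capture dnsdmz interface dmz match udp host 203.0.113.10 host 192.168.1.45 eq 53
show capture dnsdrop
show capture dnsdmz
no capture dnsdrop
no capture dnsdmz

! 5. Default setting: the built-in DNS inspection policy map limits
!    messages to 512 bytes, so larger replies (EDNS0, long TXT/DNSKEY
!    answers) are dropped by inspection.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

! 6. Raised limit: allow larger messages while keeping inspection on.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096

! The map is attached to all traffic through the global service policy;
! editing the map in place changes the running policy, nothing to re-attach.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
```

One caveat when interpreting step 3: the appliance reports over-length DNS messages under a separate drop reason, inspect-dns-pak-too-long, rather than inspect-dns-invalid-pak. If the invalid-packet counter is the one that keeps climbing after the limit is raised, the asp-drop capture in step 4 is the output to look at, since it holds the exact query the inspection engine refused.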


