Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Error message on FWSM module

I keep seeing the following error messages on FWSM.

106007: Deny inbound UDP from rs-dc2/53 to fs-secweb001/1026 due to DNS Response

Both servers are are on sperate interfaces. rs-dc2 is a windows 2003 server and fs-secweb001 is a web server that is on a vlan with a security level less than the inside but greater than the outside interfaces.

There is no access list stopping traffic and the security should allow the communication (i.e. high to low).

Any ideas?

Cisco Employee

Re: Error message on FWSM module

Syslog messages are all detailed in the documentation here (look for message 106007):

Your particular message is due to the DNS inspection within the FWSM. Basically rs-dc2 is a DNS server and your web server is sending DNS requests to it (and to another external server). The FWSM monitors these requests and only allows one DNS response per request. Another DNS server has already answered this request from the web server, and so the slower response from rs-dc2 is being dropped.

Nothing to worry about, but if you don't want it to happen you can turn off the DNS inspection and it'll go away.

New Member

Re: Error message on FWSM module

I tried to turn of DNS inspection, is configured using a policy map on the FWSM. Below is what is configured for the policy map

policy-map global_policy

class inspection_default

inspect icmp

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect xdmcp

Would either of the following commands help?

dns retries

To specify the number of times to retry the list of DNS servers when the FWSM does not receive a response, use the dns retries command in global configuration mode. To restore the default setting, use the no form of this command.

dns retries number

no dns retries [number]

dns timeout

To specify the amount of time to wait before trying the next DNS server, use the dns timeout command in global configuration mode. To restore the default timeout, use the no form of this command.

dns timeout seconds

no dns timeout [seconds]

Many thanks for the help

CreatePlease to create content