I keep seeing the following error messages on FWSM.
106007: Deny inbound UDP from rs-dc2/53 to fs-secweb001/1026 due to DNS Response
Both servers are on separate interfaces. rs-dc2 is a Windows 2003 server and fs-secweb001 is a web server that is on a VLAN with a security level less than the inside but greater than the outside interfaces.
There is no access list stopping traffic and the security should allow the communication (i.e. high to low).
Your particular message is due to the DNS inspection within the FWSM. Basically rs-dc2 is a DNS server and your web server is sending DNS requests to it (and to another external server). The FWSM monitors these requests and only allows one DNS response per request. Another DNS server has already answered this request from the web server, and so the slower response from rs-dc2 is being dropped.
Nothing to worry about, but if you don't want it to happen you can turn off the DNS inspection and it'll go away.
I tried to turn off DNS inspection; it is configured using a policy map on the FWSM. Below is what is configured for the policy map:
inspect h323 h225
inspect h323 ras
Would either of the following commands help?
To specify the number of times to retry the list of DNS servers when the FWSM does not receive a response, use the dns retries command in global configuration mode. To restore the default setting, use the no form of this command.
dns retries number
no dns retries [number]
To specify the amount of time to wait before trying the next DNS server, use the dns timeout command in global configuration mode. To restore the default timeout, use the no form of this command.
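To illustrate the one-response-per-query behaviour the answer above describes, here is an added Python model (not part of the original thread, and not Cisco's code): it records outstanding queries by client, client port and transaction ID, forwards the first matching response, and drops any later one with a 106007-style message. The host names are the ones from the thread; the external resolver name, the reused source port and the transaction ID are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsPacket:
    src: str          # source host (name used here in place of an IP)
    sport: int
    dst: str
    dport: int
    txid: int         # 16-bit DNS transaction ID
    is_response: bool


class DnsGuard:
    """Simplified model of FWSM DNS inspection state (an assumption, not the real code)."""

    def __init__(self):
        # pending queries: (client, client_port, txid) -> servers that were asked
        self.pending = {}
        self.log = []

    def handle(self, pkt):
        if not pkt.is_response:
            key = (pkt.src, pkt.sport, pkt.txid)
            self.pending.setdefault(key, set()).add(pkt.dst)
            return "forward"
        key = (pkt.dst, pkt.dport, pkt.txid)
        servers = self.pending.get(key)
        if servers and pkt.src in servers:
            # First answer wins: the query entry is torn down immediately.
            del self.pending[key]
            return "forward"
        # No outstanding query matches this answer: drop and log, as the FWSM does.
        self.log.append(f"106007: Deny inbound UDP from {pkt.src}/{pkt.sport} "
                        f"to {pkt.dst}/{pkt.dport} due to DNS Response")
        return "drop"


def run_scenario():
    """Constructed traffic: fs-secweb001 asks rs-dc2 and an external resolver
    (placeholder name) from the same source port with the same transaction ID;
    the external answer arrives first, the rs-dc2 answer arrives second."""
    guard = DnsGuard()
    q_dc2 = DnsPacket("fs-secweb001", 1026, "rs-dc2", 53, 0x1A2B, False)
    q_ext = DnsPacket("fs-secweb001", 1026, "ext-dns-placeholder", 53, 0x1A2B, False)
    r_ext = DnsPacket("ext-dns-placeholder", 53, "fs-secweb001", 1026, 0x1A2B, True)
    r_dc2 = DnsPacket("rs-dc2", 53, "fs-secweb001", 1026, 0x1A2B, True)
    verdicts = [guard.handle(p) for p in (q_dc2, q_ext, r_ext, r_dc2)]
    return verdicts, guard.log
```

Note that the dns retries and dns timeout commands quoted above govern the FWSM's own lookups as a DNS client; they do not change this per-query inspection state.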