FWSM 3.2(1) DNS reply gets denied after removing HSRP

We have an FWSM 3.2(1) context in transparent mode without failover but with HSRP for the L3 VLAN. We have 10.10.73.1 as the virtual IP, and 10.10.73.2-3 as the HSRP IPs. Previously, the 10.10.73.3 HSRP VLAN interface was shut down, and everything was working fine.

Yesterday, we tried to remove HSRP: we changed the HSRP IP of 10.10.73.2 to 10.10.73.1 and removed all HSRP-related configuration. Suddenly, we knocked off the clients behind the context.

The error message is:

%FWSM-2-106007: Deny inbound UDP from 192.168.8.8/53 to 10.10.73.248/1410 due to DNS Response

We tried removing inspect dns 512, no help. Put permit host any 53 any on the outside interface in, no help.

I knew 3.2(1) is vulnerable to the ACE corruption bug, but it's just so weird that it only started after we changed the HSRP from the real IP to the VIP.

Any insight?

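A small triage helper, added here as an example and not part of the original post, that parses %FWSM-2-106007 lines in the format quoted above and counts denied DNS responses per client and per resolver, so you can tell from the syslog alone whether every host behind the context is affected or only some. The first sample line is the one from the post; the other lines, and the unrelated 302015 line used to show non-matching input, are constructed.

```python
"""Parse FWSM %FWSM-2-106007 'Deny inbound ... due to DNS Response' syslog
lines and summarise which clients and resolvers are affected.

Added example, not from the original post. The message format is taken from
the line quoted in the post; the extra sample lines are constructed.
"""
import re
from collections import Counter

# Constructed sample log: the first line is the post's own message, the rest
# are made up in the same format (plus one unrelated message to be skipped).
SAMPLE_LOGS = [
    "%FWSM-2-106007: Deny inbound UDP from 192.168.8.8/53 to 10.10.73.248/1410 due to DNS Response",
    "%FWSM-2-106007: Deny inbound UDP from 192.168.8.8/53 to 10.10.73.248/1411 due to DNS Response",
    "%FWSM-2-106007: Deny inbound UDP from 192.168.8.9/53 to 10.10.73.17/52311 due to DNS Response",
    "%FWSM-2-106007: Deny inbound UDP from 192.168.8.8/53 to 10.10.73.17/52312 due to DNS Response",
    "%FWSM-6-302015: Built outbound UDP connection 1234 for outside:192.168.8.8/53 to inside:10.10.73.17/52313",
]

# Field layout of the 106007 message as seen in the post:
#   Deny inbound <proto> from <src>/<sport> to <dst>/<dport> due to <reason>
DENY_RE = re.compile(
    r"%FWSM-2-106007: Deny inbound (?P<proto>[A-Z]+) from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) due to (?P<reason>.+?)\s*$"
)


def parse_106007(line):
    """Return the fields of a 106007 line as a dict, or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def summarize_dns_denies(lines):
    """Count denied DNS responses per client (dst) and per resolver (src).

    Only 106007 lines whose reason is 'DNS Response' are counted; everything
    else (other syslog IDs, DNS Query denies) is ignored.
    """
    per_client = Counter()
    per_resolver = Counter()
    for line in lines:
        ev = parse_106007(line)
        if ev is None or ev["reason"] != "DNS Response":
            continue
        per_client[ev["dst"]] += 1
        per_resolver[ev["src"]] += 1
    return {"clients": dict(per_client), "resolvers": dict(per_resolver)}


if __name__ == "__main__":
    summary = summarize_dns_denies(SAMPLE_LOGS)
    print("denied DNS responses per client:  ", summary["clients"])
    print("denied DNS responses per resolver:", summary["resolvers"])
```

Feed it the context's syslog export instead of SAMPLE_LOGS; if every client address behind the context shows up with a non-zero count, the drop is a path or state problem for the whole segment rather than something specific to one host or resolver.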