FWSM 3.2(1) DNS reply gets denied after removing HSRP
We have an FWSM 3.2(1) context in transparent mode w/o failover but with HSRP for the L3 VLAN. We have 10.10.73.1 as the virtual IP and 10.10.73.2-3 as the HSRP IPs. Previously, the 10.10.73.3 HSRP VLAN interface was shut down, and everything was working fine.
Yesterday we tried to remove the HSRP: we changed the HSRP IP of 10.10.73.2 to 10.10.73.1 and removed all HSRP-related configuration. Suddenly we knocked off the clients behind the context.
The error message is:
%FWSM-2-106007: Deny inbound UDP from 192.168.8.8/53 to 10.10.73.248/1410 due to DNS Response
We tried removing "inspect dns 512", no help. Put a "permit udp host any eq 53 any" inbound on the outside interface, no help.
I knew 3.2(1) is vulnerable to the ACE corruption bug, but it's just so weird that it only started after we changed the HSRP from the real IP to the VIP.
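The 106007 message in the post is what the FWSM/ASA DNS guard logs when a UDP packet carrying a DNS response (or query) is dropped because the firewall has no matching connection-table entry for it; that is why an interface ACL permit does not help, since the drop happens in the connection/inspection path, not at the ACL. A quick way to scope the impact from a syslog export is to parse the 106007 lines and count denied responses per client and per DNS server. The following is an added example written for this page, not code from the original post or from Cisco; the log lines in it are constructed to match the format quoted above, and the "single server, many clients" triage heuristic is an assumption of mine.

```python
import re
from collections import Counter

# %FWSM-2-106007 / %ASA-2-106007 layout, taken from the line quoted in the post.
# The trailing reason is "DNS Response" or "DNS Query".
MSG_106007 = re.compile(
    r"%(?P<platform>FWSM|ASA)-2-106007: Deny inbound UDP from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+) "
    r"due to DNS (?P<reason>Response|Query)"
)

# Constructed sample export (not from the original post beyond the first line).
SAMPLE_LOG = [
    "Jan 10 09:12:01 fwsm-ctx1 %FWSM-2-106007: Deny inbound UDP from 192.168.8.8/53 to 10.10.73.248/1410 due to DNS Response",
    "Jan 10 09:12:01 fwsm-ctx1 %FWSM-2-106007: Deny inbound UDP from 192.168.8.8/53 to 10.10.73.250/53422 due to DNS Response",
    "Jan 10 09:12:02 fwsm-ctx1 %FWSM-2-106007: Deny inbound UDP from 192.168.8.8/53 to 10.10.73.248/1411 due to DNS Response",
    # An unrelated connection-built message: must be ignored by the parser.
    "Jan 10 09:12:02 fwsm-ctx1 %FWSM-6-302015: Built outbound UDP connection 12345 for inside:10.10.73.248/1412 (10.10.73.248/1412) to outside:192.168.8.8/53 (192.168.8.8/53)",
]


def parse_106007(line):
    """Return the fields of a 106007 message as a dict, or None for other lines."""
    m = MSG_106007.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(lines):
    """Count denied DNS responses per (server, client) pair and list affected clients."""
    by_pair = Counter()
    clients = set()
    queries_denied = 0
    for line in lines:
        rec = parse_106007(line)
        if rec is None:
            continue
        if rec["reason"] == "Response":
            # src is the DNS server answering on port 53; dst is the client.
            by_pair[(rec["src"], rec["dst"])] += 1
            clients.add(rec["dst"])
        else:
            queries_denied += 1
    return {
        "responses_denied": sum(by_pair.values()),
        "by_pair": dict(by_pair),
        "clients": sorted(clients),
        "servers": sorted({srv for srv, _ in by_pair}),
        "queries_denied": queries_denied,
    }


def looks_like_path_issue(summary, min_clients=2):
    """Hypothetical triage heuristic (assumption, not a Cisco rule): many distinct
    clients all losing answers from the same resolver points at the firewall's
    state/path handling (e.g. a gateway MAC or interface change) rather than at
    one misbehaving client."""
    return len(summary["clients"]) >= min_clients and len(summary["servers"]) == 1


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (srv, cli), n in sorted(s["by_pair"].items()):
        print(f"{srv} -> {cli}: {n} denied DNS response(s)")
    print("path issue suspected:", looks_like_path_issue(s))
```

Run it against a real export by replacing SAMPLE_LOG with the lines from the syslog server; if every affected client is losing answers from the same resolver right after the gateway change, check the transparent context's MAC/connection state for that path (for example by clearing the affected connections and re-testing) before chasing individual clients.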