I am running a PIX 525 firewall, with PIX software version 7.2.1. I am using the default global service-policy, and RADIUS packets are being dropped with a log message stating that the label length is exceeding 63 bytes. The log message (clip below) states that it is a DNS packet, but I know it is for RADIUS by the IP address of our RADIUS servers and the port number. How, can I change the packet inspection to stop dropping these packets? Are the RADIUS packets being misidentified as DNS packets?
Apr 25 17:04:22 cr1 Apr 25 2007 17:04:22: %PIX-4-410001: Dropped UDP DNS request from inside:X.X.X.X/1812 to outside:X.X.X.X/49196; label length 79 bytes exceeds protocol limit of 63 bytes
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...