Weird ASA issue

deyster94
Level 5

Today I had a client call and tell me that their domain controllers could not resolve DNS out to the internet. They were looking at the syslog of the ASA and saw it blocking their servers outbound on DNS. I looked at it and didn't see anything, and they said everything was fine. They have a MARS, so I looked in there and found that the domain controllers had been blocked outbound for DNS. The ACL is on the inside interface allowing those two servers outbound for DNS, and it's above any deny rule. It's like the ASA built a dynamic ACL rule and started blocking those servers from resolving DNS. I have never had this happen before in all the installs of the ASAs. The device is running 8(0)4.

TIA for any help/ideas.

Dan

2 Replies

dcambron
Level 1

Is your client using IPS? Take a look at your customer's configuration and make sure that there is not a shun command in the ASA.

Kureli Sankar
Cisco Employee

We really need to see the syslogs that you are talking about.

Did someone apply an outbound ACL blocking these on the egress interface?

sh run threat

and see if it is enabled and if that could have caused any issues.

Is the DNS server using PAT or static to go out to the internet?

What did the xlate look like at the time of the problem?

sh xlate debug | i x.x.x.x, where x.x.x.x is the IP address of the DNS server
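As an added example (not from the thread or from Cisco), a small triage script that answers the "show us the syslogs" request above: it walks ASA syslog lines, counts udp/53 denies per DNS server (the 106023 "Deny ... by access-group" message, which names the ACL that dropped the packet) and flags any server that threat detection added to the shun list (the 733102 message). The sample lines, IP addresses and ACL name are constructed for illustration.

```python
import re

# Constructed sample ASA syslog lines (not from the original post); the
# addresses and ACL name are illustrative only.
SAMPLE_SYSLOG = """\
%ASA-4-106023: Deny udp src inside:10.1.1.10/53211 dst outside:8.8.8.8/53 by access-group "inside_access_in" [0x0, 0x0]
%ASA-6-302015: Built outbound UDP connection 12345 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.1.1.11/40001 (203.0.113.5/40001)
%ASA-4-106023: Deny udp src inside:10.1.1.10/53212 dst outside:8.8.4.4/53 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-733102: Threat-detection adds host 10.1.1.10 to shun list
%ASA-4-106023: Deny udp src inside:10.1.1.11/53300 dst outside:8.8.8.8/53 by access-group "inside_access_in" [0x0, 0x0]
"""

# 106023: a packet dropped by an access-group; captures source, destination port and ACL name.
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/\d+ '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
# 733102: scanning threat detection shunned a host; explains denies that no static ACL accounts for.
SHUN_RE = re.compile(r"%ASA-4-733102: Threat-detection adds host (?P<host>[\d.]+) to shun list")


def triage_dns_denies(syslog_text, dns_servers):
    """Per DNS server: number of udp/53 denies, the ACLs that denied them, and whether it was shunned."""
    report = {ip: {"dns_denies": 0, "acls": set(), "shunned": False} for ip in dns_servers}
    for line in syslog_text.splitlines():
        m = DENY_RE.search(line)
        if m and m["src"] in report and m["proto"] == "udp" and m["dport"] == "53":
            report[m["src"]]["dns_denies"] += 1
            report[m["src"]]["acls"].add(m["acl"])
            continue
        s = SHUN_RE.search(line)
        if s and s["host"] in report:
            report[s["host"]]["shunned"] = True
    return report


if __name__ == "__main__":
    for ip, info in triage_dns_denies(SAMPLE_SYSLOG, ["10.1.1.10", "10.1.1.11"]).items():
        print(ip, info)
```

A server with denies attributed to the inside ACL that should permit it points at the ACL or its ordering; a server that also shows up in a 733102 shun line points at threat detection instead, which is what the "sh run threat" check above is for.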
