
IPS Module in ASA and DNS

OK, once again you'll have to bear with me as I'm not too familiar with this stuff and am consulting the professionals in here for advice.

Here is my dilemma. I have a pair of 5520 ASAs that work in a stateful failover scenario. Within these ASAs, there is an IPS module.

We also have a URL filter (SmartFilter) with which we filter HTTP requests.

For quite a while now, we will get random rejects on normal web requests. The reason being that DNS doesn't resolve the name and therefore sends the IP address to the URL filter, in which we deny IP addresses, therefore getting the stop page from the filter. We only allow select URL NAMES.

So you're probably wondering why I would post this in the IPS forum. Well, this doesn't occur all the time; it's random and I can't recreate it on demand, and I'm looking for possible solutions or causes. In my little troubleshooting process I came across the firewall logs and they are showing a lot of these types of messages:

               

5162011/10/31 08:52:41.835 CDTx.x.x.x%ASA-4-507003: tcp flow from inside:x.x.x.x/1161 to outside:x.x.x.x/80 terminated by inspection engine, reason - inspector reset unconditionally.
5212011/10/31 08:52:44.304 CDTx.x.x.x%ASA-6-106015: Deny TCP (no connection) from x.x.x.x/1161 to x.x.x.x/80 flags FIN ACK on interface inside

Now I'm a little unsure what is going on with line 516 and whether or not this could be the cause of my failed DNS resolutions. Line 521 nearly always comes after the TCP flow message. So could this be my issue? And if so, how do I go about resolving it?

Here is what I have in the config of the ASA regarding the IPS:

policy-map type inspect dns migrated_dns_map_1
 parameters
  ! DNS messages longer than 512 bytes are dropped by the DNS inspector,
  ! which affects large (EDNS0/DNSSEC) responses
  message-length maximum 512
  ! client-side limit follows the size advertised in the client's EDNS0 OPT record
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns migrated_dns_map_1
 class IPS-class
  ! promiscuous: the SSM receives a copy of the traffic and cannot drop packets inline;
  ! fail-open: traffic is forwarded unchanged if the module is down
  ips promiscuous fail-open
!
service-policy global_policy global

Again, your help is greatly appreciated.   Thanks in advance!!!
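As an added example (not part of the original post or of the reply), the following Python script parses the two ASA message types quoted above, %ASA-4-507003 and %ASA-6-106015, and pairs each "Deny TCP (no connection)" with a preceding "terminated by inspection engine" on the same source/destination address and port within a short window. The sample log lines are constructed to mirror the two posted ones (with documentation-range addresses in place of x.x.x.x), and the 10-second pairing window is an assumption. Each pair records the destination port, so a reader can apply the same check the reply makes: a flow to TCP/80 is a post-resolution web connection, not a DNS lookup.

```python
import re
from datetime import datetime

TS_FMT = "%Y/%m/%d %H:%M:%S.%f"

# Collector prefix as in the post (optional line number, timestamp, timezone,
# reporting ASA address) followed by the ASA message id and body.
PREFIX_RE = re.compile(
    r"^(?:\d+\s+)?(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+\S+\s+\S+\s*"
    r"%ASA-\d-(?P<msgid>\d{6}):\s*(?P<body>.*)$"
)
# %ASA-4-507003: flow torn down by an inspection engine
FLOW_TERM_RE = re.compile(
    r"tcp flow from (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) terminated by inspection engine, "
    r"reason - (?P<reason>.+?)\.?$"
)
# %ASA-6-106015: TCP segment arrived with no matching connection entry
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)"
)

# Constructed sample modelled on the two lines in the post. 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts. The third line has
# no preceding 507003 for its 4-tuple and must stay unpaired.
SAMPLE_LOG = """\
516 2011/10/31 08:52:41.835 CDT 192.0.2.1 %ASA-4-507003: tcp flow from inside:192.0.2.50/1161 to outside:198.51.100.10/80 terminated by inspection engine, reason - inspector reset unconditionally.
521 2011/10/31 08:52:44.304 CDT 192.0.2.1 %ASA-6-106015: Deny TCP (no connection) from 192.0.2.50/1161 to 198.51.100.10/80 flags FIN ACK on interface inside
530 2011/10/31 08:53:02.100 CDT 192.0.2.1 %ASA-6-106015: Deny TCP (no connection) from 192.0.2.51/2000 to 198.51.100.11/443 flags RST on interface inside
"""


def parse_asa_line(line):
    """Return a dict for a 507003 or 106015 line, a bare {ts, msgid} for other
    ASA messages, or None if the line is not an ASA syslog line."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], TS_FMT), "msgid": m["msgid"]}
    if rec["msgid"] == "507003":
        f = FLOW_TERM_RE.match(m["body"])
    elif rec["msgid"] == "106015":
        f = DENY_RE.match(m["body"])
    else:
        return rec
    if not f:
        return None
    rec.update(f.groupdict())
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def correlate(lines, window_s=10.0):
    """Pair each 106015 deny with the most recent 507003 on the same
    (src, sport, dst, dport) seen within window_s seconds (assumed window)."""
    recent_terms = {}  # 4-tuple -> last 507003 record for that flow
    pairs = []
    for line in lines:
        rec = parse_asa_line(line)
        if not rec or rec["msgid"] not in ("507003", "106015"):
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["msgid"] == "507003":
            recent_terms[key] = rec
            continue
        term = recent_terms.get(key)
        if term is None:
            continue
        delay = (rec["ts"] - term["ts"]).total_seconds()
        if 0 <= delay <= window_s:
            pairs.append({
                "src": f"{rec['src']}/{rec['sport']}",
                "dst": f"{rec['dst']}/{rec['dport']}",
                "reason": term["reason"],
                "flags": rec["flags"],
                "delay_s": round(delay, 3),
                # DNS lookups go to port 53; anything else is a flow that was
                # set up after the name had already been resolved
                "dns_flow": rec["dport"] == 53,
            })
            recent_terms.pop(key, None)
    return pairs


if __name__ == "__main__":
    for p in correlate(SAMPLE_LOG.splitlines()):
        kind = "DNS lookup" if p["dns_flow"] else "non-DNS flow"
        print(f"{p['src']} -> {p['dst']} ({kind}): reset by inspector "
              f"'{p['reason']}', late {p['flags']} denied {p['delay_s']}s later")
```

Run against a collector export, the script lists which terminated flows were followed by a stray FIN/ACK or RST; for the posted pair it reports a non-DNS flow to port 80, so these two messages describe a web connection being torn down rather than a lookup failing.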

1 REPLY

The two ASA syslogs you posted were both from an internal host to port 80 on an external host. This would indicate that a successful DNS resolution has occurred in these two instances.

If the cause of your problem is bad DNS lookups, you should see evidence in your AIP-SSM event log of the packets being dropped.

- Bob
