FWSM: rule on tcp/1089 breaks DNS lookups

A weird problem this time....

Yesterday I added a rule to the ACL on an outside interface of the FWSM (v3.1.1). The rule was something like this:

access-list outside extended permit tcp any host aaa.bbb.ccc.ddd eq 1089

After that we got complaints about customers not being able to resolve DNS queries. DNS sits in a DMZ on the FWSM; they were not resolving any requests, but I was able to ping the DNS.

Removing the rule solved the problem.

Anyone seen this before?

1 ACCEPTED SOLUTION

New Member

Re: FWSM: rule on tcp/1089 breaks DNS lookups

If your access-list uses object-groups, you may be seeing CSCse60868, where modifying an ACL with object-groups can cause ACL corruption. If so, the problem went away not because you removed the new line per se, but because doing so caused a re-compile of the ACL (thus fixing the corruption).
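
The condition the accepted answer names (an ACL that references object-groups) can be checked from the running-config text. The script below is an added example, not code from this thread or from Cisco; it runs against a constructed sample config with made-up addresses and group names, and also flags object-groups that an ACE references but the config never defines.

```python
import re
from collections import defaultdict

# Constructed sample of FWSM running-config text (not the poster's real config).
SAMPLE_CONFIG = """\
object-group service DMZ-DNS udp
 port-object eq domain
object-group network DNS-SERVERS
 network-object host 192.0.2.53
access-list outside extended permit udp any object-group DNS-SERVERS object-group DMZ-DNS
access-list outside extended permit tcp any host 192.0.2.10 eq 1089
access-list dmz extended permit ip any any
access-list inside extended permit tcp any object-group WEB-SERVERS eq 80
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(.*)$")
OG_DEF_RE = re.compile(r"^object-group\s+\S+\s+(\S+)")
OG_REF_RE = re.compile(r"object-group\s+(\S+)")

def parse_config(text):
    """Return (set of defined object-groups, {acl_name: [object-groups referenced]})."""
    defined = set()
    refs = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        m = OG_DEF_RE.match(line)
        if m:
            defined.add(m.group(1))
            continue
        m = ACL_RE.match(line)
        if m:
            name = m.group(1)
            refs.setdefault(name, [])
            refs[name].extend(OG_REF_RE.findall(m.group(2)))
    return defined, dict(refs)

def acls_exposed_to_object_group_bug(text):
    """ACLs with at least one object-group ACE: editing these is the
    condition the accepted answer associates with CSCse60868."""
    _, refs = parse_config(text)
    return sorted(name for name, ogs in refs.items() if ogs)

def undefined_object_groups(text):
    """Object-groups referenced by an ACE but never defined in the config."""
    defined, refs = parse_config(text)
    return sorted({og for ogs in refs.values() for og in ogs} - defined)

if __name__ == "__main__":
    print("ACLs using object-groups:", acls_exposed_to_object_group_bug(SAMPLE_CONFIG))
    print("Undefined object-groups:", undefined_object_groups(SAMPLE_CONFIG))
```

Feed it the output of `show running-config` saved to a file; an ACL listed by the first function is one where an edit followed by odd traffic behaviour should prompt a re-compile rather than just removing the new line.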

2 REPLIES
New Member

Re: FWSM: rule on tcp/1089 breaks DNS lookups

Yep, that could be it. Thanks for your reply!

Erik
