https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3725395#M1013775 <P>Hi</P> <P>Have configured Firepower or are you just using ASA? Do you get any logs when the issue occurs?</P> Mon, 15 Oct 2018 09:04:45 GMT Martin Kling 2018-10-15T09:04:45Z https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3725282#M1013772 <P>Hi all</P> <P>I am observing my firewall 5506-x&nbsp;since a month that after 2 or 3 days, firewall suddenly stop resolving&nbsp;DNS queries and all internet traffic stop. while in this situation IP communication remain OK which means i can ping/browse across the firewall but if i will reboot firewall then it will start working normally.</P> <P>any idea what is happening with&nbsp;firewall ?</P> <P>&nbsp;</P> <P>regards</P> Tue, 12 Mar 2019 14:01:53 GMT https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3725282#M1013772 Zargham Haider 2019-03-12T14:01:53Z https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3725344#M1013773 <P>Hi</P> <P>What code do you use? ASA, ASA + Firepower or FTD? What version?</P> Mon, 15 Oct 2018 07:38:44 GMT https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3725344#M1013773 Martin Kling 2018-10-15T07:38:44Z https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3725387#M1013774 <P>Hi&nbsp;Martin ...</P> <P>Thanks for reply..</P> <P>this is ASA 5506-x FirePOWER</P> <P>&nbsp;</P> <P># sh ver</P> <P>Cisco Adaptive Security Appliance Software Version 9.6(2)23<BR />Device Manager Version 7.6(1)</P> <P>Compiled on Thu 28-Sep-17 07:50 PDT by builders<BR />System image file is "disk0:/asa962-23-lfbff-k8.SPA"<BR />Config file at boot was "startup-config"</P> <P>ProjectFW up 3 days 23 hours</P> <P>Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)<BR />Internal ATA Compact Flash, 7168MB<BR />BIOS Flash N25P64 @ 0xfed01000, 16384KB</P> <P>Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)<BR /> Number of accelerators: 1</P> <P>1: Ext: GigabitEthernet1/1 : address is 2c5a.0f79.d225, irq 255<BR /> 2: Ext: GigabitEthernet1/2 : address is 2c5a.0f79.d226, irq 255<BR /> 3: Ext: GigabitEthernet1/3 : address is 2c5a.0f79.d227, irq 255<BR /> 4: Ext: GigabitEthernet1/4 : address is 2c5a.0f79.d228, irq 255<BR /> 5: Ext: GigabitEthernet1/5 : address is 2c5a.0f79.d229, irq 255<BR /> 6: Ext: GigabitEthernet1/6 : address is 2c5a.0f79.d22a, irq 255<BR /> 7: Ext: GigabitEthernet1/7 : address is 2c5a.0f79.d22b, irq 255<BR /> 8: Ext: GigabitEthernet1/8 : address is 2c5a.0f79.d22c, irq 255</P> Mon, 15 Oct 2018 08:59:25 GMT https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3725387#M1013774 Zargham Haider 2018-10-15T08:59:25Z https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3725395#M1013775 <P>Hi</P> <P>Have configured Firepower or are you just using ASA? Do you get any logs when the issue occurs?</P> Mon, 15 Oct 2018 09:04:45 GMT https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3725395#M1013775 Martin Kling 2018-10-15T09:04:45Z https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3725406#M1013776 <P>Hi Martin........</P> <P>I am just using Firewall services not FirePOWER....unfortunately i didn't copy logs. (Just configured syslog today.. ) right now firewall is working fine. One thing i want to share is....I think due to some&nbsp;strange activity ASA skips all ACL rules for DNS query and all dns queries fall in global deny list. because that specific time i checked packet trace which was denied by global acl list. but i am not able to find the reason why it happening like this. need your expert judgement here.</P> Mon, 15 Oct 2018 09:14:56 GMT https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3725406#M1013776 Zargham Haider 2018-10-15T09:14:56Z https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3725432#M1013777 <P>Can you mask you config and paste it here?</P> Mon, 15 Oct 2018 09:41:25 GMT https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3725432#M1013777 Martin Kling 2018-10-15T09:41:25Z https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3725469#M1013778 <P>Ok Martin...here is config file info</P> <P>&nbsp;</P> <P>!!</P> <P>!!</P> <P>!!</P> <P>: Saved</P> <P>&nbsp;</P> <P>:</P> <P>: Serial Number: XXXXXXXXXXX</P> <P>: Hardware:&nbsp;&nbsp; ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)</P> <P>:</P> <P>ASA Version 9.6(2)23</P> <P>!</P> <P>hostname ProjectFW</P> <P>domain-name abc.com</P> <P>enable password 7sI3Z.cdfer2iY encrypted</P> <P>passwd 7sI3Z.xcvfgt2iY encrypted</P> <P>names</P> <P>&nbsp;</P> <P>!</P> <P>interface GigabitEthernet1/1</P> <P>&nbsp;nameif outside</P> <P>&nbsp;security-level 0</P> <P>&nbsp;ip address x.x.x.x 255.255.255.0</P> <P>!</P> <P>interface GigabitEthernet1/2</P> <P>&nbsp;nameif inside</P> <P>&nbsp;security-level 100</P> <P>&nbsp;ip address 192.168.81.7 255.255.255.0</P> <P>&nbsp;dhcprelay server 192.168.81.25</P> <P>!</P> <P>interface GigabitEthernet1/3</P> <P>&nbsp;shutdown</P> <P>&nbsp;no nameif</P> <P>&nbsp;no security-level</P> <P>&nbsp;no ip address</P> <P>!</P> <P>interface GigabitEthernet1/4</P> <P>&nbsp;nameif Winside</P> <P>&nbsp;security-level 100</P> <P>&nbsp;ip address 192.168.83.7 255.255.255.0</P> <P>!</P> <P>interface GigabitEthernet1/5</P> <P>&nbsp;shutdown</P> <P>&nbsp;no nameif</P> <P>&nbsp;no security-level</P> <P>&nbsp;no ip address</P> <P>!</P> <P>interface GigabitEthernet1/6</P> <P><SPAN>shutdown</SPAN>&nbsp;</P> <P>nameif xxx_Outside</P> <P>&nbsp;security-level 0</P> <P>&nbsp;ip address&nbsp;x.x.x.x 255.255.255.252</P> <P>!</P> <P>interface GigabitEthernet1/7</P> <P>&nbsp;shutdown</P> <P>&nbsp;no nameif</P> <P>&nbsp;no security-level</P> <P>&nbsp;no ip address</P> <P>!</P> <P>interface GigabitEthernet1/8</P> <P>&nbsp;shutdown</P> <P>&nbsp;no nameif</P> <P>&nbsp;no security-level</P> <P>&nbsp;no ip address</P> <P>!</P> <P>interface Management1/1</P> <P>&nbsp;management-only</P> <P>&nbsp;no nameif</P> <P>&nbsp;no security-level</P> <P>&nbsp;no ip address</P> <P>!</P> <P>boot system disk0:/asa962-23-lfbff-k8.SPA</P> <P>ftp mode passive</P> <P>dns domain-lookup inside</P> <P>dns server-group DefaultDNS</P> <P>&nbsp;name-server 192.168.81.25 inside</P> <P>&nbsp;domain-name abc.com</P> <P>same-security-traffic permit inter-interface</P> <P>same-security-traffic permit intra-interface</P> <P>object network obj_any</P> <P>&nbsp;subnet 0.0.0.0 0.0.0.0</P> <P>object network Printer_192.168.81.31_Plotter</P> <P>&nbsp;host 192.168.81.31</P> <P>&nbsp;description Plotter</P> <P>object network Printer_192.168.81.36_xxx</P> <P>&nbsp;host 192.168.81.36</P> <P>&nbsp;description xxxx</P> <P>object network Printer_192.168.81.47_xxx</P> <P>&nbsp;host 192.168.81.47</P> <P>&nbsp;description xxx Printer</P> <P>object network Printer_192.168.81.41_xxx</P> <P>&nbsp;host 192.168.81.41</P> <P>&nbsp;description xxxx</P> <P>object network Printer_192.168.81.45_xxxx</P> <P>&nbsp;host 192.168.81.45</P> <P>&nbsp;description xxxx</P> <P>object network Printer_192.168.81.48_xxxx</P> <P>&nbsp;host 192.168.81.48</P> <P>&nbsp;description xxxx</P> <P>object network Printer_192.168.81.42_xxxx</P> <P>&nbsp;host 192.168.81.42</P> <P>&nbsp;description xxxx</P> <P>object network Printer_192.168.81.43_xxxx</P> <P>&nbsp;host 192.168.81.43</P> <P>&nbsp;description xxxx</P> <P>object-group service Syslog udp</P> <P>&nbsp;port-object eq syslog</P> <P>access-list inside_access_in extended permit udp object-group DM_INLINE_NETWORK_2 any object-group DM_INLINE_UDP_1 log disable</P> <P>access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.81.0 255.255.255.0 object-group ApprovedDNSServer</P> <P>access-list inside_access_in extended permit tcp 192.168.81.0 255.255.255.0 any object-group DM_INLINE_TCP_16 log disable</P> <P>access-list inside_access_in extended permit tcp 192.168.81.0 255.255.255.0 object sftp.norc.org eq ssh</P> <P>access-list inside_access_in extended permit object-group TCP-UDP 192.168.81.0 255.255.255.0 any object-group DM_INLINE_TCPUDP_1</P> <P>access-list inside_access_in extended permit ip object Server_xxx any</P> <P>access-list inside_access_in extended permit ip object-group NoRestrictionSource_aaa any log disable</P> <P>access-list inside_access_in extended permit ip object-group NoRestrictionSource_IT_Team any log disable</P> <P>access-list inside_access_in extended permit ip object-group NoRestrictionSource_aaaa any log disable</P> <P>access-list inside_access_in extended permit ip object-group Server_Live any</P> <P>access-list inside_access_in extended deny ip object-group Restricted_IPs any log disable</P> <P>access-list inside_access_in extended permit ip object-group NoRestrictionSources any</P> <P>access-list inside_access_in extended permit tcp 192.168.81.0 255.255.255.0 any object-group DM_INLINE_TCP_14</P> <P>access-list inside_access_in extended permit tcp 192.168.81.0 255.255.255.0 any object-group DM_INLINE_TCP_8</P> <P>access-list inside_access_in extended permit tcp 192.168.81.0 255.255.255.0 any object-group ApplePushNotificationService</P> <P>access-list inside_access_in extended permit tcp any object-group Printers object-group Printer_TCP</P> <P>access-list inside_access_in extended permit tcp 192.168.81.0 255.255.255.0 any object-group DM_INLINE_TCP_15</P> <P>access-list inside_access_in extended permit ip 192.168.81.0 255.255.255.0 192.168.83.0 255.255.255.0 inactive</P> <P>access-list inside_access_in extended permit icmp 192.168.81.0 255.255.255.0 any</P> <P>access-list inside_access_in extended permit udp 192.168.81.0 255.255.255.0 any eq ntp</P> <P>access-list inside_access_in extended permit tcp object Server_MigrationManager_81.199 any object-group DM_INLINE_TCP_18 inactive</P> <P>access-list inside_access_in extended permit tcp 192.168.81.0 255.255.255.0 any object-group DM_INLINE_TCP_9</P> <P>access-list inside_access_in extended permit tcp 192.168.81.0 255.255.255.0 any object-group DM_INLINE_TCP_5</P> <P>access-list inside_access_in extended permit udp any any object-group WhatsApp_UDP</P> <P>access-list inside_access_in extended permit object-group TCP-UDP any any object-group XMPP</P> <P>access-list inside_access_in extended permit tcp 192.168.81.0 255.255.255.0 any object-group DM_INLINE_TCP_7 inactive</P> <P>access-list inside_access_in extended permit ip 192.168.81.0 255.255.255.0 object-group GoodServers</P> <P>access-list inside_access_in extended deny ip any object-group Blocked_Addresses</P> <P>access-list inside_access_in extended deny object-group TCP-UDP any any object-group Torrent</P> <P>access-list inside_access_in extended deny ip object-group Blocked_Sources any</P> <P>access-list inside_access_in extended deny object-group TCP-UDP 192.168.81.0 255.255.255.0 any object-group HotspotShield</P> <P>access-list inside_access_in extended deny ip any any</P> <P>access-list Winside_access_in extended permit udp 192.168.83.0 255.255.255.0 any object-group DM_INLINE_UDP_2</P> <P>access-list Winside_access_in extended permit object-group DM_INLINE_SERVICE_6 192.168.83.0 255.255.255.0 object Server_xxx</P> <P>access-list Winside_access_in extended permit udp 192.168.83.0 255.255.255.0 object-group Printers object-group Printer_HP_Ports</P> <P>access-list Winside_access_in extended permit tcp 192.168.83.0 255.255.255.0 192.168.81.0 255.255.255.0 object-group DM_INLINE_TCP_13</P> <P>access-list Winside_access_in extended permit tcp object-group xxx object-group DM_INLINE_NETWORK_4 object-group xxx</P> <P>access-list Winside_access_in extended permit tcp 192.168.83.0 255.255.255.0 object-group ApprovedDNSServer eq domain</P> <P>access-list Winside_access_in extended permit ip object-group NoRestrictionSources any</P> <P>access-list Winside_access_in extended permit tcp 192.168.83.0 255.255.255.0 object-group Printers object-group Printer_TCP</P> <P>access-list Winside_access_in extended permit icmp any any</P> <P>access-list Winside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Server_xxx inactive</P> <P>access-list Winside_access_in extended permit object-group DM_INLINE_SERVICE_4 192.168.83.0 255.255.255.0 any inactive</P> <P>access-list outside_access_in extended permit object-group ICMP any any</P> <P>access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_1</P> <P>access-list outside_access_in extended permit tcp any object aaa_x.x.x.x_ object-group DM_INLINE_TCP_2</P> <P>access-list outside_access_in extended permit tcp any object aab_x.x.x.x object-group DM_INLINE_TCP_3</P> <P>access-list outside_access_in extended permit tcp any object aac_x.x.x.x object-group DM_INLINE_TCP_4</P> <P>access-list inboundSurvey extended permit icmp any any object-group DM_INLINE_ICMP_1</P> <P>access-list inboundSurvey extended permit tcp any object xxx_Interface_Outside object-group DM_INLINE_TCP_12</P> <P>access-list OUTSIDE-IN extended permit icmp any any</P> <P>access-list outside_access_Out extended permit tcp any4 object xxx object-group DM_INLINE_TCP_10</P> <P>access-list outside_access_Out extended permit tcp any4 object Server_MigrationManager_81.199 object-group DM_INLINE_TCP_0</P> <P>access-list outside_access_Out extended permit ip object-group xxx object xxx_81.29</P> <P>access-list outside_access_Out extended permit object-group DM_INLINE_SERVICE_7 any4 object xxx</P> <P>access-list outside_access_Out extended permit object-group DM_INLINE_SERVICE_0 any4 object xxx</P> <P>access-list outside_access_Out extended permit icmp object-group DM_INLINE_NETWORK_3 any inactive</P> <P>access-list outside_access_Out extended permit icmp any any</P> <P>access-list outside_access_Out extended deny ip any any</P> <P>access-list x_Outsite_access_in extended permit icmp any any</P> <P>access-list xxx-THROTTLE extended permit ip object Server_xxx any</P> <P>access-list xxxx-THROTTLE extended permit ip any object Server_xxx inactive</P> <P>access-list&nbsp;xxx extended permit tcp 192.168.83.0 255.255.255.0 any object-group DM_INLINE_TCP_17</P> <P>pager lines 24</P> <P>logging enable</P> <P>logging timestamp</P> <P>logging trap critical</P> <P>logging asdm informational</P> <P>logging host inside 192.168.81.x</P> <P>no logging message 106015</P> <P>no logging message 313001</P> <P>no logging message 313008</P> <P>no logging message 106023</P> <P>no logging message 710003</P> <P>no logging message 106100</P> <P>no logging message 302015</P> <P>no logging message 302014</P> <P>no logging message 302013</P> <P>no logging message 302018</P> <P>no logging message 302017</P> <P>no logging message 302016</P> <P>no logging message 302021</P> <P>no logging message 302020</P> <P>flow-export destination inside 192.168.81.17 9996</P> <P>flow-export delay flow-create 15</P> <P>mtu outside 1500</P> <P>mtu inside 1500</P> <P>mtu Winside 1500</P> <P>mtu NTL_Outside 1500</P> <P>icmp unreachable rate-limit 1 burst-size 1</P> <P>no asdm history enable</P> <P>arp timeout 14400</P> <P>no arp permit-nonconnected</P> <P>arp rate-limit 16384</P> <P>nat (inside,outside) source dynamic any interface dns</P> <P>nat (Winside,inside) source dynamic any interface dns</P> <P>!</P> <P>object network aaa</P> <P>&nbsp;nat (inside,outside) static interface service tcp 3389 3389</P> <P>object network aab</P> <P>&nbsp;nat (inside,outside) static xxx</P> <P>object network aac</P> <P>&nbsp;nat (inside,outside) static xxx</P> <P>object network aad</P> <P>&nbsp;nat (inside,outside) static xxx</P> <P>object network aae</P> <P>&nbsp;nat (inside,outside) static xxx</P> <P>access-group outside_access_Out in interface outside</P> <P>access-group inside_access_in in interface inside</P> <P>access-group Winside_access_in in interface Winside</P> <P>access-group x Outsite_access_in in interface xxx Outside</P> <P>!</P> <P>route-map xxx permit 10</P> <P>&nbsp;match ip address xxx</P> <P>&nbsp;set ip next-hop x.x.x.x</P> <P>&nbsp;</P> <P>!</P> <P>route-map xxx permit 20</P> <P>&nbsp;</P> <P>!</P> <P>route outside 0.0.0.0 0.0.0.0 x.x.x.x 1</P> <P>timeout xlate 3:00:00</P> <P>timeout pat-xlate 0:00:30</P> <P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02</P> <P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P> <P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P> <P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P> <P>timeout tcp-proxy-reassembly 0:01:00</P> <P>timeout floating-conn 0:00:00</P> <P>timeout conn-holddown 0:00:15</P> <P>user-identity default-domain LOCAL</P> <P>aaa authentication ssh console LOCAL</P> <P>http server enable</P> <P>http 192.168.1.0 255.255.255.0 inside</P> <P>http 192.168.81.0 255.255.255.0 inside</P> <P>snmp-server host inside 192.168.81.x community *****</P> <P>no snmp-server location</P> <P>no snmp-server contact</P> <P>snmp-server community *****</P> <P>service sw-reset-button</P> <P>crypto ipsec security-association pmtu-aging infinite</P> <P>crypto ca trustpool policy</P> <P>telnet 192.168.81.0 255.255.255.0 inside</P> <P>telnet timeout 30</P> <P>ssh stricthostkeycheck</P> <P>ssh timeout 5</P> <P>ssh key-exchange group dh-group1-sha1</P> <P>console timeout 0</P> <P>&nbsp;</P> <P>dhcpd domain abc.com</P> <P>!</P> <P>dhcpd address 192.168.83.30-192.168.83.245 Winside</P> <P>dhcpd dns 192.168.81.25 interface Winside</P> <P>dhcpd option 3 ip 192.168.83.253 interface Winside</P> <P>dhcpd option 6 ip 192.168.81.25 interface Winside</P> <P>!</P> <P>dhcprelay server 192.168.81.25 inside</P> <P>dhcprelay enable Winside</P> <P>dhcprelay timeout 160</P> <P>threat-detection basic-threat</P> <P>threat-detection scanning-threat shun except object-group NoRestrictionSource_IT_Team</P> <P>threat-detection scanning-threat shun except object-group NoRestrictionSource_xx</P> <P>threat-detection scanning-threat shun except object-group NoRestrictionSource_xx</P> <P>threat-detection scanning-threat shun except object-group NoRestrictionSources</P> <P>threat-detection scanning-threat shun except object-group NoShunnGroup</P> <P>threat-detection scanning-threat shun duration 1800</P> <P>threat-detection statistics host number-of-rate 3</P> <P>threat-detection statistics port number-of-rate 3</P> <P>threat-detection statistics protocol number-of-rate 3</P> <P>threat-detection statistics access-list</P> <P>threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200</P> <P>dynamic-access-policy-record DfltAccessPolicy</P> <P>username xxx password 2dMuEBodaRTg/ojQ encrypted privilege 15</P> <P>username xxx password rFMCRvdj4RRRNLzF encrypted privilege 15</P> <P>username xxx password cmyrcWm5arRxckSs encrypted privilege 15</P> <P>!</P> <P>class-map global-class-NetFlow</P> <P>&nbsp;match any</P> <P>class-map CM-xxx-THROTTLE</P> <P>&nbsp;match access-list xxx-THROTTLE</P> <P>class-map inspection_default</P> <P>&nbsp;match default-inspection-traffic</P> <P>!</P> <P>!</P> <P>policy-map type inspect dns preset_dns_map</P> <P>&nbsp;parameters</P> <P>&nbsp; message-length maximum client auto</P> <P>&nbsp; message-length maximum 512</P> <P>&nbsp; no tcp-inspection</P> <P>policy-map PM-xxx-THROTTLE</P> <P>&nbsp;class CM-xxx-THROTTLE</P> <P>&nbsp; police input 4000000 4000</P> <P>&nbsp; police output 4000000 4000</P> <P>policy-map global_policy</P> <P>&nbsp;class inspection_default</P> <P>&nbsp; inspect dns preset_dns_map</P> <P>&nbsp; inspect ftp</P> <P>&nbsp; inspect h323 h225</P> <P>&nbsp; inspect h323 ras</P> <P>&nbsp; inspect rsh</P> <P>&nbsp; inspect rtsp</P> <P>&nbsp; inspect esmtp</P> <P>&nbsp; inspect sqlnet</P> <P>&nbsp; inspect skinny&nbsp;</P> <P>&nbsp; inspect sunrpc</P> <P>&nbsp; inspect xdmcp</P> <P>&nbsp; inspect sip&nbsp;</P> <P>&nbsp; inspect netbios</P> <P>&nbsp; inspect tftp</P> <P>&nbsp; inspect ip-options</P> <P>&nbsp;class global-class-NetFlow</P> <P>&nbsp; flow-export event-type all destination 192.168.81.17</P> <P>&nbsp;class class-default</P> <P>&nbsp; user-statistics accounting</P> <P>policy-map global-policy</P> <P>&nbsp;class inspection_default</P> <P>&nbsp; inspect icmp</P> <P>&nbsp; inspect icmp error</P> <P>!</P> <P>service-policy global_policy global</P> <P>service-policy PM-xxx-THROTTLE interface inside</P> <P>prompt hostname context</P> <P>no call-home reporting anonymous</P> <P>hpm topN enable</P> <P>Cryptochecksum:0d74e8c37dxxxxxxxe6d6166105</P> <P>: end</P> <P>no asdm history enable</P> <P>&nbsp;</P> Mon, 15 Oct 2018 11:26:37 GMT https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3725469#M1013778 Zargham Haider 2018-10-15T11:26:37Z https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3726067#M1013779 <P>Hi,</P> <P>Normally wouldn't configuration issues cause working functions to stop working as they wouldn't work from the beginning. But I see that you have a lot of functions enabled like netflow, route maps, threat inspection etc enabled. Normally you are more exposed to hitting bugs with the more functions you enable. You are also running a code that no longer is downloadable.</P> <P>&nbsp;</P> <P>My suggestion would be to upgrade the firewall to 9.6.4 or 9.8.2 (both last interim release) that have fixes for various bugs like memory leaks (which could explain your issues) alon with monitoring the logs on your syslog server</P> <P>Best regards,</P> <P>Martin</P> Tue, 16 Oct 2018 06:54:53 GMT https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3726067#M1013779 Martin Kling 2018-10-16T06:54:53Z https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3726257#M1013780 <P>Hi Martin,</P> <P>&nbsp;</P> <P>Thanks for your reply....</P> <P>Actually you are right.... this was Memory leak bug. i found&nbsp;the solution. this is&nbsp;<FONT size="3"><STRONG>Cisco Bug: CSCvd71473</STRONG>. it relates to DNS memory leak "</FONT><FONT size="3">slow memory leak when using many DNS queries". This issue is seen whenever a DNS query gets resolved on ASA. We could see a small amount of memory leak (around 64 Bytes with each DNS query getting resolved) on ASA.</FONT></P> <P><FONT size="3">for detailed information please read this Bug info:</FONT></P> <P><A href="https://quickview.cloudapps.cisco.com/quickview/bug/CSCvd71473" target="_blank"><FONT size="3">https://quickview.cloudapps.cisco.com/quickview/bug/CSCvd71473</FONT></A></P> <P>&nbsp;Now i must look for latest codes as you said.</P> <P>&nbsp;</P> Tue, 16 Oct 2018 11:18:18 GMT https://community.cisco.com/t5/network-security/firewall-5506-x-blocking-all-dns-queries/m-p/3726257#M1013780 Zargham Haider 2018-10-16T11:18:18Z