ASA 5520 - External DNS Problems

smartin · ‎10-18-2010

Wanted to upgrade the ASA to version 8.2. Current ASA version is 7.0(8) - see below

Currently running AS 5520

Cisco Adaptive Security Appliance Software Version 7.0(8)

Device Manager Version 5.0(8)

to

Leased a ASA 5520

Cisco Adaptive Security Appliance Software Version 8.2(3)

Device Manager Version 6.3(4)

Leased a Cisco ASA 5520 with version 8.2 (3)

I basically copied the configuration from the current ASA to the new one. I placed the new ASA in place & started having external DNS problems, internal websites no problems.

All workstation point to several internal Windows 2003 DNS servers.

Placed a call with TAC, TAC looked at the ASA & could not come up with a solution. I place the old ASA back into place any everything works OK !

Any Ideas !!

nseshan · ‎10-18-2010

Hi,

Could you provide reference to the TAC SR number and also provide the config of your device if possible?

smartin · ‎10-18-2010

I sent you the SR case # & the configuration, thanks

Maykol Rojas · ‎10-18-2010

Hey,

Mike here, would you mind posting the SR number so I can check it really quick?

Cheers

Mike

smartin · ‎10-19-2010

SR: 615746171

Maykol Rojas · ‎10-19-2010

Hello,

I see the problem now. Would you be able to put the asa 5520 back and try to do queries from the DNS server?

Let me know.

Mike

smartin · ‎10-19-2010

Unfortunately I can't place the updated AS

A until Sunday morning, can you tell me what you think the problem is, thanks.

Maykol Rojas · ‎10-19-2010

Hey.

Between my thoughts is that either there is something different on the configuration, or any of the codes that you have may be running into a bug. Can you tell me the following?

What is the model of the old device?

What is the version of the old device and the version from the new device?

Cna you send me both configurations?

Something that I dont know if you tried was to try to do DNS lookups from your internal DNS server itself.

Will be waiting for your inputs.

Mike

smartin · ‎10-19-2010

I sent you the infomation, thanks

mirober2 · ‎10-19-2010

Hello,

If you post the santized information here it may help to get you an answer faster since there will be more available eyes to look at the problem.

As Mike mentioned above, you'll want to confirm that there were no unintended configuration changes when the ASAs were swapped. Also, you should verify the ARP tables on the clients, DNS server, and network devices that share a layer 2 broadcast domain with the ASA to make sure that they were successfully updated for the new hardware's MAC address.

Hope that helps.

-Mike

smartin · ‎10-19-2010

I took another approach to this problem. I placed the same ASA version 7.08 & configuration on the new ASA. I then updated from 7.08 to 7.1 to 7.2 then to 8.2 (3). I will be placing this in production on Friday morning. I will post my results late Friday morning.

Thanks

Maykol Rojas · ‎10-22-2010

Hello

Today is the day when you were going to put the firewall in production, please let me know if that worked for you, if not, I think it would be better to reopen the TAC case.

Cheers

Mike

smartin · ‎10-25-2010

Sorry for the delayed reply, yes that work, DNS problems resolverd !

Maykol Rojas · ‎10-25-2010

Excellent, I am glad to hear that, would you please mark this issue as resolved so other people can take it as a reference?

Cheers

Mike