06-01-2016 03:16 AM - edited 03-12-2019 12:49 AM
Hi,
we currently have an issue with our FQDN access-list.
We have allowed access to FQDN smtp.office365.com and outlook.office365.com via HTTPS (acl_dmz).
Unfortunately it is sometimes not working properly, as you can see from the output below. I filtered for only one of the resolved destination IP addresses for a better overview, but it happens with all of them:
Jun 1 10:23:56 fw-1 %ASA-5-746014: user-identity: [FQDN] outlook.office365.com address 40.96.28.66 obsolete
Jun 1 10:23:56 fw-1 %ASA-5-746014: user-identity: [FQDN] smtp.office365.com address 40.96.28.66 obsolete
Jun 1 10:32:05 fw-1 %ASA-4-106023: Deny tcp src dmz:10.0.0.151/59313 dst outside:40.96.28.66/443 by access-group "acl_dmz" [0x0, 0x0]
Jun 1 10:32:35 fw-1 %ASA-4-106023: Deny tcp src dmz:10.0.0.151/59323 dst outside:40.96.28.66/443 by access-group "acl_dmz" [0x0, 0x0]
Jun 1 10:33:02 fw-1 %ASA-5-746015: user-identity: [FQDN] smtp.office365.com resolved 40.96.28.66
Jun 1 10:33:02 fw-1 %ASA-5-746015: user-identity: [FQDN] outlook.office365.com resolved 40.96.28.66
Jun 1 10:38:01 fw-1 %ASA-5-746014: user-identity: [FQDN] smtp.office365.com address 40.96.28.66 obsolete
Jun 1 10:38:01 fw-1 %ASA-5-746014: user-identity: [FQDN] outlook.office365.com address 40.96.28.66 obsolete
Jun 1 10:59:55 fw-1 %ASA-4-106023: Deny tcp src dmz:10.0.0.150/45612 dst outside:40.96.28.66/443 by access-group "acl_dmz" [0x0, 0x0]
Jun 1 11:00:29 fw-1 %ASA-5-746015: user-identity: [FQDN] smtp.office365.com resolved 40.96.28.66
Jun 1 11:00:29 fw-1 %ASA-5-746015: user-identity: [FQDN] outlook.office365.com resolved 40.96.28.66
Jun 1 11:04:09 fw-1 %ASA-5-746014: user-identity: [FQDN] smtp.office365.com address 40.96.28.66 obsolete
Jun 1 11:04:51 fw-1 %ASA-5-746014: user-identity: [FQDN] outlook.office365.com address 40.96.28.66 obsolete
Jun 1 11:14:29 fw-1 %ASA-5-746015: user-identity: [FQDN] smtp.office365.com resolved 40.96.28.66
Jun 1 11:14:51 fw-1 %ASA-5-746015: user-identity: [FQDN] outlook.office365.com resolved 40.96.28.66
Jun 1 11:22:46 fw-1 %ASA-5-746014: user-identity: [FQDN] smtp.office365.com address 40.96.28.66 obsolete
Jun 1 11:23:03 fw-1 %ASA-5-746014: user-identity: [FQDN] outlook.office365.com address 40.96.28.66 obsolete
Jun 1 11:32:55 fw-1 %ASA-4-106023: Deny tcp src dmz:10.0.0.150/45827 dst outside:40.96.28.66/443 by access-group "acl_dmz" [0x0, 0x0]
Jun 1 11:33:05 fw-1 %ASA-4-106023: Deny tcp src dmz:10.0.0.151/59632 dst outside:40.96.28.66/443 by access-group "acl_dmz" [0x0, 0x0]
Jun 1 11:33:25 fw-1 %ASA-4-106023: Deny tcp src dmz:10.0.0.150/45828 dst outside:40.96.28.66/443 by access-group "acl_dmz" [0x0, 0x0]
Jun 1 11:33:36 fw-1 %ASA-5-746015: user-identity: [FQDN] smtp.office365.com resolved 40.96.28.66
Jun 1 11:33:36 fw-1 %ASA-5-746015: user-identity: [FQDN] outlook.office365.com resolved 40.96.28.66
Jun 1 11:37:36 fw-1 %ASA-5-746014: user-identity: [FQDN] smtp.office365.com address 40.96.28.66 obsolete
Jun 1 11:37:45 fw-1 %ASA-5-746014: user-identity: [FQDN] outlook.office365.com address 40.96.28.66 obsolete
Jun 1 11:41:05 fw-1 %ASA-5-746015: user-identity: [FQDN] smtp.office365.com resolved 40.96.28.66
Jun 1 11:41:35 fw-1 %ASA-5-746015: user-identity: [FQDN] outlook.office365.com resolved 40.96.28.66
For me, it seems strange that the entries are switching between "resolved" and "obsolete" at such a frequency. As I understood the concept, this should be looked up once every few hours and stay persistent in the ACL. I think whenever the entry goes to obsolete and a request then occurs, it is denied.
Any ideas how to resolve this?
BR,
Amir
06-01-2016 03:39 AM
Hi,
Please post your configuration here.
Jagrati
06-01-2016 03:50 AM
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.1.1.100
 domain-name dc.local
object network fqdn_outlook.office365.com
 fqdn outlook.office365.com
object network fqdn_smtp.office365.com
 fqdn smtp.office365.com
object-group network grp_allowed_public_destinations
 network-object object fqdn_outlook.office365.com
 network-object object fqdn_smtp.office365.com
access-list acl_dmz extended permit tcp host 10.0.0.150 object-group grp_allowed_public_destinations eq https
access-list acl_dmz extended permit tcp host 10.0.0.151 object-group grp_allowed_public_destinations eq https
-----
show access-list looks like this (same with smtp -> left out):
access-list acl_dmz line 23 extended permit tcp host 10.0.0.150 fqdn outlook.office365.com (resolved) eq https 0x86426283
access-list acl_dmz line 23 extended permit tcp host 10.0.0.150 host 132.245.55.18 (outlook.office365.com) eq https (hitcnt=0) 0x1efcbf65
access-list acl_dmz line 23 extended permit tcp host 10.0.0.150 host 40.101.36.2 (outlook.office365.com) eq https (hitcnt=0) 0xb7a8bdbf
access-list acl_dmz line 23 extended permit tcp host 10.0.0.150 host 40.96.35.2 (outlook.office365.com) eq https (hitcnt=0) 0xe1e61e6b
access-list acl_dmz line 23 extended permit tcp host 10.0.0.150 host 40.101.16.2 (outlook.office365.com) eq https (hitcnt=3) 0xa41f5d0c
access-list acl_dmz line 23 extended permit tcp host 10.0.0.150 host 40.96.19.226 (outlook.office365.com) eq https (hitcnt=0) 0x1a8d201e
access-list acl_dmz line 23 extended permit tcp host 10.0.0.150 host 40.96.21.2 (outlook.office365.com) eq https (hitcnt=1) 0x44cf01fd
access-list acl_dmz line 23 extended permit tcp host 10.0.0.150 host 132.245.226.82 (outlook.office365.com) eq https (hitcnt=0) 0xdddca80d
access-list acl_dmz line 23 extended permit tcp host 10.0.0.150 host 40.96.37.66 (outlook.office365.com) eq https (hitcnt=0) 0x3895cbd6
access-list acl_dmz line 23 extended permit tcp host 10.0.0.150 host 132.245.226.18 (outlook.office365.com) eq https (hitcnt=0) 0x80f07e4c
access-list acl_dmz line 24 extended permit tcp host 10.0.0.151 fqdn outlook.office365.com (resolved) eq https 0x8ce0f41f
access-list acl_dmz line 24 extended permit tcp host 10.0.0.151 host 132.245.55.18 (outlook.office365.com) eq https (hitcnt=0) 0x5ca7c56c
access-list acl_dmz line 24 extended permit tcp host 10.0.0.151 host 40.101.36.2 (outlook.office365.com) eq https (hitcnt=0) 0x5fca0aab
access-list acl_dmz line 24 extended permit tcp host 10.0.0.151 host 40.96.35.2 (outlook.office365.com) eq https (hitcnt=0) 0xf00d40cf
access-list acl_dmz line 24 extended permit tcp host 10.0.0.151 host 40.101.16.2 (outlook.office365.com) eq https (hitcnt=1) 0x2666eb9a
access-list acl_dmz line 24 extended permit tcp host 10.0.0.151 host 40.96.19.226 (outlook.office365.com) eq https (hitcnt=3) 0xf2bea535
access-list acl_dmz line 24 extended permit tcp host 10.0.0.151 host 40.96.21.2 (outlook.office365.com) eq https (hitcnt=0) 0x122fea6a
access-list acl_dmz line 24 extended permit tcp host 10.0.0.151 host 132.245.226.82 (outlook.office365.com) eq https (hitcnt=0) 0x4313fff7
access-list acl_dmz line 24 extended permit tcp host 10.0.0.151 host 40.96.37.66 (outlook.office365.com) eq https (hitcnt=0) 0x4d6cfe10
access-list acl_dmz line 24 extended permit tcp host 10.0.0.151 host 132.245.226.18 (outlook.office365.com) eq https (hitcnt=0) 0xcef2f0f9
BR,
Amir
06-01-2016 04:32 AM
Hi Amir,
It seems that the ASA is not able to resolve the FQDN for a certain time and thus the ACL does not match.
Please take the output of the below command at the time of the issue and see if the resolution for these FQDNs is present.
#show dns
After this, take the debugs and paste the output here.
#debug user-identity fqdn
Jagrati
06-01-2016 08:10 AM
Hi,
I think I found the issue. The fqdn entry allows only 10 IP addresses to be assigned to the ACL. But in this case, it seems outlook.office365.com has many more and they are changing dynamically (different addresses on nslookup every few seconds). So the FW sets the IPs it gets, but the server sometimes resolves the domain to a different IP. When it then tries to communicate, the block occurs.
I think the only way to resolve this problem, will be to permit the destination networks for office365.com statically...
Thanks for your help!
BR,
Amir
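As an added example (it is not part of the thread and not a Cisco tool), the following Python script replays the syslog excerpt from the first post and, for every 106023 deny, reports whether the ASA had the destination address marked obsolete at that instant, how long that obsolete window had already been open, and how long each FQDN sat obsolete before the next "resolved" message. The year 2016 is assumed (the ASA syslog prefix carries none), and one extra deny line to 192.0.2.10 is constructed to exercise the case Amir describes, where the client resolves an address the ASA never saw.

```python
"""Correlate Cisco ASA FQDN-object messages (746014 obsolete / 746015 resolved)
with ACL denies (106023). Added example, not from the thread or from Cisco."""
import re
from collections import defaultdict
from datetime import datetime

# Lines from the original post (year assumed 2016) plus ONE constructed deny to
# 192.0.2.10 (TEST-NET-1) for the "destination never resolved by the ASA" case.
SAMPLE_LOG = """\
Jun 1 10:23:56 fw-1 %ASA-5-746014: user-identity: [FQDN] outlook.office365.com address 40.96.28.66 obsolete
Jun 1 10:23:56 fw-1 %ASA-5-746014: user-identity: [FQDN] smtp.office365.com address 40.96.28.66 obsolete
Jun 1 10:32:05 fw-1 %ASA-4-106023: Deny tcp src dmz:10.0.0.151/59313 dst outside:40.96.28.66/443 by access-group "acl_dmz" [0x0, 0x0]
Jun 1 10:32:35 fw-1 %ASA-4-106023: Deny tcp src dmz:10.0.0.151/59323 dst outside:40.96.28.66/443 by access-group "acl_dmz" [0x0, 0x0]
Jun 1 10:33:02 fw-1 %ASA-5-746015: user-identity: [FQDN] smtp.office365.com resolved 40.96.28.66
Jun 1 10:33:02 fw-1 %ASA-5-746015: user-identity: [FQDN] outlook.office365.com resolved 40.96.28.66
Jun 1 10:38:01 fw-1 %ASA-5-746014: user-identity: [FQDN] smtp.office365.com address 40.96.28.66 obsolete
Jun 1 10:38:01 fw-1 %ASA-5-746014: user-identity: [FQDN] outlook.office365.com address 40.96.28.66 obsolete
Jun 1 10:59:55 fw-1 %ASA-4-106023: Deny tcp src dmz:10.0.0.150/45612 dst outside:40.96.28.66/443 by access-group "acl_dmz" [0x0, 0x0]
Jun 1 11:00:29 fw-1 %ASA-5-746015: user-identity: [FQDN] smtp.office365.com resolved 40.96.28.66
Jun 1 11:00:29 fw-1 %ASA-5-746015: user-identity: [FQDN] outlook.office365.com resolved 40.96.28.66
Jun 1 11:04:09 fw-1 %ASA-5-746014: user-identity: [FQDN] smtp.office365.com address 40.96.28.66 obsolete
Jun 1 11:04:51 fw-1 %ASA-5-746014: user-identity: [FQDN] outlook.office365.com address 40.96.28.66 obsolete
Jun 1 11:14:29 fw-1 %ASA-5-746015: user-identity: [FQDN] smtp.office365.com resolved 40.96.28.66
Jun 1 11:14:51 fw-1 %ASA-5-746015: user-identity: [FQDN] outlook.office365.com resolved 40.96.28.66
Jun 1 11:22:46 fw-1 %ASA-5-746014: user-identity: [FQDN] smtp.office365.com address 40.96.28.66 obsolete
Jun 1 11:23:03 fw-1 %ASA-5-746014: user-identity: [FQDN] outlook.office365.com address 40.96.28.66 obsolete
Jun 1 11:32:55 fw-1 %ASA-4-106023: Deny tcp src dmz:10.0.0.150/45827 dst outside:40.96.28.66/443 by access-group "acl_dmz" [0x0, 0x0]
Jun 1 11:33:05 fw-1 %ASA-4-106023: Deny tcp src dmz:10.0.0.151/59632 dst outside:40.96.28.66/443 by access-group "acl_dmz" [0x0, 0x0]
Jun 1 11:33:25 fw-1 %ASA-4-106023: Deny tcp src dmz:10.0.0.150/45828 dst outside:40.96.28.66/443 by access-group "acl_dmz" [0x0, 0x0]
Jun 1 11:33:36 fw-1 %ASA-5-746015: user-identity: [FQDN] smtp.office365.com resolved 40.96.28.66
Jun 1 11:33:36 fw-1 %ASA-5-746015: user-identity: [FQDN] outlook.office365.com resolved 40.96.28.66
Jun 1 11:37:36 fw-1 %ASA-5-746014: user-identity: [FQDN] smtp.office365.com address 40.96.28.66 obsolete
Jun 1 11:37:45 fw-1 %ASA-5-746014: user-identity: [FQDN] outlook.office365.com address 40.96.28.66 obsolete
Jun 1 11:41:05 fw-1 %ASA-5-746015: user-identity: [FQDN] smtp.office365.com resolved 40.96.28.66
Jun 1 11:41:35 fw-1 %ASA-5-746015: user-identity: [FQDN] outlook.office365.com resolved 40.96.28.66
Jun 1 11:45:00 fw-1 %ASA-4-106023: Deny tcp src dmz:10.0.0.150/45900 dst outside:192.0.2.10/443 by access-group "acl_dmz" [0x0, 0x0]
"""

HEADER_RE = re.compile(r'^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$')
FQDN_RE = re.compile(r'%ASA-5-7460(?:14|15): user-identity: \[FQDN\] (?P<fqdn>\S+) '
                     r'(?:address (?P<obs_ip>\S+) obsolete|resolved (?P<res_ip>\S+))')
DENY_RE = re.compile(r'%ASA-4-106023: Deny (?P<proto>\S+) src (?P<sif>[^:]+):(?P<src>[^/]+)/(?P<sport>\d+) '
                     r'dst (?P<dif>[^:]+):(?P<dst>[^/]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')


def parse_line(line, year=2016):
    """Return an event dict for FQDN state or deny messages, None for anything else."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
    f = FQDN_RE.search(m['msg'])
    if f:
        kind, ip = ('resolved', f['res_ip']) if f['res_ip'] else ('obsolete', f['obs_ip'])
        return {'ts': ts, 'kind': kind, 'fqdn': f['fqdn'], 'ip': ip}
    d = DENY_RE.search(m['msg'])
    return {'ts': ts, 'kind': 'deny', **d.groupdict()} if d else None


def correlate(log_text):
    """Replay the log; for each deny, record the FQDN state of the destination at that instant."""
    valid = defaultdict(set)   # ip -> FQDNs currently mapped to it (ACE is installed)
    last_obsolete, known, findings = {}, set(), []
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        if ev['kind'] == 'resolved':
            valid[ev['ip']].add(ev['fqdn']); known.add(ev['ip'])
        elif ev['kind'] == 'obsolete':
            valid[ev['ip']].discard(ev['fqdn']); last_obsolete[ev['ip']] = ev['ts']; known.add(ev['ip'])
        else:
            ip = ev['dst']
            state = 'valid' if valid[ip] else ('obsolete' if ip in known else 'never_resolved')
            gap = int((ev['ts'] - last_obsolete[ip]).total_seconds()) if state == 'obsolete' else None
            findings.append({'ts': ev['ts'], 'src': ev['src'], 'dst': ip, 'dport': ev['dport'],
                             'state': state, 'seconds_since_obsolete': gap})
    return findings


def obsolete_windows(log_text):
    """Per FQDN, seconds each (fqdn, ip) pair stayed obsolete before the next 'resolved'."""
    opened, windows = {}, defaultdict(list)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        key = (ev.get('fqdn'), ev.get('ip'))
        if ev['kind'] == 'obsolete':
            opened[key] = ev['ts']
        elif ev['kind'] == 'resolved' and key in opened:
            windows[ev['fqdn']].append(int((ev['ts'] - opened.pop(key)).total_seconds()))
    return dict(windows)


if __name__ == '__main__':
    for f in correlate(SAMPLE_LOG):
        print(f"{f['ts']:%H:%M:%S} {f['src']} -> {f['dst']}:{f['dport']} state={f['state']} "
              f"obsolete_for={f['seconds_since_obsolete']}s")
    for fqdn, secs in obsolete_windows(SAMPLE_LOG).items():
        print(f"{fqdn}: obsolete windows (s) = {secs}")
```

Run it against a `show logging` capture or the syslog archive with `logging timestamp` off, as in the excerpt. A deny in state `obsolete` means the ACE for that address had been withdrawn and not yet re-installed when the packet arrived; `never_resolved` means the client reached an address the ASA's own resolver never returned for the object; `valid` means the ACE was present and the deny has another cause (different port, protocol or an earlier ACE).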
11-14-2019 07:27 PM
I'm new to the Cisco ASA. Could you tell me when this event gets logged? %ASA-5-746014: user-identity: [FQDN] outlook.office365.com address 40.96.28.66 obsolete