Deny inbound UDP from x.x.x.x/highport to x.x.x.x/53 due to DNS Query (ASA running 8.4)

marcelnjkoks (Level 1)

Hello all,

Something that puzzles us.

Normal situation:

LAN > Router > Firewall > Internet.

The firewall has a default route straight to the provider router, all is well.

Failover situation:

The firewall detects that the primary provider network is down using IP SLA tracking which is configured on the primary default route on the ASA.

The tracking mechanism removes the primary default route, after which the secondary default route surfaces using the higher AD.

The secondary default route points back towards mentioned router, which has a connection to a different branch office. The goal is to use their internet connection as fallback option.

LAN > Router > Firewall > Router > WAN > Branch Office router > Branch Office Firewall > Internet

The idea basically works. We've put the correct routing in place, and when using IP addresses for websites instead of URL's it all works nicely.

The problem we have however is with DNS.

During the failover situation the DNS server, which is situated on the LAN of the primary site, sends its request for name resolution to the internet. It's first routed to the router, then to the firewall, then back to the router and from there to the other location for internet access, same as the HTTP traffic. The reason for this is that we have some important equipment on the firewall DMZ interfaces, so we still like to use this primary firewall, although its own internet connection is down. We simply route internet to the other office, as explained above.

We get the error message:

Deny inbound UDP from x.x.x.x/highport to x.x.x.x/53 due to DNS Query

We've tried to disable DNS inspection and DNS guard, but no joy.

When the primary default route is restored, it all turns back to normal without changing anything.

Idea anyone?


7 Replies

csaxena (Cisco Employee)

Hello,

As you mention in the post:

During the failover situation the DNS server, which is situated on the LAN of the primary site, sends its request for name resolution to the internet. It's first routed to the router, then to the firewall, then back to the router and ......

I believe the DNS query gets dropped because of asymmetric routing. Can you please verify if the return path is the same as the original path and includes the firewall.

Hope this helps. Please reply back if you need any further assistance.

Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.

Hi, thanks for answering.

We have thought about this too.

But it seems the initial packet is dropped, not the returning traffic. And I would expect a different message, like 'no connection'.

We don't see any of the initial DNS packets getting through to the branch office firewall. We do however see the HTTP packets, which are following the same route path. Except, these are originated on a DMZ interface, from an ISA server.

It sort of looks like the firewall doesn't like the same flow getting into the inside interface, and routed back immediately out the same interface again following the default route to the branch office.

The same firewall doesn't have a problem at all when the Outside interface is up and running and forwarding packets to the Internet.

Hi,

To permit communication between interfaces with equal security levels,  or to allow traffic to enter and exit the same interface, use the same-security-traffic intra-interface command in global configuration mode.

Can you please ensure this command is there? I feel this might be missing as HTTP traffic is passing fine from DMZ to Inside but Inside to Inside traffic is not passing.

Hope this helps.

Regards,
Chirag
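The tracked-route failover and the intra-interface permit that this answer points to, shown together as an added ASA configuration example (not config from either poster); interface names `inside`/`outside`, the SLA target and all addresses are placeholders.

```cisco
! Added example, not the poster's configuration. Interface names and
! every address are placeholders; adjust to the real topology.
!
! Track reachability of the primary ISP gateway with ICMP echo,
! forced out the outside interface so the probe never follows the
! backup default route.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! Primary default route stays in the table only while track 1 is up.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! Backup default route points back to the LAN router with a worse
! AD (254), so it surfaces only after the tracked route is withdrawn.
route inside 0.0.0.0 0.0.0.0 192.168.1.1 254
!
! In failover, traffic from inside hosts (the LAN DNS server included)
! enters and leaves the same inside interface. Without this line the
! ASA drops such flows, which matches the
! "Deny inbound UDP ... to .../53" message in the thread.
same-security-traffic permit intra-interface
!
! Verification from enable mode:
!   show run same-security-traffic
!   show route           (confirm which default route is active)
!   packet-tracer input inside udp 192.168.1.10 1025 198.51.100.53 53
```

The `packet-tracer` line simulates the LAN DNS server's query during failover; run it before and after adding the permit to confirm the drop reason changes.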

Just after I sent you the update, I was thinking about this too.

So we checked the config, it's not in there. This could be the thing we are looking for because this is the only traffic getting in and out the same interface at once.

We are going to check and test this a.s.a.p...

Gr8. Let us know if this helps.

~Chirag

Hi,

It solved the problem, working fine now. Thanks again!

Glad to know that.. Cheers!!
