03-15-2011 02:26 AM - edited 03-11-2019 01:06 PM
Hello all,
Something that puzzles us.
Normal situation:
LAN > Router > Firewall > Internet.
The firewall has a default route straight to the provider router, all is well.
Failover situation:
The firewall detects that the primary provider network is down using IP SLA tracking which is configured on the primary default route on the ASA.
The tracking mechanism removes the primary default route, after which the secondary default route surfaces using the higher AD.
The secondary default route points back towards the mentioned router, which has a connection to a different branch office. The goal is to use their internet connection as a fallback option.
LAN > Router > Firewall > Router > WAN > Branch Office router > Branch Office Firewall > Internet
The idea basically works. We've put the correct routing in place, and when using IP addresses for websites instead of URLs it all works nicely.
The problem we have however is with DNS.
During the failover situation the DNS server, which is situated on the LAN of the primary site, sends its request for name resolving to the internet. It's first routed to the router, then to the firewall, then back to the router and from there to the other location for internet access, same as the HTTP traffic. The reason for this is that we have some important equipment on the firewall DMZ interfaces, so we still like to use this primary firewall, although its own internet connection is down. We simply route internet to the other office, as explained above.
We get the error message:
Deny inbound UDP from x.x.x.x/highport to x.x.x.x/53 due to DNS Query
We've tried to disable DNS inspection and DNS guard, but no joy.
When the primary default route is restored, it all turns back to normal without changing anything.
Idea anyone?
03-15-2011 06:49 AM
Hi,
To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit the same interface, use the same-security-traffic intra-interface command in global configuration mode.
Can you please check whether this command is there? I feel this might be missing, as HTTP traffic is passing fine from DMZ to Inside but Inside to Inside traffic is not passing.
Hope this helps.
Regards,
Chirag
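An added configuration example (not from the thread or from Cisco's documentation) that puts the pieces of this thread together on one ASA: the IP SLA tracked primary default route, the backup default route with a higher AD pointing back out the inside interface, and the same-security-traffic permit intra-interface command Chirag recommends. Interface names, addresses and the SLA/track numbers are assumed.

```cisco
! Monitor the primary ISP gateway with ICMP echo via the outside interface
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Tie a track object to the SLA probe's reachability
track 1 rtr 1 reachability
!
! Primary default route (AD 1) is withdrawn when track 1 goes down
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! Backup default route (AD 254) points back to the LAN router on the
! inside interface, which forwards to the branch office WAN link
route inside 0.0.0.0 0.0.0.0 192.168.1.1 254
!
! Without this line, a DNS query arriving on inside and being routed
! back out inside (same-interface hairpin) is dropped as in the thread;
! with it, inside-to-inside forwarding is permitted
same-security-traffic permit intra-interface
```

Verify the failover state with "show route" (only one default route should be present at a time) and the hairpin permit with "show running-config same-security-traffic".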
03-15-2011 05:44 AM
Hello,
As you mention in the post:
During the failover situation the DNS server, which is situated on the LAN of the primary site, sends its request for name resolving to the internet. It's first routed to the router, then to the firewall, then back to the router and ......
I believe the DNS query gets dropped because of asymmetric routing. Can you please verify whether the return path is the same as the original path and includes the firewall?
Hope this helps. Please reply back if you need any further assistance.
Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.
03-15-2011 06:23 AM
Hi, thanks for answering.
We have thought about this too.
But it seems the initial packet is dropped, not the returning traffic. And I would expect a different message, like 'no connection'.
We don't see any of the initial DNS packets getting through to the branch office firewall. We do however see the HTTP packets, which are following the same route path. Except, these are originated on a DMZ interface, from an ISA server.
It sort of looks like the firewall doesn't like the same flow getting into the inside interface, and routed back immediately out the same interface again following the default route to the branch office.
The same firewall doesn't have a problem at all when the Outside interface is up and running and forwarding packets to the Internet.
03-15-2011 06:59 AM
Just after I sent you the update, I was thinking about this too.
So we checked the config, and it's not in there. This could be the thing we are looking for, because this is the only traffic getting in and out of the same interface at once.
We are going to check and test this a.s.a.p...
03-15-2011 07:01 AM
Gr8. Let us know if this helps.
~Chirag
03-30-2011 10:50 AM
Hi,
It solved the problem, working fine now. Thanks again!
03-30-2011 07:47 PM
Glad to know that.. Cheers!!