11-02-2010 10:44 AM - edited 03-11-2019 12:03 PM
Hi guys, I would really appreciate it if somebody could help me.
I have an ASA 5520 Version 8.0(4) in my network with default inspection. Suddenly many users were having RPC errors when they arrived at work and turned on their computers.
The users told us that they had changed their DNS configs, so we called the system guy at that site, and he told us that they had updated their Active Directory servers to Windows 2008 R2. So we troubleshot a little and found that when we remove dns_preset_dns_map, the error disappears. Could
somebody have any idea about this???
class-map IPS
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
class IPS
ips inline fail-open
!
service-policy global_policy global
This is really a big problem because we have about 70 ASAs with the same default inspection and there's no problem on them.
If somebody could help, I would appreciate it.
11-02-2010 12:09 PM
Hello!!!!!!!
I think I know the issue. Can you ask your server administrator if they are using secure DNS? This will make the packet larger than the one configured by default.
You can increase the packet length:
ciscoasa(config)# policy-map type inspect dns preset_dns_map
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# message-length maximum
In version 8.2 or later you can set it to auto, but for this version you will have to set it manually.
Hope it helps.
Mike
11-02-2010 12:29 PM
Thanks for the reply. I will ask for this information, but I really don't have any idea why this problem appears on just one ASA while the rest of them seem to be OK. Anyway, I don't want to dismiss anything about this update you are advising me of.
I think this is the update you have in mind.
For enterprises operating Microsoft Server infrastructure, there are specific things needed in place before May 5th.
Windows Server 2008 and Windows Server 2008 R2 will support the new DNSSEC implementation, but only if it is implemented. It is an optional choice during installation (see Microsoft’s “DNSSEC Deployment Guide,” published in October 2009).
There is only limited support for DNSSEC in Windows Server 2003 DNS. Under the new DNSSEC, Windows 2003 can act as a secondary DNS server for an existing DNSSEC compliant zone. Windows Server 2003 will cache the new, larger records but not perform cryptography, authentication, or verification. Only Windows Server 2008 implementations with DNSSEC implemented will provide full DNSSEC support. For more information refer to the following Microsoft items:
There are other possible breakpoints for the DNSSEC response – namely firewalls. Older firewalls, and some newer ones, will drop UDP port 53 (DNS response) traffic larger than 512b by default. For example, Cisco PIX / ASA will not support DNSSEC through DNS inspection on versions before 8.2.2. Therefore, IT leaders will have to disable DNS inspection (not recommended) or if possible, migrate to ASA 8.2.2 or higher. SOHO routers may also be problematic if they proxy DNS.
Thanks
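The article quoted above says the breakpoint is UDP DNS replies larger than 512 bytes, which is exactly the `message-length maximum 512` that preset_dns_map enforces. The script below is an added example, not part of this thread and not Cisco or Microsoft code, for checking that from an inside client: it builds a plain query and an EDNS0 query (UDP payload size 4096, DO bit set, as an EDNS0-capable resolver sends), parses whatever comes back, and reports whether the reply size would be caught by a 512-byte limit. The `build_sample_response()` helper produces constructed reply bytes so the parser can be exercised offline; `probe()` sends a real query to a server and name you supply (those are your own values, nothing from the thread). Standard library only, Python 3.

```python
import random
import socket
import struct

TYPE_A = 1
TYPE_OPT = 41
EDNS_DO = 0x8000          # DNSSEC OK bit, top bit of the OPT RR TTL field (RFC 4035)
ASA_DEFAULT_LIMIT = 512   # preset_dns_map: message-length maximum 512

def encode_name(name):
    """Wire-format a domain name: "example.com" -> 07 'example' 03 'com' 00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"

def build_query(name, qtype=TYPE_A, edns_bufsize=None, do_bit=False, txid=None):
    """Recursive UDP query. With edns_bufsize set, an EDNS0 OPT RR is appended that
    advertises the buffer size (and the DO bit if asked), which is what an
    EDNS0-capable resolver sends and what lets replies grow past 512 bytes."""
    if txid is None:
        txid = random.randrange(0x10000)
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # IN class
    pkt = header + question
    if edns_bufsize:
        ttl = EDNS_DO if do_bit else 0
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, ttl, 0)
    return pkt

def skip_name(data, off):
    """Offset just past a (possibly compressed) owner name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(data):
    """Pull out the fields that matter when a 512-byte inspection limit is in play."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4
    info = {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "answers": an, "length": len(data), "edns_bufsize": None, "do": False}
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == TYPE_OPT:           # server echoed EDNS0: CLASS carries its UDP size
            info["edns_bufsize"] = rclass
            info["do"] = bool(ttl & EDNS_DO)
        off += 10 + rdlen
    return info

def would_be_dropped(info, limit=ASA_DEFAULT_LIMIT):
    """True if DNS inspection with `message-length maximum <limit>` would drop this reply."""
    return info["length"] > limit

def build_sample_response(query, n_answers, edns_bufsize=4096):
    """Constructed reply for offline testing, not real DNS data: echoes the question and
    returns n_answers A records (owner name compressed to the question at offset 12)
    plus an OPT RR. 16 bytes per record, so 40 records is enough to pass 512 bytes."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, n_answers, 0, 1)   # QR, RD, RA
    rr = struct.pack("!HHHIH4B", 0xC00C, TYPE_A, 1, 300, 4, 10, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, EDNS_DO, 0)
    return header + question + rr * n_answers + opt

def probe(server, name, edns_bufsize=4096, do_bit=True, timeout=3.0):
    """Send one live query through the firewall; None means no reply (dropped or lost)."""
    query = build_query(name, edns_bufsize=edns_bufsize, do_bit=do_bit)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data)

if __name__ == "__main__":
    import sys   # usage: python3 dns_probe.py <dns-server-ip> <name>  (your own values)
    for bufsize in (None, 4096):
        result = probe(sys.argv[1], sys.argv[2], edns_bufsize=bufsize)
        label = "plain" if bufsize is None else "EDNS0 %d+DO" % bufsize
        print(label, "no reply (timeout)" if result is None else
              "%d bytes TC=%s answers=%d drop@512=%s" % (result["length"], result["tc"],
                                                         result["answers"], would_be_dropped(result)))
```

Run it from a client behind the ASA against the domain controller, once for a name whose reply is small and once for one that returns signed records. If the plain query answers but the EDNS0 query times out (or the same query answers as soon as `inspect dns preset_dns_map` is removed), the 512-byte limit is the cause. The fix on the ASA side is then to raise `message-length maximum` in preset_dns_map to a value at least as large as the EDNS0 buffer size the servers advertise (4096 is the common one), or, on 8.2(2) and later as Mike notes above, to let the ASA take the size from the EDNS0 record with the `client auto` form of that command.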
11-02-2010 04:18 PM
You got it!!!
Clients on inside networks behind an ASA version lower than 8.2.2 will have problems. ASA version 8.2.2 or higher has the DNS map set to auto.
Hope this helps and let me know the results.
Thanks!
Mike
11-10-2010 09:16 AM
Hi, sorry for not answering this discussion earlier. We had upgraded our ASA to version 8.2(3), but the problem with the computers still persists. We opened a TAC case and they are helping us.
I'll update this discussion if we have any updates from Cisco.
11-10-2010 10:22 AM
Hello Luis,
Can I have the service request number? I'll take a look at it with the engineer.
Cheers.
Mike
11-10-2010 10:40 AM
The service request number is 615913549; we are seeing this issue with 'Abraham Hernandez (abhernan)'. He is helping us with this project.
Thanks.
12-01-2010 09:39 AM
Sorry for not replying earlier. Cisco TAC sent us some commands to do some tests with our computers:
enable
config terminal
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
no dns-guard
no id-mismatch
no id-randomization
no protocol-enforcement
end
So I will reply with the results.
Thanks