09-10-2007 08:18 AM - edited 03-11-2019 04:08 AM
I keep seeing the following error messages on FWSM.
106007: Deny inbound UDP from rs-dc2/53 to fs-secweb001/1026 due to DNS Response
Both servers are on separate interfaces. rs-dc2 is a windows 2003 server and fs-secweb001 is a web server that is on a vlan with a security level less than the inside but greater than the outside interfaces.
There is no access list stopping traffic and the security should allow the communication (i.e. high to low).
Any ideas?
09-10-2007 10:08 PM
Syslog messages are all detailed in the documentation here (look for message 106007):
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/system/message/fwsm_log.html
Your particular message is due to the DNS inspection within the FWSM. Basically rs-dc2 is a DNS server and your web server is sending DNS requests to it (and to another external server). The FWSM monitors these requests and only allows one DNS response per request. Another DNS server has already answered this request from the web server, and so the slower response from rs-dc2 is being dropped.
Nothing to worry about, but if you don't want it to happen you can turn off the DNS inspection and it'll go away.
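As an added example (not part of the thread), a short Python script that parses 106007 lines of the form quoted above and counts the dropped DNS responses per DNS server and client, which lets you confirm from the syslog whether one resolver is consistently the one answering second. The syslog lines it runs over are constructed for the example.

```python
import re
from collections import Counter

# Regex for the 106007 message body quoted in the thread; either side of the
# slash may be a host name or an IP address depending on "names" configuration.
MSG_106007 = re.compile(
    r"106007: Deny inbound UDP from (?P<src>[\w.\-]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\w.\-]+)/(?P<dport>\d+) due to DNS Response"
)

# Constructed sample syslog lines (not taken from the original thread).
SAMPLE_LOG = """\
Sep 10 08:11:02 fwsm %FWSM-2-106007: Deny inbound UDP from rs-dc2/53 to fs-secweb001/1026 due to DNS Response
Sep 10 08:11:05 fwsm %FWSM-2-106007: Deny inbound UDP from rs-dc2/53 to fs-secweb001/1031 due to DNS Response
Sep 10 08:11:09 fwsm %FWSM-2-106007: Deny inbound UDP from 192.0.2.53/53 to fs-secweb001/1040 due to DNS Response
Sep 10 08:11:12 fwsm %FWSM-6-302015: Built outbound UDP connection 4711 for outside:192.0.2.53/53 (192.0.2.53/53) to dmz:fs-secweb001/1044 (10.0.0.4/1044)
"""

def parse_106007(line):
    """Return (src, sport, dst, dport) for a 106007 line, or None for any other line."""
    m = MSG_106007.search(line)
    if not m:
        return None
    return m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("dport"))

def dropped_responses_by_server(log_text):
    """Count 106007 drops per (DNS server, client) pair.

    A pair that dominates the count points at the resolver that keeps losing
    the race; a response from a source port other than 53 (DNS served on a
    non-standard port) is counted under its own key so it stands out.
    """
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_106007(line)
        if parsed is None:
            continue
        src, sport, dst, _dport = parsed
        key = (src, dst) if sport == 53 else ("non-standard-port:" + src, dst)
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for (server, client), n in dropped_responses_by_server(SAMPLE_LOG).most_common():
        print(f"{n} late DNS response(s) from {server} to {client} dropped")
```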
09-10-2007 11:58 PM
I tried to turn off DNS inspection; it is configured using a policy map on the FWSM. Below is what is configured for the policy map:
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
Would either of the following commands help?
dns retries
To specify the number of times to retry the list of DNS servers when the FWSM does not receive a response, use the dns retries command in global configuration mode. To restore the default setting, use the no form of this command.
dns retries number
no dns retries [number]
dns timeout
To specify the amount of time to wait before trying the next DNS server, use the dns timeout command in global configuration mode. To restore the default timeout, use the no form of this command.
dns timeout seconds
no dns timeout [seconds]
Many thanks for the help