06-11-2018 06:41 AM - edited 03-05-2019 10:34 AM
Hello!
I use a zone-based firewall. I have an issue with some DNS response packets on my 1921 router. Some of them are DROPPED:
%FW-6-DROP_PKT: Dropping udp session 8.8.4.4:53 192.168.230.10:19598 on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 58502
(There are hundreds of lines with similar data, but I do not observe big issues on my internal host.)
I have an FW rule that allows DNS queries from my internal host (192.168.230.10) to the internet. The dropped packets look like responses for my host, but for some reason they do not pass my rule and are dropped (probably by the last rule, which simply drops unmatched traffic).
I have read some discussions that today DNS packets are sometimes bigger than 512 B (DNSSEC). Maybe my router only allows short responses (512) and drops bigger ones?
How can I check what my current DNS packet size limit is, and how can I set it to a bigger limit?
[hardware: 1921 ISR router, software ver c1900-universalk9-mz.SPA.155-3.M2]
Thanks a lot!
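As an added example (not from the original thread), a small Python triage script for the %FW-6-DROP_PKT lines quoted above: it parses each message, groups the drops by zone-pair and class, and flags UDP packets coming from port 53 to an ephemeral port on an inside host as probable DNS answers, so that hundreds of lines can be reduced to a count per policy and per resolver. The sample log lines, the inside prefix 192.168.230.0/24 and the "probable DNS reply" heuristic are assumptions made for illustration; the script only characterises the symptom and does not determine why the firewall dropped the packets.

```python
"""Triage %FW-6-DROP_PKT syslog lines from a Cisco IOS zone-based firewall.

Added example: groups drops by zone-pair/class and flags the ones that look
like DNS answers (UDP, source port 53) returning to an inside host.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Message format as quoted in the thread; "ip ident" is the IP header ID field.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+) "
    r"due to DROP action found in policy-map(?: with ip ident (?P<ident>\d+))?"
)


@dataclass(frozen=True)
class DropEvent:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    zone_pair: str
    class_name: str
    ip_ident: Optional[int]


def parse_drop(line: str) -> Optional[DropEvent]:
    """Return a DropEvent for a %FW-6-DROP_PKT line, or None for any other line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    return DropEvent(
        proto=m["proto"].lower(),
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        zone_pair=m["zp"], class_name=m["cls"],
        ip_ident=int(m["ident"]) if m["ident"] else None,
    )


def is_probable_dns_reply(ev: DropEvent, inside_net: ipaddress.IPv4Network) -> bool:
    """Heuristic (assumption): UDP from port 53 to an ephemeral port on an inside host.

    An answer to a query that the in-to-out inspect policy tracked should be let
    back in by that session; seeing such packets hit class-default on the
    out-to-in zone-pair is the symptom worth investigating further.
    """
    return (
        ev.proto == "udp"
        and ev.sport == 53
        and ev.dport >= 1024
        and ipaddress.ip_address(ev.dst) in inside_net
    )


def summarize(lines: Iterable[str], inside_net: str = "192.168.230.0/24") -> dict:
    """Count drops per (zone-pair, class) and probable DNS replies per resolver."""
    net = ipaddress.ip_network(inside_net)
    by_policy: Counter = Counter()
    by_resolver: Counter = Counter()
    parsed = dns_replies = 0
    for line in lines:
        ev = parse_drop(line)
        if ev is None:
            continue  # not a firewall drop message
        parsed += 1
        by_policy[(ev.zone_pair, ev.class_name)] += 1
        if is_probable_dns_reply(ev, net):
            dns_replies += 1
            by_resolver[ev.src] += 1
    return {
        "parsed": parsed,
        "by_policy": dict(by_policy),
        "dns_replies": dns_replies,
        "by_resolver": dict(by_resolver),
    }


# Constructed sample: the line from the thread plus invented neighbouring lines.
SAMPLE_LOG = [
    "Jun 11 06:30:01.123: %FW-6-DROP_PKT: Dropping udp session 8.8.4.4:53 192.168.230.10:19598 on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 58502",
    "Jun 11 06:30:02.456: %FW-6-DROP_PKT: Dropping udp session 8.8.8.8:53 192.168.230.10:40211 on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 58503",
    "Jun 11 06:30:03.789: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.7:44321 192.168.230.10:22 on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 1",
    "Jun 11 06:30:04.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feed it the output of "show logging" (or the syslog collector's export) instead of SAMPLE_LOG; a high ratio of flagged DNS replies to total drops on the out-to-in zone-pair, all for one inside host, supports the poster's reading that these are answers to his own queries rather than unsolicited traffic.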
06-11-2018 12:39 PM
Hello,
post the config of your router...
06-12-2018 06:53 AM
06-11-2018 03:31 PM - edited 06-11-2018 03:33 PM
Hello
%FW-6-DROP_PKT: Dropping udp session 8.8.4.4:53 192.168.230.10:19598 on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 58502
Looks like this traffic isn't being matched on any zone-pair you have configured, hence it hits the default class and gets dropped.
Make sure you're allowing the zone policy between the zone pairs ingress as well as egress.
example:
Zonelan-Zonewan
Zonewan-Zonelan
res
Paul
06-12-2018 06:21 AM
Hello! Thanks for reply.
I have these zone-pairs:
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
and I have the rule below in ccp-inspect (in-zone to out-zone):
class-map type inspect match-any as01
 match protocol smtp
 match protocol dns
 match protocol https
 match protocol http
ip access-list extended as1
 remark CCP_ACL Category=128
 permit ip host 192.168.230.10 any
class-map type inspect match-all ccp-cls-ccp-inspect-6
 match class-map as01
 match access-group name as1
Can I make another rule to allow/pass returning DNS packets from outside to inside?
All my rules are always defined in one direction only. For example, if the initiating traffic/packet goes from the LAN, I put a rule in the in-to-out zone pair. Should I have rules created for the returning traffic?
Thanks Piotr