
1921 ISR router - how to check default DNS message size


I use a zone-based firewall. I have an issue with some DNS response packets on my 1921 router. Some of them are DROPPED:

%FW-6-DROP_PKT: Dropping udp session on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 58502

(There are hundreds of lines with similar data, but I do not observe big issues on my internal host.)

I have a FW rule that allows DNS queries from my internal host ( to the internet. Dropped packets look like responses for my host, but for some reason they do not pass my rule and are dropped (probably by the last rule that simply drops unmatched traffic).

I have read in some discussions that today DNS packets are sometimes bigger than 512 B (DNSSEC). Maybe my router only allows short responses (512) and drops bigger ones?

How do I check what my current DNS packet size limit is, and how do I set it to a bigger limit?


[hardware: 1921 ISR router, software ver c1900-universalk9-mz.SPA.155-3.M2]

Thanks a lot!
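One way to check whether the DNS responses in question actually exceed the classic 512-byte UDP limit, and what EDNS0 buffer size the sender advertises, is to inspect a captured response directly. The parser below is an added example, not code from this thread or from Cisco. It builds a constructed response for example.com carrying an OPT record (the 4096-byte EDNS0 payload size, the DO bit and the 192.0.2.1 answer are assumed sample values) and reports the message length, the TC flag and the advertised EDNS0 size; the same `dns_size_report` function can be run over the raw bytes of a real response taken from a packet capture.

```python
import struct

OPT_TYPE = 41            # EDNS0 OPT pseudo-RR (RFC 6891)
TC_FLAG = 0x0200         # "truncated" bit in the DNS header flags
DO_FLAG = 0x8000         # DNSSEC OK bit in the OPT record's TTL field
CLASSIC_UDP_LIMIT = 512  # pre-EDNS0 maximum UDP DNS message size (RFC 1035)


def _encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, terminated by 0x00."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past the name starting at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2          # a 2-byte compression pointer terminates the name
        off += 1 + length


def dns_size_report(msg):
    """Report length, TC flag and EDNS0 buffer size of a wire-format DNS message."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    _ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    report = {"length": len(msg), "truncated": bool(flags & TC_FLAG),
              "edns_udp_size": None, "dnssec_ok": False}
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            # In an OPT record the CLASS field carries the sender's UDP payload size
            # and the TTL field carries extended RCODE / version / flags (DO bit).
            report["edns_udp_size"] = rclass
            report["dnssec_ok"] = bool(ttl & DO_FLAG)
    report["exceeds_classic_512"] = len(msg) > CLASSIC_UDP_LIMIT
    return report


def build_sample_response(udp_size=4096, answer_count=1):
    """Constructed sample response for example.com: header, question, A answers, OPT record."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, answer_count, 0, 1)  # QR, RD, RA set
    question = _encode_name("example.com") + struct.pack("!HH", 1, 1)   # type A, class IN
    # The answer's owner name is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, DO_FLAG, 0)
    return header + question + answer * answer_count + opt


if __name__ == "__main__":
    # answer_count=30 pushes the constructed message past 512 bytes
    for n in (1, 30):
        print(dns_size_report(build_sample_response(answer_count=n)))
```

A response whose report shows `exceeds_classic_512` true, or whose `truncated` flag is set, is exactly the case where a device that only expects 512-byte UDP DNS becomes interesting; the `edns_udp_size` value is what the sender claims it can accept, not what the path actually delivers.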

Georg Pauwen
VIP Master



post the config of your router...

Which parts are you interested in? I will post my zone-pair definitions and the (probably) problematic rule in the next comment. I usually use the Cisco Configuration program (CCP) and I'm not fluent in console programming.
paul driver
VIP Mentor



%FW-6-DROP_PKT: Dropping udp session on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 58502


Looks like this traffic isn't being matched on any zone-pair you have configured, hence it is hitting the default class and getting dropped.

Make sure you're allowing the zone policy between the zone pairs, ingress as well as egress.

kind regards

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
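Because the original post mentions hundreds of similar %FW-6-DROP_PKT lines, a quick way to see which zone-pair, class and protocol account for the drops (and so which policy-map is doing the dropping) is to aggregate the log. The script below is an added example, not code from this thread; the log lines are constructed in IOS syslog style using the zone-pair and class names shown in the thread, with made-up sequence numbers, timestamps and ip ident values.

```python
import re
from collections import Counter

# Pattern for the %FW-6-DROP_PKT message format quoted in the thread. The
# "with ip ident <n>" tail is optional so lines without it still match.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session on zone-pair (?P<zone_pair>\S+) "
    r"class (?P<cls>\S+) due to (?P<action>\S+) action found in policy-map"
    r"(?: with ip ident (?P<ip_ident>\d+))?"
)

# Constructed sample log (sequence number, timestamp, message), not real router output.
# Zone-pair and class names come from the thread; counts and ip ident values are made up.
SAMPLE_LOG = """\
000101: *Mar  1 10:00:01.001: %FW-6-DROP_PKT: Dropping udp session on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 58502
000102: *Mar  1 10:00:01.120: %FW-6-DROP_PKT: Dropping udp session on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 58503
000103: *Mar  1 10:00:02.440: %FW-6-DROP_PKT: Dropping tcp session on zone-pair ccp-zp-out-self class class-default due to DROP action found in policy-map with ip ident 1201
000104: *Mar  1 10:00:02.900: %SYS-5-CONFIG_I: Configured from console by admin on vty0
000105: *Mar  1 10:00:03.015: %FW-6-DROP_PKT: Dropping udp session on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 58504
"""


def parse_drops(lines):
    """Yield one dict per %FW-6-DROP_PKT line; unrelated syslog lines are skipped."""
    for line in lines:
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            d["ip_ident"] = int(d["ip_ident"]) if d["ip_ident"] else None
            yield d


def summarize_drops(lines):
    """Count drops per (zone-pair, class, protocol) so the noisiest policy gap stands out."""
    counter = Counter()
    for d in parse_drops(lines):
        counter[(d["zone_pair"], d["cls"], d["proto"])] += 1
    return counter


def top_drop_sources(lines, n=3):
    """Return the n most frequent (zone-pair, class, protocol) keys with their counts."""
    return summarize_drops(lines).most_common(n)


if __name__ == "__main__":
    for (zone_pair, cls, proto), count in top_drop_sources(SAMPLE_LOG.splitlines()):
        print(f"{count:5d}  {proto:4s}  {zone_pair}  {cls}")
```

Feeding the router's real log (for example the output of `show logging`) into `top_drop_sources` gives the zone-pair and class to look at first; drops concentrated in `class-default` of one zone-pair point at traffic that no explicit class in that pair's policy-map matched.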

Hello! Thanks for the reply.

I have these zone-pairs:

zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit


and I have the below rule in ccp-inspect (in-zone to out-zone):

class-map type inspect match-any as01
 match protocol smtp
 match protocol dns
 match protocol https
 match protocol http

ip access-list extended as1
 remark CCP_ACL Category=128
 permit ip host any

class-map type inspect match-all ccp-cls-ccp-inspect-6
 match class-map as01
 match access-group name as1

Can I make another rule to allow/pass returning DNS packets from outside to inside?

All my rules are always defined in only one direction. For example, if the initialization traffic/packet goes from the LAN, I put a rule in the in-to-out zone pair. Should I have rules for returning traffic created?

Thanks, Piotr