Beginner

1921 ISR router - how to check default DNS message size

Hello!

I use a zone-based firewall. I have an issue with some DNS response packets on my 1921 router. Some of them are DROPPED:

%FW-6-DROP_PKT: Dropping udp session 8.8.4.4:53 192.168.230.10:19598 on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 58502

(There are hundreds of lines with similar data, but I do not observe big issues on my internal host.)

I have an FW rule that allows DNS queries from my internal host (192.168.230.10) to the internet. The dropped packets look like responses for my host, but for some reason they do not pass my rule and are dropped (probably by the last rule that simply drops unmatched traffic).

I have read some discussions that today DNS packets are sometimes bigger than 512 B (DNSSEC). Maybe my router only allows short responses (512) and drops bigger ones?

How can I check what my current DNS packet size limit is, and how do I set it to a bigger limit?

 

[hardware: 1921 ISR router, software ver c1900-universalk9-mz.SPA.155-3.M2]

Thanks a lot!
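Since the question mentions hundreds of similar drop lines, here is an added example (not from the original post, and not Cisco code) that parses %FW-6-DROP_PKT syslog lines into fields and aggregates them, so you can see whether the drops concentrate on UDP source port 53 toward the internal host on the out-to-in zone-pair, and whether the same flow is dropped more than once. The sample log lines are constructed for the example and modelled on the single line quoted above; the field names and the "ephemeral port means above 1023" rule are assumptions of the example, not something the router reports.

```python
"""Triage %FW-6-DROP_PKT syslog lines from a Cisco IOS zone-based firewall.

Added example, not from the original thread. It turns the drop messages into
structured records and aggregates them by zone-pair, class, protocol and
source port, then singles out the records that look like DNS answers and the
flows that were dropped repeatedly.
"""
import re
from collections import Counter

# Field layout of the message as quoted in the thread:
# Dropping <proto> session <src>:<sport> <dst>:<dport> on zone-pair <zp>
# class <class> due to <ACTION> action found in policy-map with ip ident <n>
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) "
    r"due to (?P<action>\w+) action found in policy-map "
    r"with ip ident (?P<ident>\d+)"
)

# Constructed sample lines (the first mirrors the one quoted in the question);
# the last line is an unrelated message to show it is skipped.
SAMPLE_LOG = """\
Jan 10 12:00:01.101: %FW-6-DROP_PKT: Dropping udp session 8.8.4.4:53 192.168.230.10:19598 on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 58502
Jan 10 12:00:01.350: %FW-6-DROP_PKT: Dropping udp session 8.8.4.4:53 192.168.230.10:19598 on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 58503
Jan 10 12:00:02.004: %FW-6-DROP_PKT: Dropping udp session 8.8.8.8:53 192.168.230.10:40211 on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 1020
Jan 10 12:00:05.777: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.7:44512 192.168.230.10:22 on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 7
Jan 10 12:00:06.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_drop(line):
    """Return a dict of fields for a DROP_PKT line, or None for anything else."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "ident"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse every DROP_PKT line in a syslog capture, skipping other messages."""
    return [r for r in (parse_drop(line) for line in text.splitlines()) if r]


def summarize(records):
    """Count drops per (zone-pair, class, protocol, source port).

    A pile-up on ('<zp>', 'class-default', 'udp', 53) means the dropped packets
    are answers coming back from DNS servers, not new inbound connections.
    """
    return Counter(
        (r["zone_pair"], r["cls"], r["proto"], r["sport"]) for r in records
    )


def dns_reply_drops(records):
    """Drops that look like DNS answers: UDP from port 53 to an ephemeral port.

    The >1023 threshold is an assumption of this example.
    """
    return [
        r for r in records
        if r["proto"] == "udp" and r["sport"] == 53 and r["dport"] > 1023
    ]


def repeated_flows(records):
    """Flows (src, sport, dst, dport) dropped more than once.

    The same 4-tuple dropped repeatedly points at several answers arriving for
    one query (for example retransmissions), not at many independent queries.
    """
    flows = Counter((r["src"], r["sport"], r["dst"], r["dport"]) for r in records)
    return {flow: n for flow, n in flows.items() if n > 1}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} drop records parsed")
    for key, n in summarize(recs).most_common():
        print(n, key)
    print("DNS-reply drops:", len(dns_reply_drops(recs)))
    print("Flows dropped more than once:", repeated_flows(recs))
```

Feed it the saved output of `show logging` (or your syslog collector's file) instead of SAMPLE_LOG. If the summary shows nearly all drops on the out-to-in zone-pair with protocol udp and source port 53 toward 192.168.230.10, the firewall is dropping DNS answers it did not associate with a session, which is the situation the quoted log line describes; the repeated-flow list then tells you whether one query is drawing several answers.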

VIP Mentor

Re: 1921 ISR router - how to check default DNS message size

Hello,

 

post the config of your router...

Beginner

Re: 1921 ISR router - how to check default DNS message size

Hello!
Which parts are you interested in? I will post my zone-pair definitions and the (probably) problematic rule in the next comment. I usually use the Cisco Configuration program (CCP) and I'm not fluent in console programming.
VIP Advisor

Re: 1921 ISR router - how to check default DNS message size

Hello

 

%FW-6-DROP_PKT: Dropping udp session 8.8.4.4:53 192.168.230.10:19598 on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 58502

 

It looks like this traffic isn't being matched on any zone-pair you have configured, hence it is hitting the default class and getting dropped.

 

Make sure you're allowing the zone policy between the zone pairs ingress as well as egress.

 

example:

Zonelan-Zonewan

Zonewan-Zonelan

 

res

Paul

Beginner

Re: 1921 ISR router - how to check default DNS message size

Hello! Thanks for reply.

I have these zone-pairs:

zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit

 

and I have the below rule in ccp-inspect (in-zone to out-zone):

class-map type inspect match-any as01
 match protocol smtp
 match protocol dns
 match protocol https
 match protocol http

ip access-list extended as1
 remark CCP_ACL Category=128
 permit ip host 192.168.230.10 any

class-map type inspect match-all ccp-cls-ccp-inspect-6
 match class-map as01
 match access-group name as1

Can I make another rule to allow/pass returning DNS packets from outside to inside?

All my rules are always defined in only one direction. For example, if the initiating traffic/packet goes from the LAN, I put a rule in the in-to-out zone pair. Should I have rules for returning traffic created?

Thanks, Piotr
