1921 ISR router - how to check default DNS message size

piotrbcisco
Level 1

Hello!

I use a zone-based firewall. I have an issue with some DNS response packets on my 1921 router. Some of them are DROPPED:

%FW-6-DROP_PKT: Dropping udp session 8.8.4.4:53 192.168.230.10:19598 on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 58502

(There are hundreds of lines with similar data, but I do not observe big issues on my internal host.)

I have a FW rule that allows DNS queries from my internal host (192.168.230.10) to the internet. The dropped packets look like responses for my host, but for some reason they do not pass my rule and are dropped (probably by the last rule that simply drops unmatched traffic).

I have read some discussions that today DNS packets are sometimes bigger than 512 B (DNSSEC). Maybe my router only allows short responses (512) and drops bigger ones?

How can I check what my current DNS packet size limit is, and how do I set it to a bigger limit?

 

[hardware: 1921 ISR router, software ver c1900-universalk9-mz.SPA.155-3.M2]

Thanks a lot!
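The question above turns on whether a DNS reply is larger than the classic 512-byte UDP limit of RFC 1035 and whether the client advertised a larger buffer with EDNS0 (RFC 6891). The following is an added example, not code from the original post or from Cisco: a small wire-format builder and parser that reports a reply's total length, its TC (truncated) flag and the EDNS0 UDP payload size carried in the CLASS field of the OPT pseudo-record. The response it inspects is constructed inline (the name example.test and the TXT payload are made up), so the check runs offline; the same inspect_response() works on a real reply captured with a packet sniffer.

```python
"""Measure a DNS reply on the wire: total size, TC flag and EDNS0 payload size.

Added example. build_response() constructs a sample reply (not captured from
the poster's network); inspect_response() is a generic parser that works on
any DNS message in wire format.
"""
import struct

TYPE_TXT = 16
TYPE_OPT = 41          # EDNS0 pseudo-record (RFC 6891)
FLAG_TC = 0x0200       # truncation bit in the header flags
CLASSIC_UDP_LIMIT = 512  # RFC 1035 UDP message limit without EDNS0


def build_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_response(qname: str, txt_payload: bytes, edns_size: int) -> bytes:
    """Constructed sample reply: header, one question, one TXT answer, one OPT RR."""
    # id, flags (QR=1, RD=1, RA=1, TC=0), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = build_name(qname) + struct.pack("!HH", TYPE_TXT, 1)  # TXT, IN
    # TXT RDATA is a sequence of <len><chars> strings of at most 255 bytes each
    rdata = b""
    for i in range(0, len(txt_payload), 255):
        chunk = txt_payload[i:i + 255]
        rdata += bytes([len(chunk)]) + chunk
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 300, len(rdata)) + rdata
    # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size, TTL = 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)
    return header + question + answer + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def inspect_response(msg: bytes) -> dict:
    """Report size, TC flag and EDNS0 UDP size of a DNS message."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            edns_size = rclass  # CLASS field of OPT carries the UDP payload size
        off += 10 + rdlen
    return {
        "length": len(msg),
        "truncated": bool(flags & FLAG_TC),
        "edns_udp_size": edns_size,
        "exceeds_512": len(msg) > CLASSIC_UDP_LIMIT,
    }


if __name__ == "__main__":
    big = build_response("example.test", b"A" * 600, 4096)
    print(inspect_response(big))
```

A reply with exceeds_512 set to True and truncated False only reaches the client over UDP because the resolver advertised an EDNS0 buffer; a middlebox that still applies the 512-byte limit would be the place to look for such drops.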

4 Replies

Hello,

 

post the config of your router...

Hello!
Which parts are you interested in? I will post my zone-pair definitions and the (probably) problematic rule in the next comment. I usually use the Cisco Configuration program (CCP) and I'm not fluent in console programming.

Hello

 

%FW-6-DROP_PKT: Dropping udp session 8.8.4.4:53 192.168.230.10:19598 on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 58502

 

Looks like this traffic isn't being matched on any zone-pair you have configured, hence it hits the default class and gets dropped.

 

Make sure you're allowing the zone policy between the zone pairs, ingress as well as egress.

 

example:

Zonelan-Zonewan

Zonewan-Zonelan

 

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello! Thanks for reply.

I have these zone-pairs:

zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit

 

and I have the below rule in ccp-inspect (in-zone to out-zone):

class-map type inspect match-any as01
 match protocol smtp
 match protocol dns
 match protocol https
 match protocol http

ip access-list extended as1
 remark CCP_ACL Category=128
 permit ip host 192.168.230.10 any

class-map type inspect match-all ccp-cls-ccp-inspect-6
 match class-map as01
 match access-group name as1

Can I make another rule to allow/pass returning DNS packets from outside to inside?

All my rules are always defined only in one direction. For example, if the initiating traffic/packet goes from the LAN, I put a rule in the in-to-out zone pair. Should I have rules for returning traffic created?

Thanks, Piotr
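To make the zone-pair discussion in Paul's reply and Piotr's "should I have rules for returning traffic?" question concrete, here is an added example (not from the thread and not Cisco code): a simplified Python model of how a zone-based firewall evaluates the zone pairs, class maps and ACL posted above. It models the inspect action as stateful, so a reply to an inspected query is passed from the session table before any zone-pair policy is consulted; a reply that arrives with no matching session is evaluated against the out-to-in policy instead. The contents of sdm-pol-VPNOutsideToInside-1 were not posted, so the model assumes it contains no class that matches a DNS reply, which is what the class-default drop in the log indicates; the session table, the expire_all() helper and the Packet fields are assumptions of the model, not IOS internals.

```python
"""Simplified model of zone-based firewall policy evaluation (added example).

Zones, zone pairs, class maps and ACL follow the posted config. The session
table and the empty out-to-in policy map are assumptions of the model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    app: str  # protocol as the firewall's application classifier sees it, e.g. "dns"

    def key(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_key(self):
        # the 4-tuple an answering packet to this one would carry
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port)


# ip access-list extended as1: permit ip host 192.168.230.10 any
def acl_as1(pkt: Packet) -> bool:
    return pkt.src_ip == "192.168.230.10"


# class-map type inspect match-any as01: any one protocol match is enough
def cls_as01(pkt: Packet) -> bool:
    return pkt.app in {"smtp", "dns", "https", "http"}


# class-map type inspect match-all ccp-cls-ccp-inspect-6: every criterion must match
def cls_ccp_inspect_6(pkt: Packet) -> bool:
    return cls_as01(pkt) and acl_as1(pkt)


# policy-map name -> ordered (class, action); class-default drops what is left.
# The out-to-in policy was not posted; assumed to match nothing relevant here.
POLICY_MAPS = {
    "ccp-inspect": [(cls_ccp_inspect_6, "inspect")],
    "sdm-pol-VPNOutsideToInside-1": [],
}

# (source zone, destination zone) -> (zone-pair name, policy-map name)
ZONE_PAIRS = {
    ("in-zone", "out-zone"): ("ccp-zp-in-out", "ccp-inspect"),
    ("out-zone", "in-zone"): ("sdm-zp-VPNOutsideToInside-1",
                              "sdm-pol-VPNOutsideToInside-1"),
}


class Firewall:
    def __init__(self):
        self.sessions = set()  # 4-tuples created by the inspect action

    def expire_all(self):
        """Model the idle timeout removing every session entry."""
        self.sessions.clear()

    def process(self, pkt: Packet) -> str:
        # return traffic of an inspected session is passed statefully,
        # before any zone-pair policy is looked at
        if pkt.reverse_key() in self.sessions:
            return "pass (session)"
        pair = ZONE_PAIRS.get((pkt.src_zone, pkt.dst_zone))
        if pair is None:
            return "drop (no zone-pair)"
        zp_name, pm_name = pair
        for cls, action in POLICY_MAPS[pm_name]:
            if cls(pkt):
                if action == "inspect":
                    self.sessions.add(pkt.key())
                return action
        return (f"drop: %FW-6-DROP_PKT on zone-pair {zp_name} "
                f"class class-default")


QUERY = Packet("in-zone", "out-zone", "192.168.230.10", "8.8.4.4", 19598, 53, "dns")
REPLY = Packet("out-zone", "in-zone", "8.8.4.4", "192.168.230.10", 53, 19598, "dns")


def run_scenario(expire_before_reply: bool) -> tuple:
    """Query then reply; optionally expire the session in between."""
    fw = Firewall()
    first = fw.process(QUERY)
    if expire_before_reply:
        fw.expire_all()
    return first, fw.process(REPLY)


if __name__ == "__main__":
    print(run_scenario(expire_before_reply=False))
    print(run_scenario(expire_before_reply=True))
```

Running it shows the two outcomes side by side: with the session present the reply is passed by state alone, with no out-to-in rule; once the session is gone the same reply lands on sdm-zp-VPNOutsideToInside-1, matches no class, and is dropped by class-default, which is the log line in the thread. A query from a host not covered by ACL as1 fails the match-all class and is dropped in the in-to-out direction instead.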
