Bug: DNS zone transfer => TCP RST

Greetings.

I ran into the following bug on Cisco 1941 IOS version 15.1(4)M, 15.1(3)T2, 15.2(1)T and, probably, most other versions from these branches. However, the bug doesn't appear on any of the 15.0M IOS versions.

A DNS server is located in one of the internal VLANs, two static PAT translations (TCP and UDP ports 53) are configured for it, an inbound ACL on the external interface permits these ports, no inspection of any sort done anywhere.

At first, I had an ISP that required an L2TP connection (via a virtual-ppp pseudowire in my case), and everything was fine. Recently, I switched to another provider with a vlan-per-user scheme, attached it directly to my gi0/0, and found out that my internal NS server failed the hoster's test. Further investigation showed it handed out SOA records, but not the zone itself. I turned off CEF and performed a "monitor capture" sniff on all the interfaces at once, matching the DNS traffic. A screenshot is attached: 88.198.39.133 is an online nslookup service, 79.XXX.XXX.XXX is my public IP address, 192.168.12.3 is the DNS server. My wonderful router drops the TCP session with TCP resets. Remember - no CBAC, no ZBPF etc. Change "boot system" to 15.0(1)M5, reload - everything works. Reload to any of the versions mentioned above - and DNS once again permanently stops any zone transfers.

My point is - I'm quite comfortable with the 15.0(1)M5, life's awesome, I don't want to change anything, but I would like to do my best to help fix this bug in the future. I would appreciate it if a Cisco employee contacted me directly so that I could send "show tech", the packet dump, help reproduce the problem, try some workarounds etc., without spoiling the diagnosis by wiping out all more or less private data from the configs before posting it in public.

If the bug is known - never mind, close the topic. But I didn't find anything similar in the bug toolkit.

If it's just my stupidity and I didn't notice a behavior change in the newer trains - sorry.
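The symptom described above (SOA answered, zone transfer failing) is what a broken TCP/53 path through the NAT looks like. The following script, an added example rather than anything from the post or from Cisco, isolates that path by sending the same SOA query over UDP and over TCP and reporting a TCP reset separately from a timeout; the server address and zone name at the bottom are placeholders you replace with your own.

```python
import socket
import struct

# Assumed placeholders: point these at your own authoritative server and zone.
SERVER = "192.0.2.53"
ZONE = "example.com"


def build_query(qname: str, qtype: int = 6, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query in wire format (QTYPE 6 = SOA, class IN)."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Return the header fields a path check cares about."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200), "answers": an}


def query_udp(server: str, qname: str, timeout: float = 3.0) -> str:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "udp: timeout"
    return "udp: ok, header=%r" % parse_header(data)


def query_tcp(server: str, qname: str, timeout: float = 3.0) -> str:
    # RFC 1035 section 4.2.2: DNS over TCP prefixes each message with a 2-byte length.
    q = build_query(qname)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            length = struct.unpack("!H", s.recv(2))[0]
            data = s.recv(length)
    except ConnectionResetError:
        return "tcp: RST received (session reset, as in the report above)"
    except (socket.timeout, OSError) as exc:
        return "tcp: failed (%s)" % exc
    return "tcp: ok, header=%r" % parse_header(data)


if __name__ == "__main__":
    print(query_udp(SERVER, ZONE))
    print(query_tcp(SERVER, ZONE))
```

A healthy path prints "ok" for both transports; UDP ok with TCP reset or timeout points at the device in between rather than at the name server.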

1 Reply

fabios
Level 1

Dmitrly,

the 1941 is quite new as a platform. Chances are that your router is still under manufacturer warranty.

The best way to have Cisco fix a bug is to open a case with TAC, which requires a support contract; or, if you are under warranty, you can call TAC, they will check your warranty status and let you open a case for a bug.

I believe even non-warranty, non-contract customers get a bugfix IOS update (but only for severity 1 and 2, if I remember correctly).

Cheers

Fabio
