eDNS & ASA issues
nel
Member Posts: 2,859 ■□□□□□□□□□
Hi,
I have a customer that is using an ASA 8.2 and has just upgraded their DNS server to Server 2008 R2. We have intermittent issues where DNS resolution fails as a result of the ASA not supporting eDNS. Reading up on eDNS, it would appear that packet sizes can reach 4096 bytes. However, the DNS inspection on the ASA appears to default to a maximum of 512 bytes due to the following test results:
"x.x.x.x DNS reply size limit is at least 490"
"x.x.x.x lacks EDNS, defaults to 512"
x.x.x.x is the IP of the ASA.
Now, first port of call was to increase the size of the accepted DNS packets in the policy map:
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 4096
I've also tried the fixup command:
fixup protocol dns maximum-length 4096
From the Google searches I've performed I've also tried the following command under the policy:
message-length maximum client auto
But still nothing. I've opened a case with Cisco TAC but am just wondering if any of you have run into this issue? I'm just wondering whether we need to upgrade the OS or something.
Cheers
Xbox Live: Bring It On
Bsc (hons) Network Computing - 1st Class
WIP: Msc advanced networking
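To make the size problem in the post concrete, here is an added example (not code from the poster or from Cisco) that builds DNS messages with and without an EDNS(0) OPT pseudo-record (RFC 6891), reads the UDP payload size a message advertises in that record, and models the ASA's message-length check as a plain length comparison against a configured maximum. The message bytes are constructed inline and the 512/4096 limits are the figures from the post; the names, the 40-record response and the "passes_inspection" model are assumptions for illustration, not the ASA's real inspection code.

```python
import struct

CLASSIC_UDP_LIMIT = 512   # RFC 1035 UDP maximum; also the inspection default quoted in the post
EDNS_UDP_SIZE = 4096      # payload size the post says an EDNS-capable server may advertise
OPT_TYPE = 41             # EDNS(0) OPT pseudo-RR type (RFC 6891)


def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def opt_record(udp_size):
    """OPT pseudo-RR: root name, TYPE=41, CLASS=requestor's UDP payload size, TTL=0, RDLEN=0."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)


def build_query(name, qtype=1, edns_udp_size=None, txid=0x1234):
    """Standard A query; appends an OPT RR in the additional section when edns_udp_size is given."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set, one question
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:
        msg += opt_record(edns_udp_size)
    return msg


def build_large_response(name, n_answers=40, edns_udp_size=EDNS_UDP_SIZE, txid=0x1234):
    """Constructed response (hypothetical data) large enough to exceed the classic 512-byte limit."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, n_answers, 0, 1)  # QR+RD+RA, NOERROR
    msg = header + encode_name(name) + struct.pack("!HH", 1, 1)
    for i in range(n_answers):
        # Owner name is a compression pointer (0xC00C) to the question name at offset 12.
        rdata = bytes([10, 0, i // 256, i % 256])  # 10.0.x.y, constructed addresses
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return msg + opt_record(edns_udp_size)


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def edns_udp_size(msg):
    """UDP payload size advertised by the message's OPT RR, or None if the message lacks EDNS."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # skip QNAME, QTYPE, QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            return rclass                  # CLASS carries the payload size in an OPT RR
        off += rdlen
    return None


def describe_reply_limit(msg):
    """Summarise a message the way the post's test output does."""
    size = edns_udp_size(msg)
    if size is None:
        return "lacks EDNS, defaults to 512"
    return "advertises EDNS UDP payload size %d" % size


def passes_inspection(msg, maximum_length=CLASSIC_UDP_LIMIT):
    """Assumed model of 'message-length maximum': anything longer than the limit is dropped."""
    return len(msg) <= maximum_length


if __name__ == "__main__":
    plain = build_query("example.com")
    edns = build_query("example.com", edns_udp_size=EDNS_UDP_SIZE)
    reply = build_large_response("example.com")
    print(describe_reply_limit(plain))
    print(describe_reply_limit(edns))
    print("reply is %d bytes; passes 512-byte inspection: %s; passes 4096-byte inspection: %s"
          % (len(reply), passes_inspection(reply), passes_inspection(reply, EDNS_UDP_SIZE)))
```

Run against the constructed 680-byte response, the 512-byte model drops it while the 4096-byte model lets it through, which is the behaviour the policy-map change in the post is meant to produce. Pointing the same parser at a real capture of the failing lookups would show whether the replies that disappear are in fact the ones carrying an OPT record and exceeding 512 bytes.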