eDNS & ASA issues
nel
Hi,
I have a customer that is using an ASA 8.2 and has just upgraded their DNS server to Server 2008 R2. We have intermittent issues where DNS resolution fails as a result of the ASA not supporting eDNS. Reading up on eDNS, it would appear that packet sizes can reach 4096 bytes. However, the DNS inspection on the ASA appears to default to a maximum of 512 bytes, based on the following test results:
"x.x.x.x DNS reply size limit is at least 490"
"x.x.x.x lacks EDNS, defaults to 512"
x.x.x.x is the IP of the ASA.
Now, first port of call was to increase the size of the accepted DNS packets in the policy map:
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 4096
I've also tried the fixup command:
fixup protocol dns maximum-length 4096
From the Google searches I've performed, I've also tried the following command under the policy:
message-length maximum client auto
But still nothing. I've opened a case with Cisco TAC, but I'm just wondering if any of you have run into this issue? I'm just wondering whether we need to upgrade the OS or something.
cheers
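The two test lines quoted in the post ("reply size limit is at least ...", "lacks EDNS, defaults to 512") come from a resolver-side probe that sends a query carrying an EDNS0 OPT record and inspects what comes back. The script below, added here as an illustration and not part of the original post or of any Cisco tool, reproduces that check in plain Python with the raw wire format from RFC 6891: it builds a query that advertises a 4096-byte UDP payload, parses a reply, and reports whether the OPT record survived the path and whether the reply was truncated. The server address, the query name, and the constructed sample replies are assumptions; the offline demo fabricates both a reply that carries OPT and one that does not, which is what a reply looks like when a middlebox strips or rejects EDNS and the resolver falls back to the 512-byte limit.

```python
import random
import socket
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR (RFC 6891)


def _encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS label format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return off + 2
        if length == 0:                # root label terminates the name
            return off + 1
        off += 1 + length


def build_edns_query(name: str, qtype: int = 1, udp_payload: int = 4096, txid=None) -> bytes:
    """Standard recursive query with one OPT RR advertising udp_payload bytes."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1 (the OPT)
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT: owner name root, TYPE=41, CLASS=advertised UDP size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return header + question + opt


def build_response(query: bytes, answers, edns_udp=None) -> bytes:
    """Constructed sample reply for offline testing: echoes the question, adds A records,
    and optionally an OPT RR (edns_udp=None models a reply with EDNS stripped)."""
    txid = query[:2]
    q_end = _skip_name(query, 12) + 4
    question = query[12:q_end]
    header = txid + struct.pack("!HHHHH", 0x8180, 1, len(answers), 0, 1 if edns_udp else 0)
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip) for ip in answers
    )
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp, 0, 0) if edns_udp else b""
    return header + question + rrs + opt


def parse_edns_info(msg: bytes) -> dict:
    """Summarise a DNS message: total size, TC bit, and the UDP size in its OPT RR (None if absent)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    edns_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            edns_size = rclass   # for OPT, the CLASS field carries the UDP payload size
    return {"size": len(msg), "truncated": bool(flags & 0x0200), "edns_udp_size": edns_size}


def assess(info: dict) -> str:
    """Turn the parsed summary into the kind of verdict the quoted test prints."""
    if info["edns_udp_size"] is None:
        return "lacks EDNS, defaults to 512"
    if info["truncated"]:
        return "reply truncated (TC=1), resolver must retry over TCP"
    return f"EDNS negotiated, peer advertises {info['edns_udp_size']} bytes"


def probe(server: str, name: str, udp_payload: int = 4096, timeout: float = 3.0) -> dict:
    """Send the EDNS query to a real server over UDP/53 (needs network; not used offline)."""
    q = build_edns_query(name, udp_payload=udp_payload)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(65535)
    info = parse_edns_info(data)
    info["txid_ok"] = data[:2] == q[:2]
    return info


if __name__ == "__main__":
    # Offline demo with constructed replies; 192.0.2.0/24 is documentation address space.
    q = build_edns_query("example.com", txid=0x1234)
    print(assess(parse_edns_info(build_response(q, ["192.0.2.1"], edns_udp=4096))))
    print(assess(parse_edns_info(build_response(q, ["192.0.2.1"]))))
    # Against a live resolver behind the firewall: print(assess(probe("x.x.x.x", "example.com")))
```

When run against a resolver behind a firewall whose DNS inspection caps messages at 512 bytes, the reply to the 4096-byte advertisement either arrives without the OPT record (the inspection engine or the server dropped EDNS) or does not arrive at all once the answer exceeds the cap, which is the intermittent failure described in the post; comparing the same probe from inside and outside the ASA isolates which hop is responsible.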