[c-nsp] FWSM asdm error 305006 ???

Jeff Fitzwater jfitz at Princeton.EDU
Thu Aug 7 16:45:04 EDT 2008


I am running FWSM with 4.0(2) code in transparent mode.

It also has DNS-GUARD disabled (a new feature in 4.0).

I constantly see entries in the ASDM log with the very ambiguous ERROR 305006, as shown in the log snippet below...



----------------


3|Aug 07 2008 07:53:01|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.11.140/49384 dst vgate1-paetec-outside:4.2.2.2/53
3|Aug 07 2008 07:53:10|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.11.140/63890 dst vgate1-paetec-outside:4.2.2.1/53
3|Aug 07 2008 07:57:03|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.236.96/53 dst vgate1-paetec-outside:123.204.68.27/10001
3|Aug 07 2008 08:04:29|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.236.96/53 dst vgate1-paetec-outside:210.64.246.78/10002
3|Aug 07 2008 08:08:24|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.236.96/53 dst vgate1-paetec-outside:211.74.194.205/10001
3|Aug 07 2008 08:08:34|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.13.215/2000 dst vgate1-paetec-outside:222.46.18.61/53
3|Aug 07 2008 08:10:15|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.236.96/53 dst vgate1-paetec-outside:210.64.174.123/10002
3|Aug 07 2008 08:18:59|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.15.215/2000 dst vgate1-paetec-outside:222.46.18.61/53


---------------

The IPs in the 128.112.x.x range are ours and on the INSIDE but none  
of them are in use and tcpdump on inside shows no packets from these  
addresses in case they were spoofed.

Doing a tcpdump on the OUTSIDE, by use of the taps we have to monitor traffic outside the router/FWSM, I can see packets to these hosts from the DSTs indicated above. These are probably crafted packets just trying to do some DNS damage.

I am not sure why the message indicates the SRC of a host that never  
sent a packet and is non-existent, not to mention the "regular  
translation creation failed" cryptic phrase.

I have looked at all the doc related to the FWSM error code 305006 but  
it does not appear to relate to this error.

This error only appears for packets that have src or dst port 53 DNS  
and the inside IP is unreachable.

Is this error just telling me that there is no corresponding flow for the initial flow and some timer has expired within the DNS-GUARD code of the FWSM?



I sure could use some help on this one.


Thanks in advance.


Jeff Fitzwater
OIT Network Systems
Princeton University
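The 305006 entries quoted in the post have a fixed field layout: severity, timestamp and message id separated by "|", then the protocol and "src interface:ip/port dst interface:ip/port". The following Python script is an added example, not code from the original post or from Cisco: it parses those eight entries (copied from the post as constructed sample input), checks the poster's observation that every entry involves port 53 on one side, groups them by inside address according to which side port 53 sits on, and lists inside addresses that are absent from an operator-supplied list of live hosts. The inside prefix 128.112.0.0/16, the empty live-host list, and all function names are assumptions made for the example.

```python
"""Parse FWSM/ASDM 305006 ("regular translation creation failed") entries and summarize them."""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample input: the eight 305006 entries quoted in the post, one per line.
SAMPLE_LOG = """\
3|Aug 07 2008 07:53:01|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.11.140/49384 dst vgate1-paetec-outside:4.2.2.2/53
3|Aug 07 2008 07:53:10|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.11.140/63890 dst vgate1-paetec-outside:4.2.2.1/53
3|Aug 07 2008 07:57:03|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.236.96/53 dst vgate1-paetec-outside:123.204.68.27/10001
3|Aug 07 2008 08:04:29|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.236.96/53 dst vgate1-paetec-outside:210.64.246.78/10002
3|Aug 07 2008 08:08:24|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.236.96/53 dst vgate1-paetec-outside:211.74.194.205/10001
3|Aug 07 2008 08:08:34|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.13.215/2000 dst vgate1-paetec-outside:222.46.18.61/53
3|Aug 07 2008 08:10:15|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.236.96/53 dst vgate1-paetec-outside:210.64.174.123/10002
3|Aug 07 2008 08:18:59|305006: regular translation creation failed for udp src vgate1-paetec-inside:128.112.15.215/2000 dst vgate1-paetec-outside:222.46.18.61/53
"""

# Assumption: the post says 128.112.x.x is the inside range; the exact prefix length is not given.
INSIDE_NET = ip_network("128.112.0.0/16")

# severity|timestamp|305006: ... for <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
LINE_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|305006: regular translation creation failed for "
    r"(?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)$"
)


@dataclass(frozen=True)
class XlateFail:
    ts: str
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int


def parse_305006(text):
    """Return one XlateFail per 305006 line; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        out.append(XlateFail(
            ts=m["ts"], proto=m["proto"],
            src_if=m["src_if"], src_ip=m["src_ip"], src_port=int(m["src_port"]),
            dst_if=m["dst_if"], dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]),
        ))
    return out


def classify(e, inside_net=INSIDE_NET):
    """Label an entry by where port 53 sits relative to the inside address.

    inside_client_to_outside_53: inside src, outside dst port 53 (shaped like a query)
    inside_src_port_53:          inside src port 53 to a high outside port (shaped like an answer)
    other_dns / non_dns:         port 53 elsewhere, or no port 53 at all
    """
    inside_src = ip_address(e.src_ip) in inside_net
    if inside_src and e.dst_port == 53:
        return "inside_client_to_outside_53"
    if inside_src and e.src_port == 53:
        return "inside_src_port_53"
    return "other_dns" if 53 in (e.src_port, e.dst_port) else "non_dns"


def all_dns(entries):
    """True when every entry has port 53 as src or dst port (the post's observation)."""
    return all(53 in (e.src_port, e.dst_port) for e in entries)


def summarize(entries, inside_net=INSIDE_NET):
    """Count entries per (inside IP named as src, classification)."""
    return Counter((e.src_ip, classify(e, inside_net)) for e in entries)


def unexpected_inside_hosts(entries, live_hosts, inside_net=INSIDE_NET):
    """Inside addresses that appear as src but are not in the operator's live-host list."""
    return {e.src_ip for e in entries
            if ip_address(e.src_ip) in inside_net and e.src_ip not in live_hosts}


if __name__ == "__main__":
    entries = parse_305006(SAMPLE_LOG)
    print(f"{len(entries)} entries; every one involves port 53: {all_dns(entries)}")
    for (host, kind), n in sorted(summarize(entries).items()):
        print(f"{host:16} {kind:28} {n}")
    # Assumption: none of the logged 128.112.x.x hosts is in use, so the live-host list is empty.
    print("inside src addresses not in live-host list:",
          sorted(unexpected_inside_hosts(entries, live_hosts=set())))
```

Feed it the raw ASDM export instead of SAMPLE_LOG to get the same per-host breakdown over a full day; the split between "inside src port 53" and "inside dst port 53" is what lets you compare against the tcpdump taken on each side of the FWSM.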