[c-nsp] ASA55xx | DNS Maximum message

Bill Blackford BBlackford at nwresd.k12.or.us
Wed Dec 8 13:55:59 EST 2010


We experienced an odd issue recently where queries to a .gov site were timing out. Upon further investigation, packet captures, etc., we noticed that the return packet was fragmented and 1514 bytes. I increased the default value in 

policy-map type inspect dns <pol_name>
  parameters 
    message-length maximum xxx

This seems to fix my issues with that particular .gov site.

My question is: has the recent signing of DNS zones on certain .gov name hosts affected the packet size, and will this be an ongoing issue for folks running ASA with the default inspect parameters?

Thank you,

-b


--
Bill Blackford                     
Senior Network Engineer            
Technology Systems Group           
Northwest Regional ESD             

Logged into reality and abusing my sudo privileges
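As an added example (not part of the original post or of any Cisco code), the script below constructs two DNS responses for the same query, one plain and one of the kind a DNSSEC-signed zone returns (RRSIG records on each RRset plus an EDNS0 OPT record advertising a 4096-byte UDP payload), and reports whether each would trip a given `message-length maximum`. The 512-byte figure is the ASA DNS-inspection default; the query name, addresses, name servers, key tag and the all-zero 256-byte "signature" are constructed placeholders, sized like an RSA/SHA-256 signature with a 2048-bit key. The same parser can be pointed at a UDP payload pulled from a packet capture to see how far a real answer is over the configured limit.

```python
"""Measure constructed DNS responses against an ASA-style DNS inspect maximum.

Added example; nothing here is the original post's or Cisco's code.
"""
import struct

TYPE_A, TYPE_NS, TYPE_OPT, TYPE_RRSIG = 1, 2, 41, 46
CLASS_IN = 1
ASA_DEFAULT_MAX = 512  # ASA default for `message-length maximum` (bytes)


def encode_name(name: str) -> bytes:
    """Wire-format a domain name; the empty/root name is a single zero byte."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    out = b""
    for label in name.split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def rr(name: str, rtype: int, rclass: int, ttl: int, rdata: bytes) -> bytes:
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def fake_rrsig(type_covered: int, signer: str, sig_len: int) -> bytes:
    """Constructed RRSIG RDATA: fixed header, signer name, placeholder signature.

    Algorithm 8 (RSA/SHA-256), labels=2, key tag 12345 are placeholders.
    """
    header = struct.pack("!HBBIIIH", type_covered, 8, 2, 300, 0, 0, 12345)
    return header + encode_name(signer) + b"\x00" * sig_len


def build_response(qname, addrs, ns_names=(), signed=False, sig_len=256, udp_size=4096):
    """Build a complete DNS response; `signed=True` adds RRSIGs and an OPT record."""
    answers = [rr(qname, TYPE_A, CLASS_IN, 300, bytes(int(o) for o in a.split("."))) for a in addrs]
    authority = [rr(qname, TYPE_NS, CLASS_IN, 300, encode_name(n)) for n in ns_names]
    additional = []
    if signed:
        answers.append(rr(qname, TYPE_RRSIG, CLASS_IN, 300, fake_rrsig(TYPE_A, qname, sig_len)))
        if authority:
            authority.append(rr(qname, TYPE_RRSIG, CLASS_IN, 300, fake_rrsig(TYPE_NS, qname, sig_len)))
        # EDNS0 OPT: CLASS carries the advertised UDP payload size, TTL carries the DO flag.
        additional.append(rr("", TYPE_OPT, udp_size, 0x8000, b""))
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return header + question + b"".join(answers + authority + additional)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def inspect(msg: bytes, maximum: int = ASA_DEFAULT_MAX) -> dict:
    """Walk a DNS message and compare its length to the inspect maximum."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    rrsigs, opt_udp_size = 0, None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            rrsigs += 1
        elif rtype == TYPE_OPT:
            opt_udp_size = rclass
    return {
        "length": len(msg),
        "rrsig_count": rrsigs,
        "edns_udp_size": opt_udp_size,
        "exceeds_maximum": len(msg) > maximum,
    }


if __name__ == "__main__":
    # Constructed sample: same query, plain vs. DNSSEC-style response.
    args = ("example.gov", ["192.0.2.10", "192.0.2.11"])
    kw = {"ns_names": ["ns1.example.gov", "ns2.example.gov"]}
    for label, msg in (("plain", build_response(*args, **kw)),
                       ("signed", build_response(*args, signed=True, **kw))):
        print(label, inspect(msg), "| at 1500:", inspect(msg, 1500)["exceeds_maximum"])
```

The plain answer comes to 163 bytes and the signed one to 794, so the signed response is dropped under the default maximum but passes once the limit is raised to 1500; the report also surfaces the EDNS advertised size, which is what lets a resolver ask for replies larger than 512 bytes in the first place.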



