[c-nsp] ASA55xx | DNS Maximum message
Ryan West
rwest at zyedge.com
Wed Dec 8 14:03:49 EST 2010
Bill,
Default used to be 512, with the eDNS changes, it should be set to 4096 to avoid issues.
-ryan
________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] on behalf of Bill Blackford [BBlackford at nwresd.k12.or.us]
Sent: Wednesday, December 08, 2010 1:55 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA55xx | DNS Maximum message
We experienced an odd issue recently where queries to a .gov site were timing out. Upon further investigation, packet captures, etc., we noticed that the return packet was fragmented and 1514 bytes. I increased the default value in
    policy-map type inspect dns <pol_name>
     parameters
      message-length maximum xxx
This seems to fix my issues with that particular .gov site.
My question is has the recent signing of dns zones on certain .gov name hosts affected the packet size and will this be an ongoing issue for folks running asa with the default inspect parameters?
Thank you,
-b
--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD
Logged into reality and abusing my sudo privileges
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
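A small path check for the situation Bill describes, added here as an example and not code from either poster or from Cisco: it builds a DNSSEC-aware query carrying an EDNS0 OPT record that advertises a 4096-byte UDP payload (the value Ryan recommends for the ASA), sends it to a resolver of your choice, and reports whether a large reply came back intact, came back truncated to the classic 512 bytes, or never arrived. The DNSKEY query type, the 4096 advertised size, and the constructed 512-byte reply used for the offline demo are assumptions for this example.

```python
import socket
import struct
from typing import Optional

def build_query(name: str, qtype: int = 48, edns_size: int = 4096, txid: int = 0x1234) -> bytes:
    """Build a DNS query (default: DNSKEY) carrying an EDNS0 OPT record with the DO bit set."""
    # Header: id, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR (RFC 6891): root name, TYPE=41, CLASS=advertised UDP payload size,
    # TTL field = ext-rcode/version/flags with DO (0x8000) set, RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0x00008000, 0)
    return header + question + opt

def parse_header(resp: bytes) -> dict:
    """Extract id, truncation (TC) flag, RCODE, answer count and total size from a response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"txid": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F, "answers": an, "size": len(resp)}

def classify(resp: Optional[bytes], limit: int = 512) -> str:
    """Say what a response (or a timeout) reveals about large-message handling on the path."""
    if resp is None:
        return "timeout: large response may be dropped in the path; check firewall DNS inspection limits"
    h = parse_header(resp)
    if h["tc"]:
        return f"truncated: {h['size']}-byte reply with TC set, client will retry over TCP"
    if h["size"] > limit:
        return f"ok: {h['size']}-byte response passed, above the classic {limit}-byte UDP limit"
    return f"ok: {h['size']}-byte response fits within {limit} bytes"

def probe(server: str, name: str, timeout: float = 3.0) -> str:
    """Send one EDNS0 query over UDP to `server` and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return classify(None)
    return classify(data)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: python dns_probe.py <resolver-ip> <signed-zone-name>
        print(probe(sys.argv[1], sys.argv[2]))
    else:  # offline demo on a constructed 512-byte reply with the TC bit set
        print(classify(b"\x12\x34\x83\x80\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x00" * 500))
```

Run it once from a host behind the firewall and once from outside it: a timeout or a truncated reply only on the inside points at the inspection limit rather than at the authoritative server.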