[c-nsp] ASA55xx | DNS Maximum message

David White, Jr. (dwhitejr) dwhitejr at cisco.com
Wed Dec 8 14:38:23 EST 2010


Hi Bill,

The change (tracked by CSCta35563) re-ordered the "message-length
maximum client auto" command and also enabled it by default in the
preset and migrated dns_map. 
This change went into versions 8.3(1), 8.2(2), 8.1(2.37), 8.0(5.2) and 7.2(5).

Sincerely,

David.


Bill Blackford wrote:
> One more point:
>
> One set of ASAs places the maximum xxxx *before* client auto. This set is exhibiting the odd behavior.
> The other set of ASAs places it *after*. This set is running a newer code rev., and the odd behavior is not reproducible.
>
> Someone offered the 'client auto' offlist as a fix as well.
>
> -b
>
>
> -----Original Message-----
> From: Ryan West [mailto:rwest at zyedge.com] 
> Sent: Wednesday, December 08, 2010 11:04 AM
> To: Bill Blackford; cisco-nsp at puck.nether.net
> Subject: RE: ASA55xx | DNS Maximum message
>
> Bill,
>
> Default used to be 512; with the eDNS changes, it should be set to 4096 to avoid issues.
>
> -ryan
>
> ________________________________________
> From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] on behalf of Bill Blackford [BBlackford at nwresd.k12.or.us]
> Sent: Wednesday, December 08, 2010 1:55 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA55xx | DNS Maximum message
>
> We experienced an odd issue recently where queries to a .gov site were timing out. Upon further investigation, packet captures, etc., we noticed that the return packet was fragmented and 1514 bytes. I increased the default value in
>
> policy-map type inspect dns <pol_name>
>   parameters
>     message-length maximum xxx
>
> This seemed to fix my issues with that particular .gov site.
>
> My question is: has the recent signing of DNS zones on certain .gov name hosts affected the packet size, and will this be an ongoing issue for folks running ASA with the default inspect parameters?
>
> Thank you,
>
> -b
>
>
> --
> Bill Blackford
> Senior Network Engineer
> Technology Systems Group
> Northwest Regional ESD
>
> Logged into reality and abusing my sudo privileges
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
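As an added illustration (not part of the thread, and not Cisco's code): a small Python model of why a fixed `message-length maximum 512` drops a large DNSSEC-style reply while `message-length maximum client auto` lets it through. The `client auto` behaviour is simplified here to "cap the reply at the UDP payload size the client advertised in its EDNS0 OPT record"; the query for `example.gov` is constructed, not captured.

```python
import struct

def build_query(qname, udp_size=None, qtype=1):
    """Build a minimal DNS query (constructed sample input, not a capture).
    If udp_size is given, append an EDNS0 OPT record advertising that UDP payload size."""
    arcount = 1 if udp_size else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    opt = b""
    if udp_size:
        # OPT RR (RFC 6891): root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def edns_udp_size(query):
    """UDP payload size advertised in the query's OPT record, else the RFC 1035 default of 512."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(query, off) + 4  # skip QNAME, then QTYPE/QCLASS
    for _ in range(ancount + nscount + arcount):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == 41:
            return rclass  # for OPT, CLASS carries the requestor's UDP payload size
        off += 10 + rdlen
    return 512

def response_allowed(query, response_len, policy):
    """Simplified model of the inspect-dns length check (an assumption, not Cisco's code):
    an int policy is a fixed 'message-length maximum N'; 'client auto' caps the reply
    at the UDP payload size the client advertised via EDNS0."""
    limit = edns_udp_size(query) if policy == "client auto" else policy
    return response_len <= limit
```

With a 4096-byte EDNS0 advertisement, a ~1500-byte signed reply passes under `client auto` but fails under the old fixed 512 default; a client without EDNS0 is still held to 512 either way.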