We experienced an odd issue recently where queries to a .gov site were timing
out. Upon further investigation, packet captures, etc., we noticed that the
return packet was fragmented and 1514 bytes. I increased the default value in
  policy-map type inspect dns <pol_name>
    parameters
      message-length maximum xxx
This seems to fix my issues with that particular .gov site.
My question is: has the recent signing of DNS zones on certain .gov name hosts
affected the packet size, and will this be an ongoing issue for folks running
ASA with the default inspect parameters?
Thank you,
-b
--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD
Logged into reality and abusing my sudo privileges
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
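As an added illustration (my own example, not code from the original post or from Cisco) of why a DNSSEC-signed reply runs past the ASA's default DNS inspection limit of 512 bytes: the script below builds a constructed reply in DNS wire format for a hypothetical name, example.gov, once plain and once with RRSIG records over the answer and authority RRsets plus an EDNS0 OPT record, then parses the message the way a size-based inspection engine would and reports a pass/drop verdict against a configurable maximum. The RRSIG signature bytes are zero-filled placeholders sized like an RSA-2048 signature, not real signatures, and the 1514-byte frame in the post is simply a full 1500-byte MTU plus the 14-byte Ethernet header, i.e. the first fragment of a reply that reassembles to well over 512 bytes. The summarize() function also works on a real DNS payload carved out of a capture, since it honours name compression pointers.

```python
"""Measure a DNS reply the way a size-based DNS inspection would.

Constructed example: builds an unsigned and a DNSSEC-signed reply for the
hypothetical name example.gov, then checks each against an inspection limit
such as the ASA's "message-length maximum" (512 bytes by default).
"""
import struct

ASA_DEFAULT_MAX = 512   # default "message-length maximum" in ASA dns inspection
TYPE_A, TYPE_NS, TYPE_OPT, TYPE_RRSIG = 1, 2, 41, 46


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format (labels, no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rr(name: str, rtype: int, rdata: bytes, rclass: int = 1, ttl: int = 300) -> bytes:
    """One resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def rrsig_rdata(type_covered: int, signer: str, sig_len: int) -> bytes:
    """RRSIG RDATA per RFC 4034 s3.1; the signature is a zero-filled placeholder."""
    fixed = struct.pack("!HBBIIIH", type_covered, 8, 2, 300, 0x60000000, 0x5FF00000, 12345)
    return fixed + encode_name(signer) + b"\x00" * sig_len


def opt_rr(udp_payload: int = 4096) -> bytes:
    """EDNS0 OPT pseudo-RR: root name, CLASS carries the UDP payload size, DO bit set."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0x00008000, 0)


def build_reply(name: str, signed: bool, sig_len: int = 256) -> bytes:
    """Constructed reply to an A query: one A answer, two NS authority records,
    and, when signed, an RRSIG over each RRset plus an OPT record."""
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    answer = [rr(name, TYPE_A, bytes([192, 0, 2, 1]))]          # TEST-NET-1 address
    authority = [rr(name, TYPE_NS, encode_name(f"ns{i}.{name}")) for i in (1, 2)]
    additional = []
    if signed:
        answer.append(rr(name, TYPE_RRSIG, rrsig_rdata(TYPE_A, name, sig_len)))
        authority.append(rr(name, TYPE_RRSIG, rrsig_rdata(TYPE_NS, name, sig_len)))
        additional.append(opt_rr())
    flags = 0x8180 | (0x0020 if signed else 0)                   # QR, RD, RA (+AD)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer), len(authority), len(additional))
    return header + question + b"".join(answer + authority + additional)


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def summarize(msg: bytes) -> dict:
    """Walk a DNS message and report what matters for size-based inspection."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # QTYPE + QCLASS
    rrsigs, edns_payload = 0, None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            rrsigs += 1
        elif rtype == TYPE_OPT:
            edns_payload = rclass       # OPT reuses CLASS for the advertised UDP size
    if off != len(msg):
        raise ValueError("truncated message or trailing bytes")
    return {"size": len(msg), "rrsig_count": rrsigs,
            "edns_udp_payload": edns_payload, "tc_bit": bool(flags & 0x0200)}


def inspection_verdict(msg: bytes, limit: int = ASA_DEFAULT_MAX) -> str:
    """'pass' if the message fits the configured maximum, else 'drop'."""
    return "pass" if len(msg) <= limit else "drop"


if __name__ == "__main__":
    for signed in (False, True):
        reply = build_reply("example.gov", signed)
        info = summarize(reply)
        print(f"signed={signed} size={info['size']} rrsigs={info['rrsig_count']} "
              f"edns={info['edns_udp_payload']} default-limit={inspection_verdict(reply)} "
              f"limit-1500={inspection_verdict(reply, 1500)}")
```

Run as-is it shows the unsigned reply fitting comfortably under 512 bytes while the signed reply, with the same two RRsets, does not; raising the limit to the 1500-byte neighbourhood lets it through, which is the effect of the message-length maximum change in the post. On a real capture, feed summarize() the UDP payload and compare size against whatever maximum the inspect policy carries.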