Bill, default used to be 512, with the EDNS changes, it should be set to 4096 to avoid issues.

-ryan

________________________________________
From: [email protected] [[email protected]] on behalf of Bill Blackford [[email protected]]
Sent: Wednesday, December 08, 2010 1:55 PM
To: [email protected]
Subject: [c-nsp] ASA55xx | DNS Maximum message

We experienced an odd issue recently where queries to a .gov site were timing out. Upon further investigation, packet captures, etc., we noticed that the return packet was fragmented and 1514 bytes.

I increased the default value in:

policy-map type inspect dns <pol_name>
 parameters
  message-length maximum xxx

This seems to fix my issues with that particular .gov site. My question is: has the recent signing of DNS zones on certain .gov name hosts affected the packet size, and will this be an ongoing issue for folks running ASA with the default inspect parameters?

Thank you,
-b

--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD
Logged into reality and abusing my sudo privileges

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
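Added example configuration, not taken from either message in the thread: the ASA DNS inspection policy as it ships with the 512-byte limit, beside the 4096-byte value Ryan recommends. The policy-map name preset_dns_map and the global_policy / inspection_default names are the ASA defaults; the interface and resolver addresses in the comments are assumed for illustration.

```cisco
! --- Weak (default) setting: any UDP DNS message over 512 bytes is dropped ---
! A DNSSEC-signed answer (RRSIG, DNSKEY, NSEC records) routinely exceeds 512
! bytes, so the reply never reaches the resolver and the query simply times out,
! which is the symptom Bill describes.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

! --- Corrected setting: raise the limit to the EDNS0 buffer size (4096) ---
! 4096 is the UDP payload size most resolvers advertise in their EDNS0 OPT
! record, so replies sized for that buffer pass inspection.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
  ! On releases that support it, this also lets the ASA honour the size the
  ! client advertised in its own EDNS0 OPT record (assumption: feature
  ! availability depends on the ASA version in use).
  message-length maximum client auto

! The inspection policy is applied through the default global service policy.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
```

Two caveats a practitioner would want. First, the inspection engine drops over-length UDP DNS messages silently rather than rejecting them, so the resolver behind the ASA sees only a timeout and never gets the TC (truncated) bit that would make it retry over TCP; raising the limit fixes this, but so does confirming that TCP/53 is also permitted, since answers larger than the advertised EDNS0 buffer are legitimately delivered over TCP. Second, a 4096-byte UDP reply arrives as IP fragments (the 1514-byte frame in Bill's capture is the first of them), so the ASA has to reassemble them before the inspection engine can measure the message; if fragment handling has been tightened on the outside interface, the same symptom will persist after the message-length change.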
