One more point:

One set of ASAs places the maximum xxxx *before* client auto. This set is 
exhibiting the odd behavior.
The other set of ASAs places it *after*. This set is running a newer code rev., 
and the odd behavior is not reproducible. 

Someone offered the 'client auto' offlist as a fix as well.

-b


-----Original Message-----
From: Ryan West [mailto:[email protected]] 
Sent: Wednesday, December 08, 2010 11:04 AM
To: Bill Blackford; [email protected]
Subject: RE: ASA55xx | DNS Maximum message

Bill,

Default used to be 512, with the eDNS changes, it should be set to 4096 to 
avoid issues.

-ryan

________________________________________
From: [email protected] [[email protected]] on 
behalf of Bill Blackford [[email protected]]
Sent: Wednesday, December 08, 2010 1:55 PM
To: [email protected]
Subject: [c-nsp] ASA55xx | DNS Maximum message

We experienced an odd issue recently where queries to a .gov site were timing 
out. Upon further investigation, packet captures, etc., we noticed that the 
return packet was fragmented and 1514 bytes. I increased the default value in

policy-map type inspect dns <pol_name>
  parameters
    message-length maximum xxx

This seems to fix my issues with that particular .gov site.

My question is: has the recent signing of DNS zones on certain .gov name hosts 
affected the packet size, and will this be an ongoing issue for folks running 
ASA with the default inspect parameters?

Thank you,

-b


--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD

Logged into reality and abusing my sudo privileges


_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
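As an added illustration (not part of this thread, and not Cisco code): a small Python model of why DNSSEC-signed answers collide with the inspect-dns default. It builds an EDNS0 query advertising 4096 bytes, constructs a sample signed-looking 1468-byte reply for the made-up name example.gov, and applies a simplified "drop if longer than the maximum" check at 512 and at 4096; the name, the zero-padded RRSIG and the drop rule are all assumptions.

```python
import struct

DEFAULT_ASA_MAX = 512   # historical "message-length maximum" default discussed in the thread
EDNS_UDP_SIZE = 4096    # EDNS0 payload size the thread recommends as the new maximum

def encode_name(name):
    """Wire-format a dotted hostname as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234, udp_size=EDNS_UDP_SIZE, dnssec_ok=True):
    """A query carrying an EDNS0 OPT pseudo-RR (type 41) that advertises udp_size and sets DO."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    ext_flags = (1 << 15) if dnssec_ok else 0                  # OPT TTL field: ext-rcode|version|DO|Z
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, ext_flags, 0)
    return header + question + opt

def build_signed_response(name, sig_len=1400, txid=0x1234):
    """Constructed sample reply: one A record plus an RRSIG-sized record (type 46) with padded rdata."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 1)   # QR|RD|RA; 2 answers, 1 OPT
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    rrsig = b"\xc0\x0c" + struct.pack("!HHIH", 46, 1, 300, sig_len) + b"\x00" * sig_len
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP_SIZE, 0, 0)
    return header + question + a_rr + rrsig + opt

def parse_header(wire):
    """Pull out the fields that matter for the size problem: length, TC bit, record counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "length": len(wire), "answers": an, "additional": ar}

def inspect_verdict(wire, max_len=DEFAULT_ASA_MAX):
    """Simplified model of the inspect-dns check: a message longer than max_len is dropped."""
    info = parse_header(wire)
    info["dropped"] = info["length"] > max_len
    return info

if __name__ == "__main__":
    q = build_query("example.gov")
    r = build_signed_response("example.gov")
    print("query bytes:", len(q))
    for limit in (DEFAULT_ASA_MAX, EDNS_UDP_SIZE):
        print(f"max {limit}: {inspect_verdict(r, limit)}")
```

Run against a real capture, the same parse_header/inspect_verdict pair tells you whether a reply that timed out would have exceeded the configured maximum or was truncated (TC) instead.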

