Hi Bill,

The change (tracked by CSCta35563) re-ordered the "message-length maximum client auto" command and also enabled it by default in the preset and migrated dns_map. This change went into Versions: 8.3(1), 8.2(2), 8.1(2.37), 8.0(5.2), 7.2(5)

Sincerely,
David.

Bill Blackford wrote:
> One more point:
>
> One set of ASA's places the maximum xxxx *before* client auto. This set is
> exhibiting the odd behavior.
> The other set of ASA's places it *after*. This set is running a newer code
> rev. and the odd behavior is not reproducible.
>
> Someone offered the 'client auto' offlist as a fix as well.
>
> -b
>
>
> -----Original Message-----
> From: Ryan West [mailto:[email protected]]
> Sent: Wednesday, December 08, 2010 11:04 AM
> To: Bill Blackford; [email protected]
> Subject: RE: ASA55xx | DNS Maximum message
>
> Bill,
>
> Default used to be 512, with the eDNS changes, it should be set to 4096 to
> avoid issues.
>
> -ryan
>
> ________________________________________
> From: [email protected] [[email protected]]
> on behalf of Bill Blackford [[email protected]]
> Sent: Wednesday, December 08, 2010 1:55 PM
> To: [email protected]
> Subject: [c-nsp] ASA55xx | DNS Maximum message
>
> We experienced an odd issue recently where queries to a .gov site were timing
> out. Upon further investigation, packet captures, etc., we noticed that the
> return packet was fragmented and 1514 bytes. I increased the default value in
>
> policy-map type inspect dns <pol_name>
>  parameters
>   message-length maximum xxx
>
> This seemed to fix my issues with that particular .gov site.
>
> My question is has the recent signing of dns zones on certain .gov name hosts
> affected the packet size and will this be an ongoing issue for folks running
> asa with the default inspect parameters?
>
> Thank you,
>
> -b
>
>
> --
> Bill Blackford
> Senior Network Engineer
> Technology Systems Group
> Northwest Regional ESD
>
> Logged into reality and abusing my sudo privileges
>
>
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
