ASA 5520 Reverse DNS lookup Issue

Similar Messages

• HELP! Disabling reverse DNS lookups on client

  Is there a property that can be set to disable the reverse DNS
  lookup for client requests? I read that if reverse lookups are
  no working then client requests can take an extra 15-30 seconds.
  In our environment reverse lookups are not something we can
  count on so we would like to disable them completely. Please let
  me know which property can be set it if any to accomplish this.
  Regards,
  Robert

  Don't we all ;)
  WL 5.1 sp3
  Sol 2.6
  J2 1.2.1_04
  Rich Nill wrote in message <[email protected]>...
  Paul,
  What version of Weblogic are you running? I want to make sure we don'tsuffer
  from the same problem.
  Thanks,
  Rich
  Paul Iter wrote:
  Would this patch have any impact on the problem I described in
  "performance
  degradation PROBLEM"?
  Thanks,
  Paul
  Mark Griffith wrote:
  There is another issue here though, when we print out server ID's we
  call
  java.net.InetAddress.toString() which ends up in a DNS call.
  Contact support they have a one-off patch.
  cheers
  mbg
  In article <[email protected]>, [email protected]
  says...
  Is there a property that can be set to disable the reverse DNS
  lookup for client requests? I read that if reverse lookups are
  no working then client requests can take an extra 15-30 seconds.
  In our environment reverse lookups are not something we can
  count on so we would like to disable them completely. Please let
  me know which property can be set it if any to accomplish this.
  Regards,
  Robert
  ==================================================
  NewsGroup Rant
  ==================================================
  Rant 1.
  The less info you provide about your problem means
  the less we can help you. Try to look at the
  problem from an external perspective and provide
  all the data necessary to put your problem in
  perspective.

• How to disable reverse DNS lookup on SSH login

  How do I disable reverse DNS lookup on SSH login in Solaris 9? I'm using the version bundled with Solaris 9.
  OpenSSH documentation says that I should set UseDNS to no but the option doesnt work in the bundled version of SSH server.
  I do not want to upgrade the bundled version of SSH server. Your help will be greatly appreciated.

  Ah nevermind. I think it was some command I ran changing english.lproj that did this so i am starting over.

• Is it possible to override authorative reverse DNS lookups?

  Hello,
  I am part of collaborative workgroup which has a group of networked computers that are installed at each others sites. This means that often a server has two names - a "site name", which is the name in DNS, such as BigFoot.yale.edu at X.X.X.5 and a "workgroup name", the name used by the group for distributed processes, such as YaleBigFoot.workgroup.net also at X.X.X.5 in our /etc/hosts file.
  We are trying to use globus and GSI authentication in between the servers which requires valid reverse dns lookups, such that a CN=host/ .
  On unix'y servers, this requires setting up a rather comples /etc/hosts and editing /etc/nsswitch so that /etc/hosts is used authoritively for all lookups.
  I have been trying to replicate this behavior for our Mac users, and I'm running into problems. I have read all the "reverse dns" documentation I can - and it appears that my problem is different.
  I have setup a /etc/hosts file and a /etc/lookupd/hosts configuration file and a /etc/named.conf section for workgroup.net and a /var/named/workgroup.net.zone file.
  However I still get the following output:
  $ host yale-bigfoot.workgroup.net
  yale-bigfoot.workgroup.net has address X.X.X.5
  $ host X.X.X.5
  X.X.X.5.in-addr.arpa domain name pointer workgroup-router-node.net.yale.edu.
  Is it possible to override the authorative reverse lookups?
  Thank you in advance,
  Brendan
  PS: names and address are not actual
  17' SuperDrive Powerbook G4   Mac OS X (10.4.6)  

  However, you can achieve do something that looks similar to overriding.
  class Parent {
    Parent(int i, String s) {
      // do stuff
  class Child extends Parent {
    Child(int i, String s) {
      super(i, s);
      // do Child stuff here
  new Parent(1, "abc");
  new Child(2, "xyz");Although that's not overriding, it sort of looks similar. Is this what you were talking about?

• 9i app 9.0.2.01?Does the reverse DNS lookup have to be set up for a FQDN

  HEy guys:
  I'M ALWAYS GETTING STUCK IN THE SAME PLACE WHEN I AM TRYING TO INSTALL 9I APPSERVER 9.0.2.0.1 REL 2. ITS ALWATYS HAPPENING AT THE oRACLE db CONFIG assistant i have set up my host file and when i ping -a servername i get the full reply back ex. servername.domain.com but now when i ping -a 111.111.111.111 i do not get the host name back this is b/c i do not have the PTR record set up. Do i have to have a reverse dnslookup working for what oracle is stating is "FQDN" and not just the dns lookup working...how is oracle installer looking at this piece.
  that is the only i see that i don't have when i look at my computer name (by the way this is a winnt environment)in properties it has the FQDN. i also have set up the host file correctly resembling 111.111.111.111 servername.domainname.com servername oracleinstall. What else am i missing here guys? thanks for the help in advance
  regards,
  robert

  Actually, these issues were/are documented - see the addendum. Also, the install guide details which files need to be updated with the FQDN/IP.
  Though it does not have to be setup in your DNS server (say if you are just doing it on a single tier to test), those machines which are looking to connect to it would need to have the proper additions to the hosts file as well.
  As for why the 'non-default' http ports, this was a result of Unix security. Non-root users cannot start processes using ports below a specific range. As a result, oracle defaults them to a higher number allowing your oracle account whom lacks root access to start the http service.
  As for non-oracle responses, this isn't really an official forumn. I believe those oracle peeps who do respond here are doing so on their own. If you need official/immediate responses, then i would recommend using metalink for an itar or the metalink forums.
  Now on to Robert's second question. See metalink Note:209114.1: How to Change the Port used for Oracle 9iAS Portal 9.0.x. If you don't have access to metalink, let me know and I can forward the note or post it here.
  Have fun!

• Reverse DNS Lookup Failed!

  I started this thread weeks ago in the mail category, because it was related to sending e-mails to certain accounts. If you could please look at this thread I would greatly appreciate it so I don't have to re-explain the whole situation. I need to get this resolved as soon as possible and I don't know what else to do. I have had tons of help on the subject, yet no one can figure out why it's not working. You can do reverse resolution to my server just fine and my service provider shows it's pointing to my dns servers but somewhere in the mix it won't resolve any other way except directly to mine.
  http://discussions.apple.com/thread.jspa?threadID=323884&tstart=0
  I have read every article on here that has revserse DNS in it, yet still no luck. Thanks.

  Zone File:
  $TTL 86400
  funsunstudio.com. IN SOA ns1.funsunstudio.com. marshall.funsunstudi
  o.com. (
  2006013000 ; serial
  3h ; refresh
  1h ; retry
  1w ; expiry
  1h ) ; minimum
  funsunstudio.com. IN NS ns1.funsunstudio.com.
  funsunstudio.com. IN NS ns2.funsunstudio.com.
  funsunstudio.com. IN A 12.146.245.40
  ns1 IN A 12.146.245.40
  ns2 IN A 12.146.245.41
  mail IN A 12.146.245.34
  funsunstudio.com. IN MX 0 mail
  www IN A 12.146.245.42
  * IN A 12.146.245.42
  oms IN A 12.146.245.42
  named.conf
  zone "funsunstudio.com." in {
  file "funsunstudio.com.zone";
  type master;
  zone "245.146.12.in-addr.arpa" IN {
  file "db.12.146.245";
  type master;
  db.12.146.245 file:
  $TTL 86400
  245.146.12.in-addr.arpa. IN SOA ns1.245.146.12.in-addr.arpa. mar$
  2006013000 ; serial
  3h ; refresh
  1h ; retry
  1w ; expiry
  1h ) ; minimum
  245.146.12.in-addr.arpa. IN NS ns1.funsunstudio.com.
  245.146.12.in-addr.arpa. IN NS ns2.funsunstudio.com.
  32/28.245.146.12.in-addr.arpa. IN PTR ns1.funsunstudio.com.
  32/28.245.146.12.in-addr.arpa. IN PTR ns2.funsunstudio.com.
  34.245.146.12.in-addr.arpa. IN PTR mail.funsunstudio.com.
  42.245.146.12.in-addr.arpa. IN PTR www.funsunstudio.com.
  Yes I know I am resolving it for the whole C-Class, but should not affect my issue. Thanks for the help Camelot. BTW I am basing this all off the e-mail AT&T sent me about the setup, so if it's totally wrong please don't yell too bad.

• [solved] disable reverse dns caching (pdnsd)

  Hey guys, i have setup pdnsd for dns caching, and it's working fine. There's a small issue though. I would like to disable caching for reverse dns lookups. This is because the cache file is getting filled up with thousand of such entries, due to p2p software such as rtorrent.
  Is there an option for the pdnsd.conf file which can disable this feature?
  Last edited by x33a (2014-01-23 05:51:37)

  After extensive searching, I found that this can be achieved by disabling PTR rr type, but pdnsd won't run without it.
  For reference purpose:
  Support for different rr types can be disabled by modifying src/rr_types.in accordingly (source code file). unfortunately, PTR along with a few other rr types is essential to pdnsd, so disabling it is not an option.

• Set up reverse DNS for virtual mail hosting

  I need a bit of server configuation advice.
  I have a static IP and two public domains on a Snow Leopard server connected using NAT behind a firewall - with the necessary port forwarding to ensure all works. 
  1. abc.com is my primary domain on the server - server.abc.com
  2. I have xyz.com set up as a virtual domain and also as a virtual mail host
  This setup has worked well for a long time but I have found that emails to [email protected] are going missing.  If I check my mx records using one of the web based tools it show an error on the reverse dns for server.xyz.com showing a reverse DNS of server.abc.com.
  So the question - is it possible to have secondary 'virtual' DNS record on the server so reverse DNS works for the virtual mail host xyz.com?  If not how do I handle the reverse DNS problem which i think is causing some external mail server to reject mail due to the inconsistency on the reverse DNS lookup?
  Many thanks for any suggestions

  SMTP requires a DNS A record.
  A DNS A record is also known as a machine record.
  A DNS A record inherently means that forward DNS and reverse DNS will match.
  The forward translation translates the host name to the IP address.
  The reverse translation translates the IP address to host name.
  When the full translation produces the same host name, that's an A record.
  DNS CNAME records are aliases, and are used for virtual hosts.
  CNAME records inherently do not match the reverse DNS translations.
  To get your configuration to work, your server must have an A record.
  That means forward and reverse DNS will match.
  Any of the virtual hosts within your mail server then all use an MX pointing at the A record host.
  If you have your DNS hosted somewhere other than your ISP, then you'll need your ISP to set up a DNS PTR.
  The DNS PTR is the reverse translation; address to name.
  If you have your own DNS services within your network (as would be typical with a privately-addressed NAT'd network), set that up as a virtual host within SMTP.
  Here is some related reading on external (public) DNS, as related to SMTP servers and such.

• Block Reverse DNS failures or not?

  Hey guys,
  Philosphical question, which I honestly didn't think I'd have to ask...
  Do you block messages from servers that fail reverse DNS lookup (eg no pointer record or non matching pointer record)?
  We recently tightened things up, and put those in the blacklist, and I'm seeing more legit senders getting dropped than I expected.
  Am I expecting too much?
  Ken

  You can enable these three checkbox in the sendergroup BLACKLIST:
  -Connecting host PTR record does not exist in DNS.
  -Connecting host PTR record lookup fails due to temporary DNS failure.
  -Connecting host reverse DNS lookup (PTR) does not match the forward DNS lookup (A).
  Be aware for the False positives.

• Reverse IP lookup

  When I run the "last" command I would like to see IP address of the user instead of the host names. I assume Solaris is doing some type of reverse ip lookup and displaying the host name here. Is there a way of disabling reverse DNS lookup and what other consequenses should I consider before doing so.

  New_DS_User wrote:
  When I run the "last" command I would like to see IP address of the user instead of the host names. I assume Solaris is doing some type of reverse ip lookup and displaying the host name here.More like it does the reverse IP lookup and logs the name. There's no lookup at display time.
  Is there a way of disabling reverse DNS lookup and what other consequenses should I consider before doing so.I don't know any method of doing so for just the login stuff. You could disable DNS, but that has other consequences. :-)
  Darren

• GWIA doing DNS lookup for local address

  Hello,
  I am running GW8.0.2 on Netware 6.5sp8. I have a server that our recreation department uses to send out confirmation emails when a customer signs up for a class. The recreation server and the GWIA are on the same subnet.
  Here's the problem: When the Rec server sends out the first email confirmation, it gets sent out successfully. Subsequent emails after that fail. After about twenty minutes the next email will go out OK again but subsequent emails will fail.
  The verbose logs on the GWIA don't tell me much but the diagnostic logs show what looks like a reverse DNS lookup happening at the GWIA for my local IP address of 10.0.0.3 (the Rec server). This reverse DNS lookup fails (probably a timeout) and subsequent emails from this local Rec server get dropped by the GWIA without the DNS lookup.
  DNS is being done by DNS proxy on Bordermanager 9.2. I've bypassed the Bordermanager DNS and the same thing happens. I've made entries for the local Rec server into a route.cfg file but the GWIA seems to want to ignore these entries and keeps doing the DNS lookup.
  The wierdest part of the puzzle is that if I restart the proxy on the Bordermanager the next email will go out with, of course, subsequent emails failing. I've looked at the proxy dns cache and can't even find an entry for my Rec server.
  Attached are the entries from the Diagnostic logs of the GWIA. Novell tech support has assured me that the GWIA and the BM are working fine. I am also having this problem with a scanner that scans then emails but all other email and Bordermanager are functioning fine. This server and scanner were not having this problem before upgrading to GW8.0.2.
  I don't understand why GWIA is doing DNS lookups for a local address and I don't know what I can do to stop it. Any help would be greatly appreciated.
  This is a successful transfer right after restarting the proxy: 10.0.0.3 is the Rec server, 10.0.0.130 is the GWIA and 10.0.0.1 is the Bordermanager.
  16:04:13 D15 NgwResQuery(3.0.0.10.in-addr.arpa, 1, 12)
  16:04:13 D15 Querying server (# 1) address = 10.0.0.1
  16:04:13 D15 HEADER:
  16:04:13 D15 opcode = QUERY, id = 17615, rcode = SERVFAIL, flags: qr aa rd
  16:04:13 D15 query = 1, answer = 0, authority = 0, additional = 0
  16:04:13 D15
  16:04:13 D15 QUESTIONS:
  16:04:13 D15 3.0.0.10.in-addr.arpa, type = PTR, class = IN
  16:04:13 D15
  16:04:13 D15 rcode = 2, ancount=0
  16:04:13 D15 NgwResQuery failed
  16:04:13 D15 DMN: MSG 2000909 Accepted connection: [10.0.0.3] ()
  16:04:13 D15 Successful login with client/server access: 10.0.0.130:1677
  16:04:13 D15 DMN: MSG 2000909 Receiving file: ECMAIL/SYS:\PROGRAMS\GRPWISE\WPGATE\GWIA\3RD\receive\df30 fad4.221
  16:04:13 D15 DMN: MSG 2000909 SMTP session ended: [10.0.0.3] ()
  This is an unsuccessful transfer:
  16:06:08 D04 timeout
  16:06:08 D04 NgwResQuery: send error
  16:06:08 D04 NgwResQuery failed
  16:06:08 D04 DMN: MSG 2000933 Accepted connection: [10.0.0.3] ()
  16:06:08 D04 DMN: MSG 2000933 SMTP session ended: [10.0.0.3] ()
  Then the successful email comes back into the system:
  16:06:26 AA8 MSG 2000909 Processing inbound message: ECMAIL/SYS:\PROGRAMS\GRPWISE\WPGATE\GWIA\receive\DF30FAD4 .221
  16:06:26 AA8 MSG 2000909 Sender: [email protected]
  16:06:26 AA8 MSG 2000909 Recipient: [email protected]
  16:06:26 AA8 MSG 2000909 Queuing to MTA
  16:06:26 AA8 MSG 2000909 File: ECMAIL/SYS:\PROGRAMS\GRPWISE\WPGATE\GWIA\wpcsin\4\4daf048 2.8m1 Message Id: (4DAF66F2.B67:244:35687) Size: 163.3 Kb

  Thanks Massimo. I could have swore I already did that but when I did it again just to make sure it solved the problem. Appreciate the help. Have a good one.
  Originally Posted by mrosen
  On 02.05.2011 21:06, avanrav wrote:
  >
  > Hello,
  >
  > I am running GW8.0.2 on Netware 6.5sp8. I have a server that our
  > recreation department uses to send out confirmation emails when a
  > customer signs up for a class. The recreation server and the GWIA are on
  > the same subnet.
  >
  > Here's the problem: When the Rec server sends out the first email
  > confirmation, it gets sent out successfully. Subsequent emails after
  > that fail. After about twenty minutes the next email will go out OK
  > again but subsequent emails will fail.
  >
  > The verbose logs on the GWIA don't tell me much but the diagnostic logs
  > show what looks like a reverse DNS lookup happening at the GWIA for my
  > local IP address of 10.0.0.3 (the Rec server). This reverse DNS lookup
  > fails (probably a timeout) and subsequent emails from this local Rec
  > server get dropped by the GWIA without the DNS lookup.
  >
  > DNS is being done by DNS proxy on Bordermanager 9.2. I've bypassed the
  > Bordermanager DNS and the same thing happens. I've made entries for the
  > local Rec server into a route.cfg file but the GWIA seems to want to
  > ignore these entries and keeps doing the DNS lookup.
  >
  > The wierdest part of the puzzle is that if I restart the proxy on the
  > Bordermanager the next email will go out with, of course, subsequent
  > emails failing. I've looked at the proxy dns cache and can't even find
  > an entry for my Rec server.
  The reverse DNS done by GWIA is normal, and can't be stopped or tricked.
  That it fails in such odd ways must be a bug with the reverse DNS proxy
  of Bordermanager though. Apparently on the second lookups, it doesn't
  answer in a timely manner (the type of answer is irrelevant, just it
  *has* to answer). Use a different, "real" DNS server for your GWIA.
  CU,
  Massimo Rosen
  Novell Product Support Forum Sysop
  No emails please!
  Untitled Document

• Connectivity Issue between ASA 5520 firewall and Cisco Call Manager

  Recently i have installed ASA 5520 firewall, Below is the detail for my network
  ASA 5520 inside ip: 10.12.10.2/24
  Cisco Switch 3560 IP: 10.12.10.1/24 for Data and 10.12.110.2/24 for Voice
  Cisco Call Manager 3825 IP: 10.12.110.2/24
  The users and the IP phone are getting IP from the DHCP server which configured on cisco 3560 Switch.
  the Default Gateway for Data user is 10.12.10.2/24 and
  for the voice users is 10.12.110.2/24
  now the problem is that the users is not able to ping 10.12.110.2 call manager. please if somebody can help in this regard. i will appreciate the prompt response against this issues.

  Actually i don't wana to insert new subnet and complicate the nework. i need a simple way to solve the problem. below is the details for the asa 5520 config.
  ASA Version 8.2(1)
  name x.x.x.x Mobily
  interface GigabitEthernet0/0
   nameif inside
   security-level 99
   ip address 10.12.10.2 255.255.255.0
  interface GigabitEthernet0/1
   nameif outside
   security-level 0
   ip address x.x.x.x 255.255.255.252
  object-group service DM_INLINE_SERVICE_1
   service-object tcp-udp
   service-object ip
   service-object icmp
   service-object udp
   service-object tcp eq ftp
   service-object tcp eq www
   service-object tcp eq https
   service-object tcp eq ssh
   service-object tcp eq telnet
  access-list RA_VPN_splitTunnelAcl_1 standard permit Inside-Network 255.255.255.0
  access-list RA_VPN_splitTunnelAcl standard permit Inside-Network 255.255.255.0
  access-list inside_nat0_outbound extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
  access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_1 10.12.10.16 255.255.255.240 Inside-Network 255.255.255.0
  access-list inside_nat0_outbound_1 extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu mgmt 1500
  ip local pool VPN-Pool 172.16.1.1-172.16.1.30 mask 255.255.255.0
  ip local pool VPN-Users 10.12.10.21-10.12.10.30 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-641.bin
  asdm history enable
  arp timeout 14400
  global (inside) 2 interface
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound_1
  nat (inside) 1 Inside-Network 255.255.255.0
  route outside 0.0.0.0 0.0.0.0 Mobily 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http Mgmt-Network 255.255.255.0 mgmt
  http Inside-Network 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  crypto isakmp policy 30
   authentication pre-share
   encryption 3des
   hash md5
   group 2
   lifetime 86400
  telnet Inside-Network 255.255.255.0 inside
  telnet timeout 5
  ssh Inside-Network 255.255.255.255 inside
  <--- More --->              ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy RA_VPN internal
  group-policy RA_VPN attributes
   dns-server value 86.51.34.17 8.8.8.8
   vpn-tunnel-protocol IPSec
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value RA_VPN_splitTunnelAcl
  username admin password LPtK/u1LnvHTA2vO encrypted privilege 15
  tunnel-group RA_VPN type remote-access
  tunnel-group RA_VPN general-attributes
   address-pool VPN-Users
   default-group-policy RA_VPN
  tunnel-group RA_VPN ipsec-attributes
   pre-shared-key *
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:e5a64fa92ae465cd7dabd01ce605307d
  : end

• Performance Issue behind ASA 5520

  Hi Community!
  I've got an ASA 5520 (8.4.3) Failover Cluster.
  Behind this ASA i have a couple of DMZ Networks. In one of these Networks (lets call it DMZ-A) i have an performance issue.
  So, in DMZ-A i have 2 Windows2012R2 servers.
  IP Server1: 10.0.233.10/24
  IP Server2: 10.0.233.12/24
  If i do an RDP session to Server1 from my Client Computer (at the inside Network - IP: 10.0.20.199) it is really slow. Also File Transfer is very slow. Ping gives me a "normal" replay.
  If i do an RDP session to Server2 from my Client Computer everything works normal.
  If i do an RDP session from Server2 to Server1 everything works normal.
  I did a apcket capture to both servers, and when i analyse them with wireshark there is (at a sertain packet) a big difference. -> see attached files
  ASA_10 -> 10.0.233.10
  ASA_12 -> 10.0.233.12
  Can anybody help me finding out whats going wong there?
  Thanks a lot!!

  Hi ... thanks for the answer.
  Here is the Config. Hope i got all the relevant things in it.
  Somehow the NAT statement causes the trouble:
  object network 10.0.233.10
  nat (dmz233,outside) static XXX.XXX.XXX.133
  Because if i delete this statement, the RDP connection to the server works normal.
  I delete all the network objects and object groups.
  Also all the VPN configs are missing.
  DELETED THE ASA CONFIG BECAUSE I SOLVED THE PROBLEM!!!! -> misconfiguration
  Thanks !!

• What is causing ASA 5520 v8.4 error 305006 for DNS traffic?

  I implemented transparent mode NAT in single context mode on an ASA 5520 v8.4.  Some connections are working well, but I am seeing others unable to resolve DNS.  I am seeing lot of the following error messages:
  Syslog ID 305006 regular translation creation failed for udp src inside: 10.x.x.x/x des outside:192.168.1.3/53
  Any ideas on what I might look for as possible errors in my configuration?

  I implemented transparent mode NAT in single context mode on an ASA 5520 v8.4.  Some connections are working well, but I am seeing others unable to resolve DNS.  I am seeing lot of the following error messages:
  Syslog ID 305006 regular translation creation failed for udp src inside: 10.x.x.x/x des outside:192.168.1.3/53
  Any ideas on what I might look for as possible errors in my configuration?

• Issue with very slow DNS lookup. SBS 2008 R2.

  (Preface: sorry if this is the wrong forum...new at this! X-posted from Reddit)
  I'm stumped with this one. Last week, the server installed a few updates, no problem, a handful of security stuff. Since then, I've been having issues with DNS lookups on every computer on the network. It will hang on "looking up <domain>.com..."
  and then after 20-30 seconds, it will show a "can't find the server" error. BUT THEN! When you click try again, it loads right up. And then it works fine. For a day or so. Then, the next day, or maybe just a few hours later, sometimes while browsing
  the same site, it will do the same thing. It's like the DNS server just forgets the lookups it's already done after a time.
  Things I've tried:
  restarting server (duh)
  rolling back updates
  reinstalling said updates
  restarting all network hardware from the gateway outwards
  restarting the service itself while the server is running
  The only thing the event log shows is a single error during startup - event ID 4015. The text reads:
  "The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is ' '."
  This error has only occurred once that I saw and did not occur on the most recent startup, but the issue is still present
  Active directory seems to be fine. No errors or warnings in it and no info from the event log is showing anything that seems to be helpful.
  I've looked around the KB but every article seems to be troubleshooting a much more specific problem or a different problem altogether, such as a misnamed, stuck, or incorrect DNS zone, or a DNS lookup that fails to complete altogether.

  Hi Craigglesofdoom,
  Would you please let us know current situation of this issue? Did you refer to above suggestions and solve this problem? If any update, please feel free to let us know.
  Please also run SBS BPA tool and check if find relevant issues.
  For Event ID 4015, please refer to following article and check if can help you.
  Event ID 4015 — DNS Server Active Directory Integration
  -->The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly.
  Please use dcdiag command-line tool. Any find?
  Domain Controller Diagnostics Tool (dcdiag.exe)
  Dcdiag for DNS: Test details explained
  Hope this helps.
  Best regards,
  Justin Gu
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]