ASA 5520 Reverse DNS lookup Issue
We are having Reverse DNS issues.
10.10.0.10 = Exchange Server
Windows 2003 = DNS server internal.
Setup: 1 to 1 NAT
10.10.0.10 smtp --> 70.89.133.218 smtp
Int gi0/2 = 70.89.133.217
Incoming Access Rule:
any --> 70.89.133.218 smtp permit
When we do a WhatismyIp on exchange server it says the IP is 70.89.133.217
It should be 70.89.133.217.
This is causing our email to be rejected by external sites because reverse DNS is not returning 218. External people say our email is coming from 217. Comcast says the reverse pointer is set up correctly.
What are we doing wrong?
Thanks for any help you can offer.
Correction:
When we do a WhatismyIp on exchange server it says the IP is 70.89.133.217
It should be 70.89.133.218
217 is the interface gi0/2 on the ASA.
Similar Messages
-
HELP! Disabling reverse DNS lookups on client
Is there a property that can be set to disable the reverse DNS
lookup for client requests? I read that if reverse lookups are
no working then client requests can take an extra 15-30 seconds.
In our environment reverse lookups are not something we can
count on so we would like to disable them completely. Please let
me know which property can be set it if any to accomplish this.
Regards,
Robert
Don't we all ;)
WL 5.1 sp3
Sol 2.6
J2 1.2.1_04
Rich Nill wrote in message <[email protected]>...
Paul,
What version of Weblogic are you running? I want to make sure we don't suffer
from the same problem.
Thanks,
Rich
Paul Iter wrote:
Would this patch have any impact on the problem I described in
"performance
degradation PROBLEM"?
Thanks,
Paul
Mark Griffith wrote:
There is another issue here though, when we print out server ID's we
call
java.net.InetAddress.toString() which ends up in a DNS call.
Contact support they have a one-off patch.
cheers
mbg
In article <[email protected]>, [email protected]
says...
Is there a property that can be set to disable the reverse DNS
lookup for client requests? I read that if reverse lookups are
no working then client requests can take an extra 15-30 seconds.
In our environment reverse lookups are not something we can
count on so we would like to disable them completely. Please let
me know which property can be set it if any to accomplish this.
Regards,
Robert
==================================================
NewsGroup Rant
==================================================
Rant 1.
The less info you provide about your problem means
the less we can help you. Try to look at the
problem from an external perspective and provide
all the data necessary to put your problem in
perspective. -
How to disable reverse DNS lookup on SSH login
How do I disable reverse DNS lookup on SSH login in Solaris 9? I'm using the version bundled with Solaris 9.
OpenSSH documentation says that I should set UseDNS to no, but the option doesn't work in the bundled version of the SSH server.
I do not want to upgrade the bundled version of the SSH server. Your help will be greatly appreciated.
Ah nevermind. I think it was some command I ran changing english.lproj that did this, so I am starting over.
-
Is it possible to override authoritative reverse DNS lookups?
Hello,
I am part of a collaborative workgroup which has a group of networked computers that are installed at each other's sites. This means that often a server has two names - a "site name", which is the name in DNS, such as BigFoot.yale.edu at X.X.X.5, and a "workgroup name", the name used by the group for distributed processes, such as YaleBigFoot.workgroup.net also at X.X.X.5 in our /etc/hosts file.
We are trying to use globus and GSI authentication between the servers, which requires valid reverse DNS lookups, such that a CN=host/ .
On unix'y servers, this requires setting up a rather complex /etc/hosts and editing /etc/nsswitch so that /etc/hosts is used authoritatively for all lookups.
I have been trying to replicate this behavior for our Mac users, and I'm running into problems. I have read all the "reverse dns" documentation I can - and it appears that my problem is different.
I have set up a /etc/hosts file and a /etc/lookupd/hosts configuration file and a /etc/named.conf section for workgroup.net and a /var/named/workgroup.net.zone file.
However I still get the following output:
$ host yale-bigfoot.workgroup.net
yale-bigfoot.workgroup.net has address X.X.X.5
$ host X.X.X.5
X.X.X.5.in-addr.arpa domain name pointer workgroup-router-node.net.yale.edu.
Is it possible to override the authoritative reverse lookups?
Thank you in advance,
Brendan
PS: names and address are not actual
17' SuperDrive Powerbook G4 Mac OS X (10.4.6)
However, you can do something that looks similar to overriding.
class Parent {
    Parent(int i, String s) {
        // do stuff
    }
}
class Child extends Parent {
    Child(int i, String s) {
        super(i, s); // the Parent constructor runs first
        // do Child stuff here
    }
}
public class Demo {
    public static void main(String[] args) {
        new Parent(1, "abc");
        new Child(2, "xyz");
    }
}
Although that's not overriding, it sort of looks similar. Is this what you were talking about? -
9i app 9.0.2.01?
Does the reverse DNS lookup have to be set up for a FQDN?
HEy guys:
I'm always getting stuck in the same place when I am trying to install 9i AppServer 9.0.2.0.1 Rel 2. It's always happening at the Oracle DB Config Assistant. I have set up my hosts file, and when I ping -a servername I get the full reply back, e.g. servername.domain.com, but when I ping -a 111.111.111.111 I do not get the host name back; this is because I do not have the PTR record set up. Do I have to have a reverse DNS lookup working for what Oracle is calling "FQDN", and not just the DNS lookup working? How is the Oracle installer looking at this piece?
That is the only thing I see that I don't have. When I look at my computer name (by the way, this is a Windows NT environment) in properties it has the FQDN. I also have set up the hosts file correctly, resembling 111.111.111.111 servername.domainname.com servername oracleinstall. What else am I missing here guys? Thanks for the help in advance.
regards,
robert
Actually, these issues were/are documented - see the addendum. Also, the install guide details which files need to be updated with the FQDN/IP.
Though it does not have to be setup in your DNS server (say if you are just doing it on a single tier to test), those machines which are looking to connect to it would need to have the proper additions to the hosts file as well.
As for why the 'non-default' http ports, this was a result of Unix security. Non-root users cannot start processes using ports below a specific range. As a result, Oracle defaults them to a higher number, allowing your oracle account, which lacks root access, to start the http service.
As for non-Oracle responses, this isn't really an official forum. I believe those Oracle people who do respond here are doing so on their own. If you need official/immediate responses, then I would recommend using Metalink for an iTAR or the Metalink forums.
Now on to Robert's second question. See metalink Note:209114.1: How to Change the Port used for Oracle 9iAS Portal 9.0.x. If you don't have access to metalink, let me know and I can forward the note or post it here.
Have fun! -
Reverse DNS Lookup Failed!
I started this thread weeks ago in the mail category, because it was related to sending e-mails to certain accounts. If you could please look at this thread I would greatly appreciate it so I don't have to re-explain the whole situation. I need to get this resolved as soon as possible and I don't know what else to do. I have had tons of help on the subject, yet no one can figure out why it's not working. You can do reverse resolution to my server just fine and my service provider shows it's pointing to my dns servers but somewhere in the mix it won't resolve any other way except directly to mine.
http://discussions.apple.com/thread.jspa?threadID=323884&tstart=0
I have read every article on here that has reverse DNS in it, yet still no luck. Thanks.
Zone File:
$TTL 86400
funsunstudio.com. IN SOA ns1.funsunstudio.com. marshall.funsunstudio.com. (
2006013000 ; serial
3h ; refresh
1h ; retry
1w ; expiry
1h ) ; minimum
funsunstudio.com. IN NS ns1.funsunstudio.com.
funsunstudio.com. IN NS ns2.funsunstudio.com.
funsunstudio.com. IN A 12.146.245.40
ns1 IN A 12.146.245.40
ns2 IN A 12.146.245.41
mail IN A 12.146.245.34
funsunstudio.com. IN MX 0 mail
www IN A 12.146.245.42
* IN A 12.146.245.42
oms IN A 12.146.245.42
named.conf
zone "funsunstudio.com." in {
    file "funsunstudio.com.zone";
    type master;
};
zone "245.146.12.in-addr.arpa" IN {
    file "db.12.146.245";
    type master;
};
db.12.146.245 file:
$TTL 86400
245.146.12.in-addr.arpa. IN SOA ns1.245.146.12.in-addr.arpa. mar$
2006013000 ; serial
3h ; refresh
1h ; retry
1w ; expiry
1h ) ; minimum
245.146.12.in-addr.arpa. IN NS ns1.funsunstudio.com.
245.146.12.in-addr.arpa. IN NS ns2.funsunstudio.com.
32/28.245.146.12.in-addr.arpa. IN PTR ns1.funsunstudio.com.
32/28.245.146.12.in-addr.arpa. IN PTR ns2.funsunstudio.com.
34.245.146.12.in-addr.arpa. IN PTR mail.funsunstudio.com.
42.245.146.12.in-addr.arpa. IN PTR www.funsunstudio.com.
Yes I know I am resolving it for the whole C-Class, but should not affect my issue. Thanks for the help Camelot. BTW I am basing this all off the e-mail AT&T sent me about the setup, so if it's totally wrong please don't yell too bad. -
[solved] disable reverse dns caching (pdnsd)
Hey guys, I have set up pdnsd for DNS caching, and it's working fine. There's a small issue though. I would like to disable caching for reverse DNS lookups. This is because the cache file is getting filled up with thousands of such entries, due to p2p software such as rtorrent.
Is there an option for the pdnsd.conf file which can disable this feature?
Last edited by x33a (2014-01-23 05:51:37)
After extensive searching, I found that this can be achieved by disabling the PTR rr type, but pdnsd won't run without it.
For reference purposes:
Support for different rr types can be disabled by modifying src/rr_types.in accordingly (source code file). Unfortunately, PTR along with a few other rr types is essential to pdnsd, so disabling it is not an option. -
Set up reverse DNS for virtual mail hosting
I need a bit of server configuration advice.
I have a static IP and two public domains on a Snow Leopard server connected using NAT behind a firewall - with the necessary port forwarding to ensure all works.
1. abc.com is my primary domain on the server - server.abc.com
2. I have xyz.com set up as a virtual domain and also as a virtual mail host
This setup has worked well for a long time, but I have found that emails to [email protected] are going missing. If I check my MX records using one of the web-based tools it shows an error on the reverse DNS for server.xyz.com, showing a reverse DNS of server.abc.com.
So the question - is it possible to have a secondary 'virtual' DNS record on the server so reverse DNS works for the virtual mail host xyz.com? If not, how do I handle the reverse DNS problem which I think is causing some external mail server to reject mail due to the inconsistency on the reverse DNS lookup?
Many thanks for any suggestions
SMTP requires a DNS A record.
A DNS A record is also known as a machine record.
A DNS A record inherently means that forward DNS and reverse DNS will match.
The forward translation translates the host name to the IP address.
The reverse translation translates the IP address to host name.
When the full translation produces the same host name, that's an A record.
DNS CNAME records are aliases, and are used for virtual hosts.
CNAME records inherently do not match the reverse DNS translations.
To get your configuration to work, your server must have an A record.
That means forward and reverse DNS will match.
Any of the virtual hosts within your mail server then all use an MX pointing at the A record host.
If you have your DNS hosted somewhere other than your ISP, then you'll need your ISP to set up a DNS PTR.
The DNS PTR is the reverse translation; address to name.
If you have your own DNS services within your network (as would be typical with a privately-addressed NAT'd network), set that up as a virtual host within SMTP.
Here is some related reading on external (public) DNS, as related to SMTP servers and such. -
Block Reverse DNS failures or not?
Hey guys,
Philosophical question, which I honestly didn't think I'd have to ask...
Do you block messages from servers that fail reverse DNS lookup (eg no pointer record or non matching pointer record)?
We recently tightened things up, and put those in the blacklist, and I'm seeing more legit senders getting dropped than I expected.
Am I expecting too much?
Ken
You can enable these three checkboxes in the sendergroup BLACKLIST:
-Connecting host PTR record does not exist in DNS.
-Connecting host PTR record lookup fails due to temporary DNS failure.
-Connecting host reverse DNS lookup (PTR) does not match the forward DNS lookup (A).
Be aware of false positives. -
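The check that the three checkboxes above describe, and that is rejecting the mail in the first thread (sent from the firewall's 217 interface address, which has no matching reverse record) and in the virtual mail host thread, is forward-confirmed reverse DNS: look up the PTR for the connecting address, then confirm that the name it returns resolves back to that address. This is an added example, not code from any post on this page; the resolver is injected so it runs offline against constructed records, and the example.net/example.org host names are assumptions.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check as a receiving MTA performs it.

Added example, not code from any post on this page. The resolver is injected so
the check runs offline against constructed records; a real deployment would pass
a function backed by the system resolver or dnspython.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# The three failure outcomes match the sender-group conditions quoted above.
PTR_MISSING = "ptr_missing"    # no PTR record for the connecting IP (NXDOMAIN / empty)
PTR_TEMPFAIL = "ptr_tempfail"  # lookup failed temporarily (SERVFAIL, timeout)
PTR_MISMATCH = "ptr_mismatch"  # PTR name resolves, but not back to the connecting IP
PTR_OK = "ptr_ok"

# resolve(owner_name, rrtype) -> list of rdata strings; [] when no such record exists
Resolver = Callable[[str, str], List[str]]


class TempFail(Exception):
    """Raised by a resolver for SERVFAIL or timeout, as distinct from 'no record'."""


def reverse_name(ip: str) -> str:
    """Owner name queried for a PTR: 10.0.0.3 -> 3.0.0.10.in-addr.arpa (ip6.arpa for v6)."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip: str, resolve: Resolver) -> Tuple[str, Optional[str]]:
    """Return (status, confirmed_host). The PTR is confirmed only if one of the names
    it yields has an A/AAAA record equal to the connecting address."""
    addr = ipaddress.ip_address(ip)
    try:
        ptr_names = resolve(reverse_name(ip), "PTR")
    except TempFail:
        return PTR_TEMPFAIL, None
    if not ptr_names:
        return PTR_MISSING, None
    forward_type = "AAAA" if addr.version == 6 else "A"
    for host in ptr_names:
        try:
            forward = resolve(host, forward_type)
        except TempFail:
            return PTR_TEMPFAIL, host  # cannot confirm or deny; treat as temporary
        if any(ipaddress.ip_address(a) == addr for a in forward):
            return PTR_OK, host
    return PTR_MISMATCH, ptr_names[0]


def smtp_verdict(ip: str, resolve: Resolver, block_missing: bool = True,
                 block_mismatch: bool = True) -> Tuple[str, str, Optional[str]]:
    """Map the check to an SMTP decision. Temporary failures are deferred (4xx) rather
    than rejected, which is the usual way to limit the false positives mentioned above."""
    status, host = fcrdns(ip, resolve)
    if status == PTR_TEMPFAIL:
        return "defer", status, host
    if (status == PTR_MISSING and block_missing) or (status == PTR_MISMATCH and block_mismatch):
        return "reject", status, host
    return "accept", status, host


# Constructed sample records, modelled on addresses that appear in the threads above.
# Names under example.net / example.org are assumptions, not taken from the page.
SAMPLE_RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("34.245.146.12.in-addr.arpa", "PTR"): ["mail.funsunstudio.com"],
    ("mail.funsunstudio.com", "A"): ["12.146.245.34"],
    ("218.133.89.70.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("mail.example.net", "A"): ["70.89.133.218"],
    # 70.89.133.217 (the firewall interface address) deliberately has no PTR at all.
    ("40.245.146.12.in-addr.arpa", "PTR"): ["host.example.org"],
    ("host.example.org", "A"): ["203.0.113.9"],  # PTR exists but does not point back
}


def sample_resolver(name: str, rrtype: str) -> List[str]:
    """Offline stand-in for DNS. The reverse name of 10.0.0.3 SERVFAILs, as in the
    GWIA diagnostic log further down this page."""
    if name == "3.0.0.10.in-addr.arpa":
        raise TempFail("SERVFAIL")
    return SAMPLE_RECORDS.get((name, rrtype), [])


if __name__ == "__main__":
    for client_ip in ("12.146.245.34", "70.89.133.218", "70.89.133.217",
                      "12.146.245.40", "10.0.0.3"):
        print(client_ip, *smtp_verdict(client_ip, sample_resolver))
```

-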
When I run the "last" command I would like to see the IP address of the user instead of the host names. I assume Solaris is doing some type of reverse IP lookup and displaying the host name here. Is there a way of disabling reverse DNS lookup, and what other consequences should I consider before doing so?
New_DS_User wrote:
When I run the "last" command I would like to see IP address of the user instead of the host names. I assume Solaris is doing some type of reverse ip lookup and displaying the host name here.
More like it does the reverse IP lookup and logs the name. There's no lookup at display time.
Is there a way of disabling reverse DNS lookup and what other consequenses should I consider before doing so.
I don't know any method of doing so for just the login stuff. You could disable DNS, but that has other consequences. :-)
Darren -
GWIA doing DNS lookup for local address
Hello,
I am running GW8.0.2 on Netware 6.5sp8. I have a server that our recreation department uses to send out confirmation emails when a customer signs up for a class. The recreation server and the GWIA are on the same subnet.
Here's the problem: When the Rec server sends out the first email confirmation, it gets sent out successfully. Subsequent emails after that fail. After about twenty minutes the next email will go out OK again but subsequent emails will fail.
The verbose logs on the GWIA don't tell me much but the diagnostic logs show what looks like a reverse DNS lookup happening at the GWIA for my local IP address of 10.0.0.3 (the Rec server). This reverse DNS lookup fails (probably a timeout) and subsequent emails from this local Rec server get dropped by the GWIA without the DNS lookup.
DNS is being done by DNS proxy on Bordermanager 9.2. I've bypassed the Bordermanager DNS and the same thing happens. I've made entries for the local Rec server into a route.cfg file but the GWIA seems to want to ignore these entries and keeps doing the DNS lookup.
The weirdest part of the puzzle is that if I restart the proxy on the Bordermanager the next email will go out with, of course, subsequent emails failing. I've looked at the proxy DNS cache and can't even find an entry for my Rec server.
Attached are the entries from the Diagnostic logs of the GWIA. Novell tech support has assured me that the GWIA and the BM are working fine. I am also having this problem with a scanner that scans then emails but all other email and Bordermanager are functioning fine. This server and scanner were not having this problem before upgrading to GW8.0.2.
I don't understand why GWIA is doing DNS lookups for a local address and I don't know what I can do to stop it. Any help would be greatly appreciated.
This is a successful transfer right after restarting the proxy: 10.0.0.3 is the Rec server, 10.0.0.130 is the GWIA and 10.0.0.1 is the Bordermanager.
16:04:13 D15 NgwResQuery(3.0.0.10.in-addr.arpa, 1, 12)
16:04:13 D15 Querying server (# 1) address = 10.0.0.1
16:04:13 D15 HEADER:
16:04:13 D15 opcode = QUERY, id = 17615, rcode = SERVFAIL, flags: qr aa rd
16:04:13 D15 query = 1, answer = 0, authority = 0, additional = 0
16:04:13 D15
16:04:13 D15 QUESTIONS:
16:04:13 D15 3.0.0.10.in-addr.arpa, type = PTR, class = IN
16:04:13 D15
16:04:13 D15 rcode = 2, ancount=0
16:04:13 D15 NgwResQuery failed
16:04:13 D15 DMN: MSG 2000909 Accepted connection: [10.0.0.3] ()
16:04:13 D15 Successful login with client/server access: 10.0.0.130:1677
16:04:13 D15 DMN: MSG 2000909 Receiving file: ECMAIL/SYS:\PROGRAMS\GRPWISE\WPGATE\GWIA\3RD\receive\df30fad4.221
16:04:13 D15 DMN: MSG 2000909 SMTP session ended: [10.0.0.3] ()
This is an unsuccessful transfer:
16:06:08 D04 timeout
16:06:08 D04 NgwResQuery: send error
16:06:08 D04 NgwResQuery failed
16:06:08 D04 DMN: MSG 2000933 Accepted connection: [10.0.0.3] ()
16:06:08 D04 DMN: MSG 2000933 SMTP session ended: [10.0.0.3] ()
Then the successful email comes back into the system:
16:06:26 AA8 MSG 2000909 Processing inbound message: ECMAIL/SYS:\PROGRAMS\GRPWISE\WPGATE\GWIA\receive\DF30FAD4.221
16:06:26 AA8 MSG 2000909 Sender: [email protected]
16:06:26 AA8 MSG 2000909 Recipient: [email protected]
16:06:26 AA8 MSG 2000909 Queuing to MTA
16:06:26 AA8 MSG 2000909 File: ECMAIL/SYS:\PROGRAMS\GRPWISE\WPGATE\GWIA\wpcsin\4\4daf0482.8m1 Message Id: (4DAF66F2.B67:244:35687) Size: 163.3 Kb
Thanks Massimo. I could have sworn I already did that, but when I did it again just to make sure it solved the problem. Appreciate the help. Have a good one.
Originally Posted by mrosen
On 02.05.2011 21:06, avanrav wrote:
>
> Hello,
>
> I am running GW8.0.2 on Netware 6.5sp8. I have a server that our
> recreation department uses to send out confirmation emails when a
> customer signs up for a class. The recreation server and the GWIA are on
> the same subnet.
>
> Here's the problem: When the Rec server sends out the first email
> confirmation, it gets sent out successfully. Subsequent emails after
> that fail. After about twenty minutes the next email will go out OK
> again but subsequent emails will fail.
>
> The verbose logs on the GWIA don't tell me much but the diagnostic logs
> show what looks like a reverse DNS lookup happening at the GWIA for my
> local IP address of 10.0.0.3 (the Rec server). This reverse DNS lookup
> fails (probably a timeout) and subsequent emails from this local Rec
> server get dropped by the GWIA without the DNS lookup.
>
> DNS is being done by DNS proxy on Bordermanager 9.2. I've bypassed the
> Bordermanager DNS and the same thing happens. I've made entries for the
> local Rec server into a route.cfg file but the GWIA seems to want to
> ignore these entries and keeps doing the DNS lookup.
>
> The weirdest part of the puzzle is that if I restart the proxy on the
> Bordermanager the next email will go out with, of course, subsequent
> emails failing. I've looked at the proxy dns cache and can't even find
> an entry for my Rec server.
The reverse DNS done by GWIA is normal, and can't be stopped or tricked.
That it fails in such odd ways must be a bug with the reverse DNS proxy
of Bordermanager though. Apparently on the second lookups, it doesn't
answer in a timely manner (the type of answer is irrelevant, just it
*has* to answer). Use a different, "real" DNS server for your GWIA.
CU,
Massimo Rosen
Novell Product Support Forum Sysop
No emails please!
-
Connectivity Issue between ASA 5520 firewall and Cisco Call Manager
Recently I have installed an ASA 5520 firewall. Below are the details of my network:
ASA 5520 inside ip: 10.12.10.2/24
Cisco Switch 3560 IP: 10.12.10.1/24 for Data and 10.12.110.2/24 for Voice
Cisco Call Manager 3825 IP: 10.12.110.2/24
The users and the IP phones are getting IPs from the DHCP server which is configured on the Cisco 3560 switch.
the Default Gateway for Data user is 10.12.10.2/24 and
for the voice users is 10.12.110.2/24
Now the problem is that the users are not able to ping 10.12.110.2 (the call manager). Please, if somebody can help in this regard, I would appreciate a prompt response to this issue.
Actually I don't want to insert a new subnet and complicate the network. I need a simple way to solve the problem. Below are the details of the ASA 5520 config.
ASA Version 8.2(1)
name x.x.x.x Mobily
interface GigabitEthernet0/0
nameif inside
security-level 99
ip address 10.12.10.2 255.255.255.0
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp
service-object ip
service-object icmp
service-object udp
service-object tcp eq ftp
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ssh
service-object tcp eq telnet
access-list RA_VPN_splitTunnelAcl_1 standard permit Inside-Network 255.255.255.0
access-list RA_VPN_splitTunnelAcl standard permit Inside-Network 255.255.255.0
access-list inside_nat0_outbound extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_1 10.12.10.16 255.255.255.240 Inside-Network 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu mgmt 1500
ip local pool VPN-Pool 172.16.1.1-172.16.1.30 mask 255.255.255.0
ip local pool VPN-Users 10.12.10.21-10.12.10.30 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 Inside-Network 255.255.255.0
route outside 0.0.0.0 0.0.0.0 Mobily 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Mgmt-Network 255.255.255.0 mgmt
http Inside-Network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet Inside-Network 255.255.255.0 inside
telnet timeout 5
ssh Inside-Network 255.255.255.255 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RA_VPN internal
group-policy RA_VPN attributes
dns-server value 86.51.34.17 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_VPN_splitTunnelAcl
username admin password LPtK/u1LnvHTA2vO encrypted privilege 15
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool VPN-Users
default-group-policy RA_VPN
tunnel-group RA_VPN ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:e5a64fa92ae465cd7dabd01ce605307d
: end -
Performance Issue behind ASA 5520
Hi Community!
I've got an ASA 5520 (8.4.3) Failover Cluster.
Behind this ASA I have a couple of DMZ networks. In one of these networks (let's call it DMZ-A) I have a performance issue.
So, in DMZ-A I have 2 Windows 2012 R2 servers.
IP Server1: 10.0.233.10/24
IP Server2: 10.0.233.12/24
If I do an RDP session to Server1 from my client computer (on the inside network - IP: 10.0.20.199) it is really slow. Also file transfer is very slow. Ping gives me a "normal" reply.
If I do an RDP session to Server2 from my client computer everything works normally.
If I do an RDP session from Server2 to Server1 everything works normally.
I did a packet capture to both servers, and when I analyse them with Wireshark there is (at a certain packet) a big difference. -> see attached files
ASA_10 -> 10.0.233.10
ASA_12 -> 10.0.233.12
Can anybody help me find out what's going wrong there?
Thanks a lot!!
Hi ... thanks for the answer.
Here is the config. Hope I got all the relevant things in it.
Somehow the NAT statement causes the trouble:
object network 10.0.233.10
nat (dmz233,outside) static XXX.XXX.XXX.133
Because if I delete this statement, the RDP connection to the server works normally.
I deleted all the network objects and object groups.
Also all the VPN configs are missing.
DELETED THE ASA CONFIG BECAUSE I SOLVED THE PROBLEM!!!! -> misconfiguration
Thanks !! -
What is causing ASA 5520 v8.4 error 305006 for DNS traffic?
I implemented transparent mode NAT in single context mode on an ASA 5520 v8.4. Some connections are working well, but I am seeing others unable to resolve DNS. I am seeing a lot of the following error messages:
Syslog ID 305006 regular translation creation failed for udp src inside: 10.x.x.x/x des outside:192.168.1.3/53
Any ideas on what I might look for as possible errors in my configuration? -
Issue with very slow DNS lookup. SBS 2008 R2.
(Preface: sorry if this is the wrong forum...new at this! X-posted from Reddit)
I'm stumped with this one. Last week, the server installed a few updates, no problem, a handful of security stuff. Since then, I've been having issues with DNS lookups on every computer on the network. It will hang on "looking up <domain>.com..."
and then after 20-30 seconds, it will show a "can't find the server" error. BUT THEN! When you click try again, it loads right up. And then it works fine. For a day or so. Then, the next day, or maybe just a few hours later, sometimes while browsing
the same site, it will do the same thing. It's like the DNS server just forgets the lookups it's already done after a time.
Things I've tried:
restarting server (duh)
rolling back updates
reinstalling said updates
restarting all network hardware from the gateway outwards
restarting the service itself while the server is running
The only thing the event log shows is a single error during startup - event ID 4015. The text reads:
"The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is ' '."
This error has only occurred once that I saw and did not occur on the most recent startup, but the issue is still present
Active directory seems to be fine. No errors or warnings in it and no info from the event log is showing anything that seems to be helpful.
I've looked around the KB but every article seems to be troubleshooting a much more specific problem or a different problem altogether, such as a misnamed, stuck, or incorrect DNS zone, or a DNS lookup that fails to complete altogether.
Hi Craigglesofdoom,
Would you please let us know current situation of this issue? Did you refer to above suggestions and solve this problem? If any update, please feel free to let us know.
Please also run SBS BPA tool and check if find relevant issues.
For Event ID 4015, please refer to following article and check if can help you.
Event ID 4015 — DNS Server Active Directory Integration
-->The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly.
Please use dcdiag command-line tool. Any find?
Domain Controller Diagnostics Tool (dcdiag.exe)
Dcdiag for DNS: Test details explained
Hope this helps.
Best regards,
Justin Gu
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]