DNS Inspect on FWSM module

We picked up a strange problem on the FWSM. DNS queries sent to UDP 53 for the DNS services hosted on a Linux server failed to work.
DNS INSPECT on the firewalls had to be turned off and DNS tests were fired again to get this working. Is this a known problem, or do we have a workaround instead of disabling the INSPECT feature?

With the introduction of DNS security, large DNS requests would require authentication. This was first introduced in version 8.2 of the ASA firewall, when we changed from the fixed size of 512 bytes to Auto.
The FWSM was left behind because it was either way going to be replaced by the ASA-SM.
I remember this issue when the Windows Server 2008 came out.
I would rather check exactly why the packet is being dropped with the logs rather than doing any suggestions.
Mike

Similar Messages

  • Two FWSM module act as Single

    Hi ALL,
    We have two switches, and two FWSM modules are inserted into the two switches. Can I add the FWSM as a separate device instead of a module, because I can't telnet to the FWSM from the switch? The customer is not ready to configure the telnet option. The FWSM modules are working in active/active mode, so a virtual single IP is configured. How can I add the FWSM module in this network?

    You can use as the separate device. For the further description the following URL for the configuration for the FWSM will help you
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/configuration/guide/context.html

  • Replacing Faulty FWSM module in Cluster

    Hi,
    We have a faulty FWSM module in Cisco 6509 switch in Active/Standby cluster mode
    We have purchased a refurbished FWSM module to replace it. It has the same FWSM OS 4.0 (4) and is in factory default configuration
    What procedures should I follow to make this unit live and sync the config between the current active unit to this one.
    Can one of you please explain me the steps and if an link to an article which explains this will be great
    Thanks,
    Chandru

    Hi Bro
    Firstly, insert the newly purchased refurbished Cisco FWSM module into the slot where the faulty Cisco FWSM module was originally located. Second, paste the configuration from the working unit into this newly purchased refurbished Cisco FWSM module. Note: Please do ensure that under the failover commands one side is primary and the other side is secondary. Lastly, issue the command show failover to ensure the failover status, i.e. NORMAL, is in good working condition.
    I’ve done this countless times, you should do just fine. This is easy.
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fail_f.html
    Regards,
    Ram

  • DNS Inspection Denial of Service Vulnerability check

    Hi Everyone,
    I am checking this Cisco link --- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa for
    DNS Inspection Denial of Service Vulnerability
    Cisco ASA Software is affected by this vulnerability if the DNS Application Layer Protocol Inspection (ALPI) engine is configured to inspect DNS packets over TCP.
    To verify if the DNS ALPI engine is inspecting DNS packets over TCP, use the show running-config access-list <acl_name> command, where acl_name is the name of the access-list used in the class-map to which the DNS inspection is applied. This can be found by using the show running-config class-map and show running-config policy-map commands.
    The following example shows Cisco ASA Software with the DNS ALPI engine configured to inspect DNS packets over TCP.
    ciscoasa# show running-config access-list
    access-list DNS_INSPECT_ACL extended permit tcp any any
    OR
    ciscoasa# show running-config access-list
    access-list DNS_INSPECT_ACL extended permit ip any any
    ciscoasa# show running-config class-map
    class-map DNS_INSPECT_CP
    match access-list DNS_INSPECT
    ciscoasa# show running-config policy-map
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
    class DNS_INSPECT_CP
      inspect dns preset_dns_map
    Note: Cisco ASA Software will not inspect DNS packets over TCP by default.
    I checked my ASA and ran the command
    show running-config policy-map
    policy-map global_policy
    class inspection_default
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect dns
      inspect http
      inspect ftp
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum 512
    policy-map map
    class inspection_default
    Does this confirm that this ASA is vulnerable?
    Regards
    Mahesh

    Hi,
    The post says this:
    Cisco ASA Software is affected by this vulnerability if the DNS Application Layer Protocol Inspection (ALPI) engine is configured to inspect DNS packets over TCP.
    So it says that if the ASA is configured to inspect DNS over TCP then it's vulnerable.
    It also says:
    Note: Cisco ASA Software will not inspect DNS packets over TCP by default.
    And it seems you have not made any special configurations related to DNS inspection; therefore your ASA should not be inspecting DNS that is using TCP, and therefore it should not be vulnerable. At least that is how it seems to me.
    - Jouni
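    The check Jouni walks through above (is "inspect dns" applied to a class whose access-list permits tcp or ip, or only to the default inspection class?) can be scripted. The following is an added example, not part of the thread and not a Cisco tool. It parses show running-config text in the layout the advisory's example uses (one-space indent for class and parameters lines, two for inspect lines) and treats match default-inspection-traffic as UDP/53-only DNS, as the advisory's note states. Both sample configs are constructed from the fragments quoted above, with the ACL name made consistent with the class-map that references it.

```python
import re
from collections import defaultdict

# Constructed sample, assembled from the running-config fragments quoted in the thread
# (the ACL name is made consistent with the class-map that references it).
SAMPLE_CONFIG = """\
access-list DNS_INSPECT_ACL extended permit tcp any any
class-map inspection_default
 match default-inspection-traffic
class-map DNS_INSPECT_CP
 match access-list DNS_INSPECT_ACL
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect dns preset_dns_map
 class DNS_INSPECT_CP
  inspect dns preset_dns_map
"""

# Constructed sample in the shape of the config Mahesh posted: DNS inspection only on
# the default inspection class.
SAMPLE_DEFAULT_ONLY = """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
  inspect http
"""

ACL_LINE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+)")


def parse_config(text):
    """Pull the three pieces the advisory says to look at out of `show running-config`
    output: permit protocols per access-list, match statements per class-map, and the
    inspect statements per class inside each (non-'type inspect') policy-map."""
    acls = defaultdict(list)
    class_maps = defaultdict(list)
    policy_maps = defaultdict(lambda: defaultdict(list))
    block = None          # ("class-map", name) or ("policy-map", name) while inside one
    current_class = None
    for line in text.splitlines():
        if not line.strip():
            continue
        tokens = line.split()
        if not line[0].isspace():            # top-level command: starts a new block
            block, current_class = None, None
            m = ACL_LINE.match(line)
            if m and m.group(2) == "permit":
                acls[m.group(1)].append(m.group(3))
            elif tokens[0] == "class-map" and "type" not in tokens:
                block = ("class-map", tokens[-1])
            elif tokens[0] == "policy-map" and tokens[1] != "type":
                block = ("policy-map", tokens[1])
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "class-map" and tokens[0] == "match":
            class_maps[name].append(" ".join(tokens[1:]))
        elif kind == "policy-map" and tokens[0] == "class":
            current_class = tokens[1]
        elif kind == "policy-map" and tokens[0] == "inspect" and current_class:
            policy_maps[name][current_class].append(" ".join(tokens[1:]))
    return acls, class_maps, policy_maps


def tcp_reason(match, acls):
    """Why a class-map match statement can hand TCP traffic to DNS inspection, or None."""
    parts = match.split()
    if parts[0] == "default-inspection-traffic":
        return None   # default DNS inspection is UDP/53 only, as the advisory note says
    if parts[0] == "port" and parts[1] == "tcp":
        return "match " + match
    if parts[0] == "access-list":
        hits = sorted({p for p in acls.get(parts[1], []) if p in ("tcp", "ip")})
        if hits:
            return f"access-list {parts[1]} permits {', '.join(hits)}"
    return None


def dns_inspect_over_tcp(text):
    """Return [(policy_map, class, reason)] for each class that applies 'inspect dns'
    to traffic that can include TCP: the condition the advisory describes."""
    acls, class_maps, policy_maps = parse_config(text)
    findings = []
    for pmap, classes in policy_maps.items():
        for cname, inspects in classes.items():
            if not any(i.split()[0] == "dns" for i in inspects):
                continue
            for match in class_maps.get(cname, []):
                reason = tcp_reason(match, acls)
                if reason:
                    findings.append((pmap, cname, reason))
    return findings


if __name__ == "__main__":
    for finding in dns_inspect_over_tcp(SAMPLE_CONFIG) or [("-", "-", "no DNS inspection over TCP")]:
        print(*finding)
```

    Run against a saved copy of show running-config; an empty result means DNS inspection is only reached through default-inspection-traffic or UDP-only matches, which is the situation Jouni describes for Mahesh's config.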

  • DNS Inspect packet too long (inspect-dns-pak-too-long)

    All,
    I have been seeing a large number of drops because of the DNS Inspect packet being too long. Does anyone have any suggestions? I have tried increasing the maximum message length but that does not seem to have any impact. Thanks!
    Dave

    Julio,
    Thanks for the quick response! I will try a packet capture. I did try removing the maximum-length option but I am still seeing drops when I do a "sh asp drop | inc dns" command. DNS Inspect packet too long (inspect-dns-pak-too-long) increments pretty quick.
    Dave

  • DNS Inspection Denial of Service Vulnerability

    Advisory ID: cisco-sa-20131009-asa
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa
    I have a Pix running version 8.0.4 with the following configuration:
    inside interface:      192.168.231.254/255.255.255.0
    outside interface:     10.100.2.254/255.255.255.0
    no nat-control
    access-list test permit ip any any log
    access-group test in interface outside
    access-group test in interface inside
    I have a Windows 2008R2 machine residing on the internal interface of the firewall. The domain controller resides on the outside interface of the firewall.
    I went ahead and implemented the change recommended by Cisco:
    access-list DNS_INSPECT extended permit udp any any
    class-map DNS_INSPECT_CP
       match access-list  DNS_INSPECT
    policy-map global_policy
       class DNS_INSPECT_CP
         inspect dns preset_dns_map
    However, after implementing the workaround, my Windows 2008R2 machine on the inside network can NOT join AD on the outside network.
    on the log of the firewall I see this:
    Oct 31 14:34:09 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61780 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
    Oct 31 14:34:17 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61780 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
    I even changed the DNS maximum length to 8192 but it still does not work.
    When I remove the recommendation from the configuration, everything works fine after that.
    Anyone knows why?
    Thanks in advance

    Julio Carvajal wrote: You do not have this command available at the CLI, right?
    message-length maximum client auto
    I do
    CiscoPix# sh run policy-map
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 1024
      message-length maximum client auto
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect sqlnet
      inspect dns preset_dns_map
    class class_sunrpc_tcp
      inspect sunrpc
    class DNS_INSPECT_CP
      inspect dns preset_dns_map
    CiscoPix#
    Julio Carvajal wrote: Then clear local-host, try one more time and provide the logs.
    Note:
    access-list test permit ip any any log
    access-group test in interface outside
    access-group test in interface inside
    That ACL means you have no firewall in place.
    I am very aware of this. At this point it does not matter; I just want the firewall to function like a routing device.
    It still does NOT work. Here is the log:
    Oct 31 17:57:25 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(61982) -> outside/10.100.2.128(53) hit-cnt 1 first hit [0x63a9cac7, 0x0]
    Oct 31 17:57:25 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(61983) -> outside/10.100.2.128(389) hit-cnt 1 first hit [0x63a9cac7, 0x0]
    Oct 31 17:57:25 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
    Oct 31 17:57:32 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
    Oct 31 17:57:33 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(50955) -> outside/10.100.2.128(53) hit-cnt 1 first hit [0x63a9cac7, 0x0]
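    Dave's "inspect-dns-pak-too-long" drops in the thread above and the %PIX-4-410001 "label length 132 bytes exceeds protocol limit of 63 bytes" lines in this one come from the same two limits: the configured message-length maximum and the 63-byte label limit of RFC 1035. Note that in the log the dropped requests go to port 389 (LDAP), not 53: the workaround ACL permit udp any any hands every UDP flow to the DNS engine, which then reads non-DNS bytes as DNS label lengths. The following is an added example, not from either post and not the ASA's code; it is a simplified Python model of those two checks, run over a constructed DNS query and a constructed non-DNS payload so that the failure is visible. Only 0xC0 compression pointers are recognised; other label types are out of scope.

```python
import struct

MAX_LABEL = 63          # RFC 1035 label limit: the "protocol limit of 63 bytes" in the syslog
MAX_UDP_MESSAGE = 512   # the default 'message-length maximum 512'


def build_query(name, qtype=1):
    """Construct a minimal DNS query (QR=0, RD=1, one question) in wire format.
    Sample data, not captured traffic."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def check_dns_message(payload, max_len=MAX_UDP_MESSAGE):
    """Apply the two limits that produced the drops quoted above: total message length
    and per-label length in the question section. Returns (ok, reason)."""
    if len(payload) > max_len:
        return False, f"message length {len(payload)} exceeds maximum {max_len}"
    if len(payload) < 12:
        return False, "shorter than a DNS header"
    qdcount = struct.unpack("!H", payload[4:6])[0]
    pos = 12
    for _ in range(qdcount):
        while True:                     # walk one <length><label> sequence
            if pos >= len(payload):
                return False, "truncated question name"
            length = payload[pos]
            if length == 0:             # root label ends the name
                pos += 1
                break
            if length & 0xC0 == 0xC0:   # compression pointer (2 bytes) also ends the name
                pos += 2
                break
            if length > MAX_LABEL:
                return False, (f"label length {length} bytes exceeds protocol limit "
                               f"of {MAX_LABEL} bytes")
            pos += 1 + length
        pos += 4                        # QTYPE + QCLASS
    return True, "ok"


# Constructed payload that is not DNS: a BER-style byte pattern (SEQUENCE 0x30 followed by
# a long-form length byte 0x84), padded so that, read as DNS, bytes 4-5 give a non-zero
# QDCOUNT and the byte at offset 12 (0x84 = 132) is taken as the first label length.
NOT_DNS = bytes.fromhex("30840000009a02010163848484000000")

if __name__ == "__main__":
    for label, pkt in [("query", build_query("ad.example.com")),
                       ("long label", build_query("a" * 70 + ".example.com")),
                       ("not DNS", NOT_DNS)]:
        print(label, check_dns_message(pkt))
```

    Raising message-length maximum cannot help with the label-length drop, which is why the 8192 setting above changed nothing. Scoping the inspection class to match port udp eq domain (as the botnet-DNS class-map further down this page does) instead of a udp any any access-list keeps the DNS engine away from LDAP and other UDP services.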

  • FWSM module flapping on 6509 backplane

    I have a 6509 with an active FWSM in slot 3 and failover (standby) in slot 4.
    I noticed today that a message appeared in my switch log that the module in slot 3 was seemingly flapping between the port-channels on the backplane. Po307 should be the active FWSM and as far as I know, Po308 should be the failover/standby.
    The message was
    %MAC_MOVE-SP-4-NOTIF: Host 0016.c782.eb80 in vlan 307 is flapping between port po308 and po307
    And a bunch of vlans are listed in this error, which represent the firewalled vlans on the FWSM.
    When I check to see if there was a failover event on the FWSM, it does not indicate that there was.
    What might be going on here?

    Hi,
    The switch has its normal vibrations, and over time those vibrations can cause a module to come slightly away from the backplane. When this happens, the supervisor's keepalive polling does not receive a response from the module within the allotted time, and the supervisor reboots the module in order to try to gain a better connection to it. If the module still does not respond to the polls, the supervisor continuously reboots the module and eventually puts it into error disable and does not allow any power to reach the module.
    A simple reseat of the module corrects this issue 90 percent of the time. If you reseat the module, it realigns the switch fabric and ensures a firm connection to the backplane.
    Also refer this post
    HTH
    "Please rate helpful posts"

  • Eq 8080 commands not being entered on FWSM module

    Hi There,
       I'm having an issue with some Firewalls in my network. I have several firewall modules (WS-SVC-FWM-1) in 6509s,
    FWSM Firewall Version 2.3(3) <system>
    FWSM Device Manager Version 4.1(3)
    I'm trying to enter the following rules
    access-list ACL-IN extended permit ip host X.X.X.0 X.X.X.0 255.255.255.0 eq 8080
    access-list ACL-IN extended permit ip host X.X.X.1 X.X.X.0 255.255.255.0 eq 8080
    access-list ACL-IN extended permit ip host X.X.X.2 X.X.X.0 255.255.255.0 eq 8080
    access-list ACL-OUT extended permit ip X.X.X.0 255.255.255.0 host X.X.X.0 eq 8080
    access-list ACL-OUT extended permit ip X.X.X.0 255.255.255.0 host X.X.X.1 eq 8080
    access-list ACL-OUT extended permit ip X.X.X.0 255.255.255.0 host X.X.X.2 eq 8080
    What happens is, these commands don't go into the configuration, and I don't get an error, but any rule after it also does not get copied into the config when I copy and paste a list of commands. All the commands before it go in no problem.
    Does it not like eq 8080? Can I not do 'permit ip' with an eq command? Do I have to use 'permit tcp' to enter the command?
    Thanks.

    If you are going to specify a port you need to use the TCP or UDP protocol.  You are specifying IP so you will get an error because of this.

  • 6500 has IDSM-2 and FWSM modules

    i got a task to configure Catalyst 6509 supervisor engin sup720-10g-3c  and has FWSM and IDSM-2 service modules .
    what consideration should i take  and is  there is any configuration example for both
    thank you for your help

    They are many posts on this forum on this subject, did you try using the search function?
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00809c37cb.shtml
    Regards
    Farrukh

  • Cisco 6516 FWSM Module problem

    Hi
    We have a 6513 Cisco FW with 2 FWSMs in Active/Standby failover. When the primary module is in the active state, the users' sessions are suddenly disconnected while ping is OK (no request timeout packets). Now we have to work with only one module. What should we do?
    Thankx
    Dalia

    Hello Dalia,
    Could you explain the issue a little further?
    Are you saying that when having both FWSM in active/standby and with the primary in active state all of the sessions are dropped except ICMP?
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • Migrating from FWSM to ASA Service Module (ASASM)

    I'm migrating from a failover pair of FWSM modules across to a failover pair of ASA Service Modules. In order to avoid a "big bang" switchover I intend to migrate subnets from one to the other over a protracted period.
    With that in mind, can anyone confirm whether there is any restriction on having FWSM and ASASM modules in the same chassis? A trawl of the relevant documentation hasn't revealed anything.
    In this specific case it is Catalyst 6509E VSS chassis pairs with Sup-2T.
    Thanks in advance.

    So long as the chassis has enough power to power these modules you are good.
    Up to 4 FWSMs can be installed in a chassis.
    Up to 4 ASA-SM modules can be installed in a chassis.
    FWSM:
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html
    • Up to 4 FWSMs (20 Gbps) per Catalyst 6500 chassis
    ASA-SM
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11621/qa_c67-662207.html
    Q. How many ASA Services Modules can I place in a Cisco Catalyst 6500 Series chassis?
    A. Up to four independent ASA Services Modules can simultaneously run in a Cisco Catalyst 6500-E Series chassis.
    -Kureli
    Checkout my breakout session at Cisco Live 2013, Orlando, Florida.
    BRKSEC-2024 Deploying Next-Generation Firewall Services on the ASA 
    Room 314A Tuesday, June 25 3:00 PM - 4:30 PM

  • Cisco ASA unable to inspect Microsoft DNS

    Hi All,
    I have setup Botnet Filter and is working good except for one thing.
    While it can inspect DNS packets for clients that have DNS Servers outside my network (for example OpenDNS) it can't inspect packets from my internal DNS Infrastructure that is a Microsoft DNS, the forwarders setup on my DNS servers are Google's and OpenDNS.
    My DNS Servers sits on the same subnet of the client and passes through the ASA so I wonder why the ASA is not able to catch their traffic up.
    Here is the relevant parts of the config
    dynamic-filter updater-client enable
    dynamic-filter use-database
    dynamic-filter enable interface outside classify-list botnet-exclude
    dynamic-filter drop blacklist interface outside action-classify-list botnet-exclude threat-level range very-low very-high
    dynamic-filter ambiguous-is-black
    class-map inspection_default
     match default-inspection-traffic
    class-map botnet-DNS
     match port udp eq domain
    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect pptp
      inspect dns migrated_dns_map_1
     class class-default
      user-statistics accounting
    policy-map botnet-policy
     class botnet-DNS
      inspect dns dynamic-filter-snoop
    Does somebody have any clues?

    Missed a little part of config
    service-policy global_policy global
    service-policy botnet-policy interface outside

  • ACE tcp & udp inspection

    Hi,
    I want to create a security model where one VLAN is more trusted than the other (like a PIX/ASA or a router with inspection enabled). However, when I want to create a TCP or UDP inspection I can only select between a limited number of protocols.
    I've created 2 class maps :
    class-map match-all TCP_INSPECT
    2 match port tcp any
    class-map match-all UDP_INSPECT
    2 match port udp any
    Then combined them into a policy-map:
    policy-map multi-match INSPECTION
    class TCP_INSPECT
    class UDP_INSPECT
    However, when I enter the policy-map\TCP_INSPECT I can only choose between: dns Configure dns inspection, ftp Configure ftp inspection, http Configure http inspection, icmp Configure icmp inspection, rtsp Configure rtsp inspection.
    However, I do have for example SMB traffic running from one VLAN to the other. How can I inspect that traffic so I don't have to enter an extra access-list entry?

    The ACE module comes with limited amount of security features.
    You will not have all the PIX or FWSM features on the ACE module.
    This is mostly a loadbalancer with some security features.
    Gilles.

  • FWSM strange acl behavior

    Hi!
    I have FWSM running 4.1(6) with two security contexts.
    The context test config is:
    FWSM/test# sh run
    : Saved
    FWSM Version 4.1(6) <context>
    hostname test
    domain-name fwsm.spbstu.ru
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    dns-guard
    interface Vlan556
    nameif inside
    security-level 100
    ip address 192.168.100.254 255.255.255.0
    interface Vlan557
    nameif dmz
    security-level 50
    ip address 172.16.2.1 255.255.255.0
    passwd 2KFQnbNIdI.2KYOU encrypted
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list permit_any extended permit tcp any any
    access-list permit_any extended permit udp any any
    access-list permit_any extended permit ip any any
    access-list dmz_in extended permit icmp any any
    access-list dmz_in extended permit udp any any
    access-list dmz_in remark dmz_in
    access-list dmz_in extended permit tcp any any
    access-list dmz_out extended permit icmp any any
    access-list dmz_out extended permit udp any any
    access-list dmz_out extended permit tcp any any
    access-list inside_in extended permit tcp any eq 3389 any
    access-list inside_in extended permit tcp any any
    access-list inside_in extended deny ip any any
    access-list inside_out extended permit icmp any any
    access-list inside_out extended permit udp any any
    access-list inside_out extended permit tcp any any
    pager lines 24
    logging enable
    logging console debugging
    logging buffered debugging
    logging asdm debugging
    mtu inside 1500
    mtu dmz 1500
    no asdm history enable
    arp timeout 14400
    nat-control
    access-group permit_any in interface inside
    access-group permit_any out interface inside
    access-group permit_any in interface dmz
    access-group permit_any out interface dmz
    route dmz 0.0.0.0 0.0.0.0 172.16.2.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout pptp-gre 0:02:00
    timeout uauth 0:05:00 absolute
    username cisco password ZBZ8GNEdrJsjFvsR encrypted
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication http console LOCAL
    http server enable
    no snmp-server location
    no snmp-server contact
    telnet timeout 60
    ssh timeout 60
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect dns
      inspect ftp
      inspect netbios
      inspect rsh
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
      inspect http
    service-policy global_policy global
    Cryptochecksum:632fecb27da8e4b662d4197c60f1b22a
    : end
    Routing and vlan config is fine for sure.
    but access is denied while ACL counters are 0
    Does anybody have any ideas where I should look more carefully?
    system context config is
    FWSM# sh run
    : Saved
    FWSM Version 4.1(6) <system>
    resource acl-partition 12
    hostname FWSM
    enable password 8Ry2YjIyt7RRXU24 encrypted
    interface Vlan555
    interface Vlan556
    interface Vlan557
    interface Vlan1216
    passwd 2KFQnbNIdI.2KYOU encrypted
    class default
      limit-resource IPSec 5
      limit-resource Mac-addresses 65535
      limit-resource ASDM 5
      limit-resource SSH 5
      limit-resource Telnet 5
      limit-resource All 0
    ftp mode passive
    pager lines 24
    no failover
    no asdm history enable
    arp timeout 14400
    console timeout 0
    admin-context admin
    context admin
      description default_context
      member default
      allocate-interface Vlan1216
      allocate-interface Vlan555
      allocate-acl-partition 0
      config-url disk:/admin.cfg
    context test
      description test
      member default
      allocate-interface Vlan556
      allocate-interface Vlan557
      allocate-acl-partition 1
      config-url disk:/CON_test.cfg
    prompt hostname context
    Cryptochecksum:ae682011fefdab9a0e4eeda02ca49c6e
    : end

    access-list permit_any extended permit tcp any any
    access-list permit_any extended permit udp any any
    access-list permit_any extended permit ip any any
    access-list permit_any extended permit icmp any any
    access-group permit_any in interface inside
    access-group permit_any out interface inside
    access-group permit_any in interface dmz
    access-group permit_any out interface dmz
    I don't understand why FWSM denies ICMP:
    ( I am pinging from Cat6509 SUP 172.16.2.254 ( which is on dmz interface ) the host on inside interface 192.168.100.250:
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    %FWSM-7-111009: User 'enable_15' executed cmd: show logging
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
    Any ideas?
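    To make drop lines like the %FWSM-3-106010 entries in this thread and the %PIX-4-410001 entries in the PIX thread above stand out from permitted traffic, the following added example (not part of either post) parses %PIX/%ASA/%FWSM syslog lines for message ids 410001, 106010 and 106100 and tallies drop events per flow and reason. The sample lines are re-used from the posts above as constructed input; other message ids are recognised only by their header, and the field layout of the three handled messages is assumed from the lines quoted on this page.

```python
import re
from collections import Counter

# Constructed sample: syslog lines of the kind quoted in the threads above (addresses and
# interface names are the ones in those posts, re-used as sample data).
SAMPLE_LOG = """\
Oct 31 17:57:25 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(61983) -> outside/10.100.2.128(389) hit-cnt 1 first hit [0x63a9cac7, 0x0]
Oct 31 17:57:25 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
Oct 31 17:57:32 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
%FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
%FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
%FWSM-7-111009: User 'enable_15' executed cmd: show logging
"""

HEADER = re.compile(r"%(?P<platform>PIX|ASA|FWSM)-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)")

# Field layouts of the three message ids quoted on this page.
PATTERNS = {
    "410001": re.compile(
        r"Dropped (?P<proto>\w+) DNS request from (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
        r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+); (?P<reason>.*)"),
    "106010": re.compile(
        r"Deny inbound (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+) "
        r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)"),
    "106100": re.compile(
        r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
        r"(?P<src_if>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
        r"(?P<dst_if>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"),
}


def parse_line(line):
    """Return a dict with platform/severity/id plus the message-specific fields for the
    ids in PATTERNS, or None if the line is not a PIX/ASA/FWSM syslog message."""
    m = HEADER.search(line)
    if not m:
        return None
    rec = {"platform": m["platform"], "severity": int(m["sev"]), "id": m["id"]}
    body = PATTERNS.get(rec["id"])
    if body:
        bm = body.search(m["msg"])
        if bm:
            rec.update(bm.groupdict())
    return rec


def summarize_drops(text):
    """Count drop events by (id, src, dst, port-or-type, reason) so the flows being
    dropped by DNS inspection (410001) or by the ACL/connection check (106010) stand
    out from the permitted-traffic noise of 106100."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec["id"] == "410001" and "reason" in rec:
            key = (rec["id"], rec["src"], f'{rec["dst"]}/{rec["dport"]}', rec["reason"])
        elif rec["id"] == "106010" and "type" in rec:
            key = (rec["id"], rec["src"], rec["dst"], f'{rec["proto"]} type {rec["type"]}')
        else:
            continue
        counts[key] += 1
    return counts


def dns_drops_to_non_dns_ports(text):
    """Destination ports other than 53 seen in 410001 drops: DNS inspection is being
    applied to traffic that is not DNS (the port-389 case in the PIX thread)."""
    recs = (parse_line(line) for line in text.splitlines())
    return sorted({r["dport"] for r in recs
                   if r and r["id"] == "410001" and r.get("dport") not in (None, "53")})


if __name__ == "__main__":
    for key, n in summarize_drops(SAMPLE_LOG).most_common():
        print(n, *key)
    print("410001 drops to non-DNS ports:", dns_drops_to_non_dns_ports(SAMPLE_LOG))
```

    Feeding show logging output through summarize_drops gives one line per dropped flow and reason; a non-empty dns_drops_to_non_dns_ports result is the quickest sign that the DNS inspection class matches more than port 53.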

  • Inspect http issue - unable to browse secure site.

    Hi,
    The current version of the ASA firewall is 7.1(2). When inspect http is enabled, opening a secure site like the Axis Bank account page or any money market site shows either a blank page or a "page cannot be displayed" error. When I disable this command I am able to access all the secure sites properly. It looks like a bug, but in the release notes I am not finding any bug related to this issue. Please help me resolve this issue.
    Amit M.

    Thanks for the reply. When I enable http inspection and try to open the login page for some of the sites, "this page cannot be displayed" appears. I also thought the MSS might get exceeded, but in show asp drop the TCP MSS counter is not showing. I still created a class for MSS exceeded and applied it in the global configuration, but it does not work. Later I had to disable http inspection and it started working. Now the question is: when clicking on the login button it goes from the http to the https page; why does this shift from http to https affect the connection when http inspection is enabled?
    Following is the show asp drop output.
    Please check
    PIXFIREWALL# sho asp drop
    Frame drop:
      Invalid IP header                                          10
      No route to host                                           13
      Reverse-path verify failed                             398846
      Flow is denied by configured rule                 107075
      Flow denied due to resource limitation          35
      Invalid SPI                                                 2
      First TCP packet not SYN                           62706
      TCP failed 3 way handshake                        1211
      TCP RST/FIN out of order                             39
      TCP packet SEQ past window                      1
      TCP invalid ACK                                          1
      TCP packet buffer full                                    209
      TCP RST/SYN in window                               14
      TCP DUP and has been ACKed                      10411
      TCP packet failed PAWS test                         10
      IPSEC tunnel is down                                     137
      IP option drop                                                551
      Expired flow                                                   26
      ICMP Inspect seq num not matched                1057
      ICMP Error Inspect different embedded conn     60
      DNS Inspect id not matched                            4674
      IPS Module requested drop                              8
      FP L2 rule drop                                               22988
      Interface is down                                             8
    Flow drop:
      Flow terminated by IPS                                     16
      NAT failed                                                       13066
      Tunnel being brought up or torn down                514
      Need to start IKE negotiation                            2136
      Inspection failure                                               60
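    show asp drop only gives cumulative counters, so what Dave describes in the packet-too-long thread ("increments pretty quick") is easiest to see by diffing two snapshots. The following added example (not from either thread and not a Cisco tool) parses the counter table in the format quoted in this post and ranks the counters that grew between two captures, with an optional keyword filter equivalent to "| include dns". Both snapshots are constructed sample text, and the inspect-dns-pak-too-long counter name is taken from Dave's post.

```python
import re

# Constructed snapshots in the format quoted above (values chosen for the example).
SNAPSHOT_1 = """\
Frame drop:
  Reverse-path verify failed                             398846
  Flow is denied by configured rule                      107075
  TCP failed 3 way handshake                               1211
  DNS Inspect id not matched                               4674
  DNS Inspect packet too long (inspect-dns-pak-too-long)    120
Flow drop:
  NAT failed                                              13066
  Inspection failure                                         60
"""

SNAPSHOT_2 = """\
Frame drop:
  Reverse-path verify failed                             398850
  Flow is denied by configured rule                      107080
  TCP failed 3 way handshake                               1211
  DNS Inspect id not matched                               4690
  DNS Inspect packet too long (inspect-dns-pak-too-long)    980
Flow drop:
  NAT failed                                              13066
  Inspection failure                                         61
"""

# Indented "<name>   <count>" counter line; the name may itself contain digits.
COUNTER = re.compile(r"^\s+(?P<name>\S.*?)\s+(?P<count>\d+)\s*$")


def parse_asp_drop(text):
    """Return {section: {counter name: value}} from show asp drop output."""
    sections, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]        # e.g. "Frame drop"
            sections[current] = {}
            continue
        m = COUNTER.match(line)
        if m and current is not None:
            sections[current][m["name"]] = int(m["count"])
    return sections


def drop_deltas(before, after, keyword=None):
    """Counters that grew between two snapshots, largest increase first.
    `keyword` filters by substring, case-insensitively, like `| include dns`."""
    b, a = parse_asp_drop(before), parse_asp_drop(after)
    deltas = []
    for section, counters in a.items():
        for name, count in counters.items():
            diff = count - b.get(section, {}).get(name, 0)
            if diff > 0 and (keyword is None or keyword.lower() in name.lower()):
                deltas.append((section, name, diff))
    return sorted(deltas, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for section, name, diff in drop_deltas(SNAPSHOT_1, SNAPSHOT_2, "dns"):
        print(f"{diff:>8}  {section}: {name}")
```

    Capture show asp drop twice a minute apart and feed both copies to drop_deltas; the counter at the top of the list is the one worth chasing with a packet capture, as Julio suggested to Dave.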
