Wlc5508 - dns answer packet is blocked

Hi,
I've changed about 60 access points (1242/1231) from standalone mode to controller-based mode. We installed and configured three 5508 controllers with firmware release AIR-CT5500-K9-7-0-98-0.aes. All of them have the same configuration.
We have different clients (Symbol, Dlog) with 802.1x LEAP and EAP-FAST authentication in use. After authentication they connect to a web-based service that runs on a server on the campus.
After the change to controller-based mode we have the following problem:
When the clients wake up from sleep mode they authenticate correctly (ping to the webserver is OK), but the login webpage cannot be displayed (searching...). Then I sniffed the uplink of the first controller to see what happened. I found out that the DNS requests from the DNS server do not reach the WLAN clients, so the client retries the DNS request several times without success. This problem occurs on all clients (handhelds, laptops...). To temporarily solve the problem I have to disable/enable the radio interfaces of the clients.
Then I changed the mode from local to HREAP on one AP, made a local breakout at the AP and sniffed the uplink of the HREAP AP. I repeated the tests several times, and with HREAP everything is working correctly. The clients get the DNS answer packets and the page is displayed immediately.
So why does the controller block the DNS requests after sleep mode and reauthentication of the clients? With release AIR-CT5500-K9-6-0-196-0.aes the same problem occurs.
Thanks
Greetings, Flo

Hi Flo,
I'd agree that the two client connections seem to be treated differently between the 4404 and the 5508.
From the 5508 debugs, the lines that got my attention are the following:
*Oct 07 11:36:21.304: 00:15:70:34:2a:b8 Orphan Packet from DS - IP 172.17.172.101
*Oct 07 11:36:22.742: 00:15:70:34:2a:b8 Installing Orphan Pkt IP address 172.17.172.101 for station
*Oct 07 11:36:22.742: 00:15:70:34:2a:b8 Assigning Address 172.17.172.101 to mobile
These seem to be the combination of two known defects.
1. CSCsq46427
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsq46427
Even if the symptoms are exactly the same as your case, this should be fixed in 7.0.98.0, until the next one was found.
2. CSCti83830
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti83830
This second one should basically be a regression of CSCsq46427, specific for 5508 platforms.
To confirm whether you may be hitting such a situation, you could test one of the following options:
a) Apply the same workaround as for CSCsq46427.
b) Enable passive client support (only on 7.0):
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70wlan.html#wp1391015
Should all of this still not be enough, I would then recommend opening a TAC case if more advanced troubleshooting is needed:
http://tools.cisco.com/ServiceRequestTool/create/
Regards,
Fede
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

Similar Messages

  • DNS Inspect packet too long (inspect-dns-pak-too-long)

    All,
                   I have been seeing a large number of drops because of the DNS Inspect packet being too long. Does anyone have any suggestions? I have tried increasing the maximum message length but that does not seem to have any impact. Thanks!
                   Dave

    Julio,
         Thanks for the quick response!  I will try a packet capture.  I did try removing the maximum-length option but I am still seeing drops when I do a "sh asp drop | inc dns" command. DNS Inspect packet too long (inspect-dns-pak-too-long) increments pretty quick.  
         Dave

  • I can't download things just because I forgot the security questions and I'm putting the wrong answers to the security questions and they blocked me; how can I unblock it?

    I can't download things just because I forgot the security questions and I'm putting the wrong answers to the security questions and they blocked me; how can I unblock it?

    Forgotten Security Questions/Answers
    You need to contact Apple by:
    1 - Use the Express lane and start here:
    https://expresslane.apple.com
    then click More Products and Services>Apple ID>Other Apple ID Topics>Forgotten Apple ID security questions.
    or
    Apple - Support -form iTunes Store - Contact Us
    2 - Call Apple in your country by getting the number from here:
    http://support.apple.com/kb/HE57
    or           
    Apple ID: Contacting Apple for help with Apple ID account security
    3 - Use your rescue email address if you set one up
    Rescue email address and how to reset Apple ID security questions
    For general  information see:
    Apple ID: All about Apple ID security questions

  • HT5312 I had forgotten my security questions' answers and was blocked due to too many attempts. How to reset this?

    I had forgotten my security questions' answers and was blocked due to too many attempts. How to reset this?

    You need to contact Apple, either through the link in that article or by phoning them.

  • RRAS disable public DNS installed same Machine

    Hello
    Last chance after reading and trying a lot of things.
    A Windows Server 2012 R2 with two interfaces, one for public and the other for the internal LAN, with only the DNS and Remote Access roles installed. When RRAS routing with NAT is active, external queries to DNS are blocked; there is just no way to fix it.
    For completeness I attach all technical information:
    NIC 1: public ISP IP, with no gateway and no DNS configured, Only TCPIP/v4 enabled no other services like windows client services, shared and so on.
    NIC 2: internal Lan , with ip 10.0.0.1 mask 255.255.255.0 no gateway no DNS configured. As before only tcpIP v4 configured .
    RRAS configured following the wizard selecting NIC1 as internet connected and letting all the rest as "next->next".
    firewall is disabled to avoid any interference.
    Dns is configured with one zone for testing, just listening on the NIC 1 interface and disabled forwarding and recursive. The rest of DNS configuration is "Next Next".
    Also I check that RRAS is not dropping packets executing: netsh ip routing show filter.
    Please any help is much appreciated.

    Hi,
    You said that all these tests have been checked. So, what's the result?
    Is UDP port 53 blocked? What does nslookup say?
    Also, please perform a network capture on the server.
    If the DNS query is received and the server doesn't reply, please check if there is any query logged in the DNS debug log. If there is nothing logged, it means that the DNS server doesn't receive the query, please check if the DNS packet is blocked by something.
    If the DNS query is received and the server replies, please check the network setting.
    Besides, since neither of the two NICs has a gateway, have you added the proper static routes?
    Best Regards.
    Steven Lee
    TechNet Community Support

  • 10.6.4 Server on Mini Server - DNS Problems - Slow, EDNS log messages

    Like a few of other people here, I'm having a hard time getting DNS to work smoothly on my new Mac Mini Server, now running Snow Leopard Server 10.6.4. I'd been running Leopard Server on a previous machine with much smoother DNS (though the Server Admin config didn't work, that's another story).
    Resolution takes a very, very long time and eventually I'll get messages in the log saying 'success resolving 'xxxxxx' after reducing the advertised EDNS UDP packet size to 512 octets'.
    I've searched everywhere and there seem to be two reasons why this is happening:
    1. The DNS server is stopping responding on TCP, and is only responding on UDP;
    2. Some other portion of my network (maybe the router) doesn't like UDP packets bigger than 512 octets.
    For the first - is there any way I can fix this within OS X Server? There is no problem in the network since the router itself (running Linux) can resolve via TCP (using the forwarder addresses that are set up in my OS X Server config) instantly, and any clients that I switch from using the internal OS X Server (for DNS resolution) to use an external resolver work immediately too. I'm not sure why the daemon on OS X Server stops listening on TCP port 53 and only accepts UDP - and then only forwards on queries via EDNS via UDP - which is where I seem to have a problem.
    Secondly - can I disable EDNS somehow and just do plain old DNS?
    Some of the threads point to routers that don't like UDP packets over 512 octets, some point to firewalls and adaptive code that closes off ports when an app tries too many times, etc. I've opened ALL firewalls - turned off the OS X Server firewall, turned off the SPI firewall in the router (it's a Netgear DG834 with the DGTeam custom firmware), and I'm as far as I can go without buying a new router.
    If the only answer is 'OS X Server needs a better router' then I'd appreciate what router I should buy - this situation is becoming untenable since the DNS resolution performance of my entire network is unpredictable, and I don't want to have to reboot the Server on a regular basis when there are loads of clients and their home directories sitting on it, since OS X Client gets twitchy when your home folder vanishes off the network…
    I'm happy hacking config files - but can't seem to see anything in the DNS config that would allow me to either turn off EDNS or restrict the packet size to 512 octets (there's a comment in the config file that the directive is ignored for this one, fat lot of help that is). As to why the server itself stops listening to TCP port 53…. I have no idea and I can't find a solution with a search.
    So in the absence of solutions - can anyone help me with a workaround? The only 'answered' question in this domain was 'answered' with the OP finding a workaround in their router firmware that changed the DNS cache packet size. I can't find anything like this in my router config, so I can't use this workaround. Are there any workarounds I can apply to my OS X Server, that don't rely on my router?
    Yes, I know the router isn't that special, but it's a small business network. Advice on an upgrade would be welcome but doesn't solve the problem for me now. I'm based in the UK, if anyone also in the UK can recommend a suitable small-business NAT router I can use then I'd find that helpful, but I don't want to be told to purchase an enterprise-class router, turn off NAT and be recommended a store in the USA as it won't be that helpful
    Ideally there'd be a way to tweak the DNS server on OS X to not bother with EDNS, or to stick to 512 octet sized packets (can I do this globally for all UDP from my server?), or to keep working on TCP…
    Anyone know? The machine hosts client homes internally and serves mail, web and DNS externally. It's not a high-traffic system and it sits at the end of a business-grade ADSL line. I'm not being DoS'd - this behaviour seems random as to when it strikes. I try to restart the named daemon on the server when it strikes, but I need to be on the network to make that happen….
    Solutions appear to be out, but I'd really appreciate a workaround. Many thanks in advance!

    Hi Rob,
    Not much of a Mac person myself, however this support matrix might help:
    http://www.adobe.com/products/coldfusion/coldfusion7/pdfs/cfmx7_systemsupportmatrix.pdf
    Seeing you're getting a few Java errors, perhaps the JVM in CF7 (1.4.2_09) is too early for Mac OS 10.6.4?
    HTH, Carl.

  • Default class map is dropping all Packets

    Hello, I have a Cisco 871 router that used to have access-list based security. Now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused, especially with the default class part. Any help is greatly appreciated!!!!
    The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QoS once I get it working.
    Guest VLAN has access to 2 IP's in Data for printing.
    Cisco871#sh run
    Building configuration...
    Current configuration : 8005 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service sequence-numbers
    hostname Cisco871
    boot-start-marker
    boot-end-marker
    logging buffered 4096
    no logging console
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    clock summer-time PST recurring
    crypto pki trustpoint TP-self-signed-4004039535
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4004039535
    revocation-check none
    rsakeypair TP-self-signed-4004039535
    crypto pki certificate chain TP-self-signed-4004039535
    certificate self-signed 01
      3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 34303034 30333935 3335301E 170D3038 30323037 30373532
      32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303430
      33393533 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100CEC2 7B89C73F AB4860EE 729C3B64 82139630 239A2301 8EA8B4C4 05505E25
      B0F24E7F 26ECEC53 3E266E80 F3104F61 BDDC5592 40E12537 2262D272 08D38F8E
      147F5059 7F632F5E 635B9CDF 652FFE82 C2F45C60 5F619AF0 72E640E0 E69EA9EF
      41C6B06C DD8ACF4B 0A1A33CF AF3C6BFB 73AD6BE0 BD84DD7F 435BD943 0A22E0E5
      F4130203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
      551D1104 18301682 144C7570 696E2E44 61627567 61626F6F 732E6F72 67301F06
      03551D23 04183016 801473C6 E0784818 29A89377 23A22F5E BDD430CE E282301D
      0603551D 0E041604 1473C6E0 78481829 A8937723 A22F5EBD D430CEE2 82300D06
      092A8648 86F70D01 01040500 03818100 299AD241 442F976F 4F030B33 C477B069
      D356C518 8132E61B 1220F999 A30A4E0C D337DCE5 C408E3BC 0439BB66 543CF585
      8B26AA77 91FA510B 14796239 F272A306 C942490C A44336E0 A9430B81 9FC62524
      E55017FA 5C5463D7 B3492753 42315BEC 32B78F24 D10B0CA7 D1844CD5 C3E466B9
      3543BD68 A4B2692D 05CBF6DC C93C8142
                quit
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.0.0.1 10.0.0.5
    ip dhcp excluded-address 172.16.15.1 172.16.15.5
    ip dhcp excluded-address 172.16.15.14
    ip dhcp excluded-address 172.16.17.1 172.16.17.5
    ip dhcp excluded-address 192.168.19.1 192.168.19.5
    ip dhcp pool MyNetNative
       import all
       network 10.0.0.0 255.255.255.248
       default-router 10.0.0.1
       domain-name MyNetNet.org
       dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
       lease 0 2
    ip dhcp pool MyNetData
       import all
       network 172.16.15.0 255.255.255.240
       dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
       default-router 172.16.15.1
       domain-name MyDomain.org
    ip dhcp pool MyNetVoice
       import all
       network 172.16.17.0 255.255.255.240
       dns-server 172.16.15.14
       default-router 172.16.17.1
       domain-name MyDomain.org
    ip dhcp pool MyNetGuest
       import all
       network 192.168.19.0 255.255.255.240
       default-router 192.168.19.1
       domain-name MyNetGuest.org
       dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
    ip domain name MyDomain.org
    ip name-server 172.16.15.14
    ip name-server 4.2.2.4
    ip inspect log drop-pkt
    multilink bundle-name authenticated
    parameter-map type inspect TCP_PARAM
    parameter-map type inspect global
    username MyAdmin privilege 15 secret 5 MyPassword
    archive
    log config
      hidekeys
    class-map type inspect match-all MyNetGuest-access-list
    match access-group 110
    class-map type inspect match-any Base-protocols
    match protocol http
    match protocol https
    match protocol ftp
    match protocol ssh
    match protocol dns
    match protocol ntp
    match protocol ica
    match protocol pptp
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-all MyNetGuest-Class
    match class-map MyNetGuest-access-list
    match class-map Base-protocols
    class-map type inspect match-all MyNetNet-access-list
    match access-group 100
    class-map type inspect match-any Voice-protocols
    match protocol h323
    match protocol skinny
    match protocol sip
    class-map type inspect match-any Extended-protocols
    match protocol pop3
    match protocol pop3s
    match protocol imap
    match protocol imaps
    match protocol smtp
    class-map type inspect match-all MyNetNet-Class
    match class-map MyNetNet-access-list
    match class-map Voice-protocols
    match class-map Extended-protocols
    match class-map Base-protocols
    policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
    class type inspect MyNetGuest-access-list
      inspect
    class class-default
    policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetGuest-Class
      inspect
    class class-default
    policy-map type inspect MyNetNet-zone
    class class-default
      pass
    zone security MyNetNet-zone
    zone security MyNetGuest-zone
    zone security MyNetWAN-zone
    zone-pair security MyNetNet->MyNetGuest source MyNetNet-zone destination MyNetGuest-zone
    service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
    zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
    service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    zone-pair security MyNetGuest->MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone
    service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
    zone-pair security MyNetGuest->MyNetNet source MyNetGuest-zone destination MyNetNet-zone
    service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
    interface FastEthernet0
    description Cisco-2849-Switch
    switchport mode trunk
    speed 100
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    description SBS-Server
    switchport access vlan 10
    spanning-tree portfast
    interface FastEthernet4
    description WAN
    no ip address
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly
    zone-member security MyNetWAN-zone
    ip tcp adjust-mss 1452
    duplex auto
    speed auto
    no cdp enable
    interface Vlan1
    description MyNetNative
    ip address 10.0.0.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    ip tcp adjust-mss 1452
    interface Vlan10
    description MyNetData
    ip address 172.16.15.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    interface Vlan20
    description MyNetVoice
    ip address 172.16.17.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetNet-zone
    interface Vlan69
    description MyNetGuest
    ip address 192.168.19.1 255.255.255.240
    ip nat inside
    ip virtual-reassembly
    zone-member security MyNetGuest-zone
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    access-list 100 remark MyNetnet
    access-list 100 permit ip 10.0.0.0 0.0.0.7 any
    access-list 100 permit ip 172.16.15.0 0.0.0.31 any
    access-list 100 permit ip 172.16.17.0 0.0.0.15 any
    access-list 110 remark MyNetGuest
    access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2
    access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31
    access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15
    access-list 110 permit ip 192.168.19.0 0.0.0.15 any
    control-plane
    banner login ^CC
    You know if you should be here or not.
             if not please leave
    NOW
    ^C
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    transport input telnet ssh
    scheduler max-task-time 5000
    ntp server 172.16.15.14
    webvpn cef
    end
    Cisco871#sh zone security
    zone self
      Description: System defined zone
    zone MyNetNet-zone
      Member Interfaces:
        Vlan1
        Vlan10
        Vlan20
    zone MyNetGuest-zone
      Member Interfaces:
        Vlan69
    zone MyNetWAN-zone
      Member Interfaces:
        FastEthernet4
    Cisco871#sh zone-pair security
    Zone-pair name MyNetNet->MyNetGuest
        Source-Zone MyNetNet-zone  Destination-Zone MyNetGuest-zone
        service-policy MyNetNet-zone_to_MyNetGuest-zone_policy
    Zone-pair name MyNetNet->MyNetWAN
        Source-Zone MyNetNet-zone  Destination-Zone MyNetWAN-zone
        service-policy MyNetNet-zone_to_MyNetWAN-zone_policy
    Zone-pair name MyNetGuest->MyNetWAN
        Source-Zone MyNetGuest-zone  Destination-Zone MyNetWAN-zone
        service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy
    Zone-pair name MyNetGuest->MyNetNet
        Source-Zone MyNetGuest-zone  Destination-Zone MyNetNet-zone
        service-policy MyNetGuest-zone_to_MyNetNet-zone_policy
    Cisco871#sh int faste4
    FastEthernet4 is up, line protocol is up
      Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)
      Description: WAN
      Internet address is 10.38.177.98/25
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, 100BaseTX/FX
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:34:50, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 2000 bits/sec, 3 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         593096 packets input, 73090812 bytes
         Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog
         0 input packets with dribble condition detected
         9940 packets output, 1016025 bytes, 0 underruns
         0 output errors, 0 collisions, 3 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out
    Zone-pair: MyNetNet->MyNetWAN
      Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy
        Class-map: MyNetNet-Class (match-all)
          Match: class-map match-all MyNetNet-access-list
            Match: access-group 100
          Match: class-map match-any Voice-protocols
            Match: protocol h323
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol skinny
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol sip
              0 packets, 0 bytes
              30 second rate 0 bps
          Match: class-map match-any Extended-protocols
            Match: protocol pop3
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol pop3s
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol imap
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol imaps
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol smtp
              0 packets, 0 bytes
              30 second rate 0 bps
          Match: class-map match-any Base-protocols
            Match: protocol http
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol https
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ftp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ssh
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol dns
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ntp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol ica
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol pptp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol icmp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol tcp
              0 packets, 0 bytes
              30 second rate 0 bps
            Match: protocol udp
              0 packets, 0 bytes
              30 second rate 0 bps
          Inspect
            Session creations since subsystem startup or last reset 0
            Current session counts (estab/half-open/terminating) [0:0:0]
            Maxever session counts (estab/half-open/terminating) [0:0:0]
            Last session created never
            Last statistic reset never
            Last session creation rate 0
            Maxever session creation rate 0
            Last half-open session total 0
        Class-map: class-default (match-any)
          Match: any
          Drop (default action)
            5196 packets, 256211 bytes
    Cisco871#sh log
    Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                    0 flushes, 0 overruns, xml disabled, filtering disabled)
    No Active Message Discriminator.
    No Inactive Message Discriminator.
        Console logging: disabled
        Monitor logging: level debugging, 0 messages logged, xml disabled,
                         filtering disabled
        Buffer logging:  level debugging, 1745 messages logged, xml disabled,
                         filtering disabled
        Logging Exception size (4096 bytes)
        Count and timestamp logging messages: disabled
        Persistent logging: disabled
    No active filter modules.
    ESM: 0 messages dropped
        Trap logging: level informational, 1785 message lines logged
    Log Buffer (4096 bytes):
    001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to  policy match failure
    001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to  policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
    001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to  policy match failure
    001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to  policy match failure

    Hello Charlie,
    I would recommend you to investigate a little bit more about how the ZBFW feature works.
    Now I am going to help you on this one at least, then I will give you a few links you could use to study.
    We are going to study traffic from MyNetNet-zone to the MyNetWAN-zone.
    First the zone-pair
    zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
    service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    So let's go to the policy-map
    policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
    class type inspect MyNetNet-Class
      inspect
    class class-default
    Finally to the class map
    class-map type inspect match-all MyNetNet-Class
    match class-map MyNetNet-access-list
    match class-map Voice-protocols
    match class-map Extended-protocols
    match class-map Base-protocols
    That keyword MATCH-ALL is the one causing the issues!!
    Why?
    Because you are telling the ZBFW to inspect traffic only if it matches all of those class-maps, so a packet would need to match the base protocols and the extended protocols, and as you know that is not possible (just one protocol).
    So here are the links
    http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/
    https://supportforums.cisco.com/thread/2138873
    http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
    You have some work to do
    Please remember to rate all the helpful posts
    Julio
    CCSP
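    As an added example, not code from this thread or from Cisco, the following Python model reproduces the match-all versus match-any evaluation Julio describes and runs it over the %FW-6-DROP lines quoted from the "sh log" excerpt above. Class-maps are modelled as (mode, criteria) pairs exactly as posted; the port-to-protocol table standing in for inspect protocol recognition, and the restructured class-map (one match-any group nesting the three protocol groups under a match-all that still requires the ACL) are my assumptions, not configuration from the post.

```python
import ipaddress
import re

# Drop lines quoted from the Cisco871 "sh log" excerpt in the post above.
DROP_LOG = """\
001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to  policy match failure
001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to  policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to  policy match failure
001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to  policy match failure
"""

DROP_RE = re.compile(r"%FW-6-DROP_(?P<proto>UDP|TCP)_PKT: Dropping Other pkt "
                     r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_drops(text):
    """Extract (proto, src, dst, dport) from each %FW-6-DROP_*_PKT syslog line."""
    return [{"proto": m["proto"].lower(), "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
            for m in DROP_RE.finditer(text)]


# Assumed stand-in for the router's protocol recognition: destination port -> inspect protocol name.
PORT_PROTOCOLS = {("udp", 53): "dns", ("tcp", 53): "dns", ("tcp", 80): "http", ("tcp", 443): "https",
                  ("tcp", 25): "smtp", ("udp", 5060): "sip", ("tcp", 5060): "sip", ("tcp", 22): "ssh"}


def protocols_of(pkt):
    """Protocol names a packet satisfies: the application protocol plus the generic tcp/udp match."""
    names = {pkt["proto"]}
    app = PORT_PROTOCOLS.get((pkt["proto"], pkt["dport"]))
    if app:
        names.add(app)
    return names


# access-list 100 from the post: permit ip <inside networks> any
ACL_100 = [ipaddress.ip_network(n) for n in ("10.0.0.0/29", "172.16.15.0/27", "172.16.17.0/28")]


def acl_permits(acl, pkt):
    return any(ipaddress.ip_address(pkt["src"]) in net for net in acl)


def matches(class_maps, name, pkt):
    """Evaluate a class-map: criteria are ("protocol", p), ("access-group", acl) or ("class-map", nested)."""
    mode, criteria = class_maps[name]
    results = []
    for kind, arg in criteria:
        if kind == "protocol":
            results.append(arg in protocols_of(pkt))
        elif kind == "access-group":
            results.append(acl_permits(arg, pkt))
        else:
            results.append(matches(class_maps, arg, pkt))
    return all(results) if mode == "match-all" else any(results)


def policy_action(class_maps, top_class, pkt):
    """The posted policy-map: one inspect class, then class-default whose default action is drop."""
    return "inspect" if matches(class_maps, top_class, pkt) else "drop (class-default)"


PROTOCOL_GROUPS = {
    "Voice-protocols": ("match-any", [("protocol", p) for p in ("h323", "skinny", "sip")]),
    "Extended-protocols": ("match-any", [("protocol", p) for p in ("pop3", "pop3s", "imap", "imaps", "smtp")]),
    "Base-protocols": ("match-any", [("protocol", p) for p in
                                     ("http", "https", "ftp", "ssh", "dns", "ntp", "ica", "pptp", "icmp", "tcp", "udp")]),
    "MyNetNet-access-list": ("match-all", [("access-group", ACL_100)]),
}

# As posted: match-all across the ACL and all three protocol groups. A single packet is one protocol,
# so it can never be in Voice-protocols and Extended-protocols and Base-protocols at the same time.
AS_POSTED = dict(PROTOCOL_GROUPS)
AS_POSTED["MyNetNet-Class"] = ("match-all", [("class-map", "MyNetNet-access-list"), ("class-map", "Voice-protocols"),
                                             ("class-map", "Extended-protocols"), ("class-map", "Base-protocols")])

# Assumed restructuring: a match-any group nests the three protocol groups; the top class-map stays
# match-all so the ACL must still permit the source before anything is inspected.
FIXED = dict(PROTOCOL_GROUPS)
FIXED["Any-protocol"] = ("match-any", [("class-map", g) for g in ("Voice-protocols", "Extended-protocols", "Base-protocols")])
FIXED["MyNetNet-Class"] = ("match-all", [("class-map", "MyNetNet-access-list"), ("class-map", "Any-protocol")])


def evaluate(text, class_maps):
    """Run every dropped packet from the log through a class-map set; returns (src, dst, dport, action)."""
    return [(p["src"], p["dst"], p["dport"], policy_action(class_maps, "MyNetNet-Class", p))
            for p in parse_drops(text)]


if __name__ == "__main__":
    for label, cms in (("as posted", AS_POSTED), ("restructured", FIXED)):
        print(label)
        for row in evaluate(DROP_LOG, cms):
            print("  ", row)
```

    Under the posted configuration every DNS and HTTPS packet from 172.16.15.6 falls through to class-default and is dropped, which is exactly the "policy match failure" the log shows; with the nested match-any group the same packets are inspected, while a packet from a source the ACL does not permit is still dropped. On the router the corresponding change is a "class-map type inspect match-any" that contains "match class-map" entries for the three protocol groups, referenced from the match-all MyNetNet-Class next to the access-list class-map.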

  • Forum FAQ: How to troubleshoot DNS Event 5504 error

    Symptom
    A DNS server may frequently record the Event ID 5504 error in the event log:
    Event Type: Warning
    Event Source: DNS
    Event Category: None
    Event ID: 5504
    User: N/A
    Computer: Computer_name
    Description: The DNS server encountered an invalid domain name in a packet from IP_Address .
    The packet is rejected.
    Cause
    Event ID 5504 is logged when a DNS Server receives a packet containing an invalid domain name. There are many possible causes.
    1. The DNS cache becomes corrupt with invalid domain names.
    2. The DNS Server receives a spoofed response.
    3. The DNS response contains domain names with characters other than 0-9, a-z, A-Z, . (period), and - (hyphen).
    4. The DNS Server has been configured with invalid forwarders.
    5. The network the DNS server resides on is busy or not working properly.
    Resolution
    The following are general troubleshooting steps for this issue:
    1. Secure the DNS cache against pollution.
    a) Open the DNS Management snap-in and then open the Properties dialog for the DNS server.
    b) Click the Advanced tab, check the Secure Cache against Pollution option, and then click OK.
    c) After enabling this setting, right-click the applicable DNS server and select Clear Cache, then restart the DNS Server service.
    2. Verify that the forwarder list on the DNS server is pointing to recursive DNS servers. To view the forwarders, please perform the following steps:
    a) Open the DNS Management snap-in and then open the Properties dialog for the DNS server.
    b) Click the Forwarders tab; you can view the existing forwarders there.
    3. Some third party DNS servers may be using records of a type that aren’t supported by Windows DNS servers, such as the DNAME resource record.
    920162     Event 5504 is logged when a Windows Server 2003-based DNS server receives a packet that contains a DNAME resource record
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;920162
    4. Another example where DNS will produce the Event ID 5504 error is when Extended DNS (EDNS) packets are received but the server that is attempting to resolve the EDNS traffic doesn’t support EDNS or have it enabled. An easy workaround is to disable EDNS.
    dnscmd /Config /EnableEDnsProbes 0
    More Information
    Troubleshooting DNS
    http://technet2.microsoft.com/WindowsServer/en/library/de2aa69d-1155-4dc9-a651-e8362f6a81c81033.mspx?mfr=true
    DNS Best Practices
    http://technet2.microsoft.com/WindowsServer/en/library/59d7a747-48dc-42cc-8986-c73db47398a21033.mspx?mfr=true
    Applies to
    Windows Server® 2003 operating system
    Windows Server® 2008 operating system
    Windows Server® 2008 R2 operating system

    I'm not sure whether this is the appropriate place to add this but - a (possible) cause that I have seen which is not mentioned above is a request for an AAAA record (IPv6 address) being responded to with an A record (IPv4 address).
    DNS debug logging (Windows 2008 R2 SP1) captured requests to 192.225.156.200 and the corresponding responses. In each case the response was followed in the debug log by the event “The DNS server encountered an invalid domain name in a packet from 192.225.156.200. The packet will be rejected. The event data contains the DNS packet.”
    The domain name in the response was the same as that in the query, and looks OK.
    The logged query shows an AAAA record (IPv6 address) request and the logged response returned an A record (IPv4 address).
    http://www.rfc-editor.org/rfc/rfc4074.txt “Common Misbehavior Against DNS Queries for IPv6 Addresses” says, under “Expected Behavior”:
       Suppose that an authoritative server has an A RR but has no AAAA RR
       for a host name.  Then, the server should return a response to a
       query for an AAAA RR of the name with the response code (RCODE) being
       0 (indicating no error) and with an empty answer section (see
       Sections 4.3.2 and 6.2.4 of [1]).  Such a response indicates that
       there is at least one RR of a different type than AAAA for the
       queried name, and the stub resolver can then look for A RRs.
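The two checks discussed in this thread (cause 3 of the FAQ, names with characters outside 0-9, a-z, A-Z, period and hyphen, and the reply above, an AAAA query answered with an A record) can be reproduced on a captured packet. The following is an added example, not code from the forum or from Microsoft: it decodes a DNS response from its wire form, including RFC 1035 compression pointers, reports each record's TTL, and returns the problems a 5504-style validator would log. The sample packets built by `build_response` are constructed for illustration; the label character set is the FAQ's list, not the full RFC grammar.

```python
import re
import struct

# Characters the FAQ above lists as valid inside a label. This is the FAQ's rule, not the
# full RFC 1035 hostname grammar (Windows also accepts '_' in service records).
LABEL_RE = re.compile(r"^[0-9A-Za-z-]+$")
TYPE_A, TYPE_AAAA = 1, 28


def decode_name(msg, offset):
    """Decode a domain name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared at the call site)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # 11xxxxxx: pointer to an earlier name
            if end is None:
                end = offset + 2                    # the pointer itself occupies two bytes
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                           # refuse looping pointers
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:                             # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg):
    """Return id, rcode, questions [(name, qtype)] and answers [(name, type, ttl, rdata)]."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    questions = []
    for _ in range(qdcount):
        name, off = decode_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, ttl, msg[off:off + rdlen]))   # TTL is per record
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def check_response(msg):
    """Return the problems a 5504-style validator would report for this response."""
    problems = []
    parsed = parse_response(msg)
    names = [q[0] for q in parsed["questions"]] + [a[0] for a in parsed["answers"]]
    for name in dict.fromkeys(names):               # each distinct name once
        if not all(LABEL_RE.match(label) for label in name.split(".")):
            problems.append(f"invalid characters in name {name!r}")
    for qname, qtype in parsed["questions"]:
        types = {a[1] for a in parsed["answers"] if a[0] == qname}
        # RFC 4074: an AAAA query with only A data should get NOERROR and no answers
        if qtype == TYPE_AAAA and TYPE_A in types and TYPE_AAAA not in types:
            problems.append(f"query for AAAA answered with an A record ({qname})")
    return problems


def encode_name(name):
    """Wire-encode a name: length-prefixed labels ending with the zero-length root label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_response(qname, qtype, answers, rcode=0):
    """Constructed sample response: answers = [(type, ttl, rdata)], each answer's owner
    name written as a compression pointer (0xC00C) to the question name."""
    header = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
                    for rtype, ttl, rdata in answers)
    return header + question + body
```

Run `check_response` over the bytes of a packet captured by DNS debug logging; an empty list means the packet passes both checks, and `parse_response` gives the TTL of every answer record directly from the wire.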

  • Block access to website!

    I'm trying to block access to some websites from the server in our office, is that possible?!, i mean which service under Mac OS 10.5 can do this job!
    thank you

    It depends on your network architecture and you haven't provided sufficient information to answer the question directly. It isn't even clear if you mean you want to stop this machine from accessing the sites, or whether you want to use this machine to block access from other clients on the network.
    I'll assume the latter for now, but please feel free to elaborate.
    In general, your server can only block traffic if it's running a service that your clients depend on.
    If your server is a file server, or a directory server, or even a web server, then you're out of luck because the clients don't depend on this server to get to the sites you want to block.
    On the other hand, if the server is running as a gateway then you can block it in the firewall.
    If the server is running as a DNS server you could block the traffic in DNS (return a bogus IP address for the sites you want to block.
    If the server is running as a proxy you could configure the proxy server rules to block the sites.
    So, as you can see, there are many ways it could work depending on your setup. Even if you're not setup appropriately right now, you could still do this if you're willing to reconfigure your network - for example if you opt to take the proxy server route you'd need to configure the clients to use the server as a proxy. Likewise, if you take the DNS route you'll need to configure the clients to use this server for DNS.
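The "DNS route" the answer describes (return a bogus address for the sites to be blocked) amounts to intercepting the query and handing back a response of your own. The following is an added example, not code from the thread or from any Mac OS service: it inspects a raw DNS query, and for names on a constructed blocklist builds a response pointing IN A lookups at 0.0.0.0 (an assumed sinkhole address) while answering any other record type with NOERROR and an empty answer section; unrelated queries return `None` so a wrapper can forward them to a real resolver. `build_query` is only there to construct sample input.

```python
import struct

TYPE_A = 1
SINKHOLE_IP = bytes([0, 0, 0, 0])                  # assumed sinkhole: a non-routable address
BLOCKLIST = {"blocked.example", "ads.example"}      # constructed sample blocklist


def encode_name(name):
    """Wire-encode a domain name (RFC 1035 3.1): length-prefixed labels, zero terminator."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Constructed sample query, shaped like what a stub resolver sends (RD set)."""
    return (struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def is_blocked(qname_wire, blocklist):
    """Suffix-match the raw QNAME bytes so subdomains of a blocked name match as well.
    Matching the wire form is sound: length bytes are below 0x40 and never collide with
    hostname characters, so a suffix match can only land on a label boundary."""
    qname_wire = qname_wire.lower()                 # DNS names are case-insensitive
    return any(qname_wire.endswith(encode_name(b)) for b in blocklist)


def build_sinkhole_reply(query, blocklist=BLOCKLIST, ttl=60):
    """Return a response for a blocked name, or None so the caller forwards the query.
    IN A lookups get the sinkhole address; any other type on a blocked name gets
    NOERROR with an empty answer section, so the real address never reaches the client."""
    if len(query) < 17:                             # header plus the shortest question
        return None
    txid, flags, qdcount, _, _, _ = struct.unpack("!6H", query[:12])
    if flags & 0x8000 or qdcount != 1:              # a response, or an odd question count
        return None
    try:
        name_end = query.index(b"\x00", 12) + 1     # queries carry no compression pointers
    except ValueError:
        return None
    if len(query) < name_end + 4:
        return None
    qname = query[12:name_end]
    qtype, qclass = struct.unpack("!HH", query[name_end:name_end + 4])
    if qclass != 1 or not is_blocked(qname, blocklist):
        return None
    answers = []
    if qtype == TYPE_A:                             # owner name as pointer to the question
        answers.append(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, ttl, 4) + SINKHOLE_IP)
    # QR=1, keep the client's RD bit, RA=1, RCODE=0; question section copied verbatim
    header = struct.pack("!6H", txid, 0x8000 | (flags & 0x0100) | 0x0080,
                         1, len(answers), 0, 0)
    return header + query[12:name_end + 4] + b"".join(answers)
```

Wrapped in a UDP listener on port 53, this is the whole of the DNS-based block; as the answer notes, it only works if the clients are configured to use this machine as their resolver.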

  • Direct Access client DNS Registration q.

    Hi All,
    We have Direct Access installed, configured and mostly working on Windows 2012 R2 server supporting WIN 8.1 clients (only).
    All internal resources are accessible and have good name resolution, etc.
    However, I now have to enable "manage out" functionality. SCCM based Remote Assistance etc.
    There are various guides and I think manage out is working correctly. There is a major sticking point in that the clients attempt to register DNS names on the local DHCP server (home/office) router and registration never reaches the corporate DNS servers.
    I have enabled "secure only" DNS registration by Group Policy.
    We use split tunneling for clients.
    The Direct Access server is behind a NAT firewall. (CISCO) So the only effective transition tech is IP-HTTPS.
    Many thanks for any assistance in pointing me in the right direction.

    Hi,
    >>There is a major sticking point in that the clients attempt to register DNS names on the local DHCP server (home/office) router and registration never reaches the corporate DNS servers.
    Did you deploy IPv6 in your corpnet? If not, it's normal.
    If we use IPv4 in the corpnet, NAT64 and DNS64 will be enabled on the DirectAccess server. When the DirectAccess client sends the DNS update packet, according to the NRPT, the packet will be sent to the DirectAccess server. The DirectAccess server will register the AAAA record on behalf of the client.
    Best Regards.
    Steven Lee
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Outgoing port scan to find blocked (by ISP)/open ports

    Hi,
    How can I do a port scan (network ports, where web pages/applications use port number 80, for example)? I would like to find out if my ISP is blocking ports -- get some hard data/facts. I've tried using an online port scanner (one that operates from a web page/server) and according to it all my ports are blocked -- but I now realise that's incoming (to me), where I didn't initiate the communication. So I suppose to find out what I want I need to initiate the communication -- outgoing (from me) communication. How can I do this? Any software / utilities available anywhere? I tried the "port scan" in Network Utility but this never reported anything. Maybe that will do what I want but I possibly didn't have it set up properly?
    Any suggestions / ideas much appreciated.
    Cheers,
    John.

    Hi,
    >>I'm not sure what you're asking.
    What I'm asking about is in connection with the action that some ISPs take, described as "traffic shaping". I know they are filtering/blocking because all P2P applications stop working for a period of time each day while email and web pages continue to work fine, for example. I'm thinking of complaining to various organisations because I have it in writing from the ISP that they don't do this. They do, but I just want a bit more factual data first, before spending time and money making official complaints.
    >>ISPs rarely block outbound packets.
    Well, there's traffic shaping of some sort happening. I've found out that all incoming outside-initiated packets are blocked but things still work fine, so I assumed it must be outgoing packets which are being blocked.
    >>If you can't make an outbound connection, it's usually the return (ACK) packet that gets blocked.
    Right, I see. In that case another cooperating machine is needed to find out what I'm after, I suppose.
    >>However, most firewalls have a rule that allows packets through that are part of existing connections. That allows you to browse the internet no matter what source port your browser uses.
    This isn't about protection, it's about an ISP stopping/filtering certain uses (ports) via their connections because they don't like it -- too much bandwidth use, probably.
    >>By far the best packet sniffer is Wireshark (formerly Ethereal) for display of the capture.
    From what's said above, a packet sniffer isn't going to be enough, right? There need to be two machines, me sending to another on various ports and it replying on the same port, and both machines keeping a log of what's been sent and received, then a comparison made to see what made it and what didn't --- I guess. I wonder if there is such a service, piece of software, whatever, out there?
    >>Is your computer behind a router in your home? Of course that would include AirPort. If so, that is more likely the culprit than your ISP.
    Yes, an AirPort base station. Say "that is more likely the culprit than your ISP" again after visiting http://www.reviewcentre.com/review210703.html and searching the text for "traffic shaping" a few times! I'm pretty sure I've got the base station set up fine. And I think it's more likely my ISP (the one reviewed at that link) is the culprit. P2P software stops working, well it varies, but it reliably stops during "peak hours". It's the ISP for sure.
    >>I don't know any ISP that blocks all ports.
    Well, for incoming, according to http://www.websecurity.mobi/network-security-audit/178-no-open-ports-my-machine-obviously-rediculous.html (which is me expressing surprise about all incoming ports being blocked), my ISP does. Apparently there is quite a difference between incoming and outgoing. Stops people using their machine as any kind of server (according to that link). One thing I do notice is that doing:
    sudo tcpdump -v -x -s 128
    on the command line while I'm not doing anything on the internet results in nothing -- complete silence as it were. On the dial-up connection I've just left, doing that command there was stuff coming in all the time -- who knows what, but the complete silence on my new broadband connection would back up the idea that all incoming ports are blocked. I could be wrong of course.
    >>"nmap" is probably the best portscanner available but, as you discovered, OS X has one built in that you can access through the Network Utility.
    Oh right, I didn't know they were the same thing. I found that the port scan in NU didn't do anything. I left it for hours. There was an IP address which I left as it had filled it in itself. Maybe I should have changed that? How can I get the right address, or does it usually fill it in correctly itself?
    What actually does a port scanner like that one do? Send something out? To what? And how does it know if it got there?
    It seems to me that to get what I need there needs to be, first, a suitable piece of software and, second, another computer running the software, ready for my computer to talk to and communicate with multiple times to see what happens. My point is it's not just a piece of software that's needed, it's also another cooperating computer elsewhere. Otherwise what's the testing software going to talk to to see if the channel is working?
    I'll look into the Port Scan in NU again, see if I can get some actual results from it this time. On a broadband connection I left it for about, I don't know, 3 hours maybe, got nothing.
    Cheers,
    John
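The two-machine test described in this thread (one end sending on a set of ports, the cooperating end replying on the same port, both keeping a log, then the logs compared) is small enough to write out. The following is an added example, not software from the thread or from Apple; it is written for a host you control. The far end opens a listener per port under test and records what arrived; the near end connects, sends a tagged probe and classifies the outcome; `compare_logs` joins the two records, so a port counts as "blocked on path" only when the near end got nothing and the far end saw nothing either. The test here runs both ends against 127.0.0.1 on free ports (port 0), which is an assumption made so the example is self-contained.

```python
import socket
import threading


def _serve_one(srv, port, received):
    """Far end, one listener: accept a single connection, log the probe, echo it back."""
    try:
        conn, _ = srv.accept()
        with conn:
            data = conn.recv(64)
            received[port] = data               # the far end's log entry for this port
            conn.sendall(b"ack:" + data)
    except OSError:                             # accept timed out: nothing reached us
        received.setdefault(port, None)
    finally:
        srv.close()


def start_far_end(host, ports, received, wait=5.0):
    """Far end: bind one TCP listener per requested port (0 = any free port) and serve
    each in a background thread. Returns the ports actually bound, in request order."""
    bound = []
    for port in ports:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind((host, port))
        srv.listen(1)
        srv.settimeout(wait)                    # give up after `wait` seconds of silence
        actual = srv.getsockname()[1]
        bound.append(actual)
        threading.Thread(target=_serve_one, args=(srv, actual, received),
                         daemon=True).start()
    return bound


def probe(host, ports, timeout=2.0):
    """Near end: connect to each port, send a tagged probe and classify what came back."""
    results = {}
    for port in ports:
        probe_msg = f"probe:{port}".encode()
        try:
            with socket.create_connection((host, port), timeout=timeout) as c:
                c.sendall(probe_msg)
                reply = c.recv(64)
            results[port] = "open" if reply == b"ack:" + probe_msg else "unexpected reply"
        except ConnectionRefusedError:
            results[port] = "refused"           # host reached, nothing listening there
        except OSError:
            results[port] = "no response"       # connect or reply timed out
    return results


def compare_logs(sent, received):
    """Join the near-end and far-end logs into a per-port verdict."""
    verdict = {}
    for port, outcome in sent.items():
        arrived = received.get(port) is not None
        if outcome == "open" and arrived:
            verdict[port] = "passed"
        elif outcome == "no response" and not arrived:
            verdict[port] = "blocked on path"
        else:
            verdict[port] = f"inconsistent ({outcome}, arrived={arrived})"
    return verdict


if __name__ == "__main__":
    # Self-contained run: both ends on loopback, two free ports chosen by the OS.
    far_log = {}
    test_ports = start_far_end("127.0.0.1", [0, 0], far_log)
    near_log = probe("127.0.0.1", test_ports)
    for p, v in compare_logs(near_log, far_log).items():
        print(p, v)
```

On a real link, run `start_far_end` with the fixed ports of interest on the remote host and `probe` from the connection under suspicion; the verdicts distinguish a path that drops the traffic from a host that merely refuses it.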

  • JNDI/DNS Provider - How to get TTL & other header info ?

    Hi,
    I am using the JNDI/DNS Provider for accessing DNS records from a DNS server. After the DNS lookup, the Attribute collection received from the JNDI/DNS Provider does not contain TTL information for SRV records. Further investigation shows that the JNDI/DNS Provider only exposes the "RData" section of the DNS UDP packet response through Attributes and their values. The TTL comes in the "Header" section of the DNS UDP packet response and is not included in the Attributes and their values.
    When I dig into the source code of the JNDI/DNS Provider, it is clear that the TTL value is stored in the ResourceRecord class. But there are no get methods for it. Even worse, there does not seem to be a way of getting the collection of ResourceRecord objects! Most of the classes / functions in the JNDI/DNS provider are either package scoped or private scoped.
    Does anybody know how to get the TTL for SRV records? Or is it not possible at all? (That means: should I move to other DNS libraries like DnsJava?)
    Thanks,
    Ram.

    Thanks v.r. for your quick reply. In fact we are using the TTL SOA for the time being. But when it is overridden in specific SRV / A / AAAA records, we are not able to get that value. Any idea how to get these overridden record specific TTL values ?
    Thanks,
    Ram.

  • I keep getting calls from a blocked caller ID and it's some dude speaking Arabic. What do I do? How do I stop this?

    I keep getting calls from a blocked caller ID and it's some dude speaking Arabic. What do I do? How do I stop this?

    Stop answering calls with blocked numbers. If it's someone who really wants to talk to you, they'll leave you a message and you can call them back.

  • NEED HELP BLOCKING A CALL

    I keep getting a call from a 9-digit number. The call doesn't come through but the phone rings until I answer; I can't block it because it's only 9 digits. Please help! They are waking me, annoying me, getting very frustrated, can't get in touch w/Verizon people!

    That sounds very annoying, lluscher! Please try tapping the i in the circle on the right side of that number from your call log, then scroll down and tap block number. This has worked for me with any number. I have the latest iOS version 7.1; if you don't have this version please update your software and then try the above steps. Keep us posted.
    AntonioC_VZW
    Follow us on Twitter at www.twitter.com/VZWSupport

  • Load balancing 2 DNS server

    How to configure the CSS to load balance 2 DNS servers?

    First configure the services like this:
    service dns1
    ip address x.x.x.x
    active
    service dns2
    ip address x.x.x.x
    active
    Then configure the content rule
    owner mycompany
    content dns
    vip address x.x.x.x
    add service dns1
    add service dns2
    active
    Then we need to set up something for the DNS answer:
    group dns
    vip address x.x.x.x !!!!! same as for the content rule
    add service dns1
    add service dns2
    portmap disable
    The portmap disable requires software 5.03(33) or above.
    The command is also in 5.01
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_release_note09186a00800ba0c6.html
