Are you using the exact same port on the switch when it does and then does not work? Also, are you using the exact same cables when it does and does not work?
I bring up these questions simply because I've had similar issues, not with UT, but other appliances. How about a straight-through cable ? I know that should not matter nowadays..but you never know...
Just a couple of thoughts, seems like all the other bases have been covered.
I've tried it both ways, using the same and different ports on the switch. I've also cleared the ARP cache and MAC tables after making the switch to ensure that the 6509 doesn't have any leftover entries for whatever reason.Originally Posted by Muggle
This seems to be a higher layer problem. We have no problem with IP connectivity, but DNS names don't resolve. Something's happening at a higher layer to impede that traffic.
Disclaimer: I may or may not have had enough coffee when I'm posting. Interpret my responses thusly.
Type nslookup
server 4.2.2.1
www.google.com
Do you get anything back?
Nope. We tried that. I tried hard setting UT to use that server for DNS, and I also tried setting it using nslookup as you suggested. Either way, no names would resolve even though UT could ping that server. It doesn't make any sense!
Disclaimer: I may or may not have had enough coffee when I'm posting. Interpret my responses thusly.
I need to find a way to continue testing this without disrupting our network. This is on our primary Internet connection, which means we have mobile police/fire units and other emergency vehicles who count on this connection, not to mention all the servers and users behind it that need Internet access, even in off hours. I can't keep bringing that connection down to test. I think I have a free interface on our firewall, though. Maybe I'll connect to that instead and configure it similar to our main inside interface.
Then again, that's not going to work because it's not exactly the same. To replicate our situation, I would have to have real users and at least one DNS server behind UT. This could be a fairly complicated test setup.
Disclaimer: I may or may not have had enough coffee when I'm posting. Interpret my responses thusly.
I really don't believe it's untangle that is causing the problem. To rule that out, you could do a fresh install.
This is a fresh install.I don't think the problem lies solely with Untangle since it works when not connected directly to our firewall. My suspicion is that there is some strange interaction between the two. Someone else suggested one possible problem, but I *think* I've ruled that out.
Surely we're not the first to connect this version of UT directly to a Cisco ASA. If others have done it with no problem then it's just a matter of figuring out what's different between our configuration and theirs.
Disclaimer: I may or may not have had enough coffee when I'm posting. Interpret my responses thusly.
Disable all the "fixup" in the ASA. Fixup can cause problems.
I'll try it, but *why* should I have to do that? If UT is acting as a transparent bridge, that sort of thing shouldn't be necessary. I should be able to drop it inline without any problem. It should be, um, transparent.
It must not be completely transparent for non-blocked traffic, which I thought it would be. Even with a couple of things in the rack, all turned off, it was still blocking DNS. That proves that it is having some sort of effect on the traffic even when it should just be passing it through.
EDIT: I just checked. The fixup command is missing on the ASA. That functionality is either not there, is integrated, or has been moved to another command. I'll have to do more research.
Last edited by neiby; 07-11-2009 at 02:01 PM.
Disclaimer: I may or may not have had enough coffee when I'm posting. Interpret my responses thusly.
The only thing I can find in the ASA config related to DNS is that dns-guard is enabled. That enforces a single reply to any DNS query. Other than that, I don't see anything, and I don't know how that would affect things at all.
Again, if UT is truly transparent for unblocked traffic, it shouldn't matter. Is UT completely transparent to unblocked traffic?
Disclaimer: I may or may not have had enough coffee when I'm posting. Interpret my responses thusly.
Posting Permissions
LinkBack URL
About LinkBacks