Support Center > Search Results > SecureKnowledge Details
DNS packets are 'dropped by fwpslglue_chain Reason: PSL Drop: ASPII_MT' on Security Gateway
Symptoms
  • Not possible to connect to network resources by their hostnames through Security Gateway.

  • Kernel debug (fw ctl debug -m fw + drop) shows that DNS packets are dropped:
    fw_log_drop: Packet proto=17 Source_IP:Source_Port -> Dest_IP:53 dropped by fwpslglue_chain Reason: PSL Drop: ASPII_MT

    Important: Run debug as follows:
    fw ctl debug 0
    fw ctl debug -m fw + drop
    fw ctl kdebug -f > <filename>

    Ctrl C to stop
    fw ctl debug 0
  • DNS drops occur on the Security Gateway side (not on the Client side).
Cause

Possible reasons:

  • The DNS Server is reusing source ports.

  • In R75.40 and above, Anti-Malware blades (Anti-Bot and Anti-Virus) hold this DNS connection while trying to categorize it (when 'Resource Categorization mode' is set to 'Hold'). The FireWall drops this DNS connection (when a connection cannot be categorized with the cached responses).
    Note: Anti-Malware blades later inject this DNS connection again when the categorization is complete.

  • Application Control blade is enabled with a restrictive policy (blocks any recognized traffic).

Solution
Note: To view this solution you need to Sign In .