The Problem
I was tasked with performing a DNS zone transfer (AXFR) through a Cisco SOHO router (an 877). I ran into a problem during the work: when the transfer triggered, the client received a TCP RST. Initially I assumed the reset had come from the DNS server, but on reviewing the packet capture I saw that the RST carried a TTL of 254, which pointed to the router itself as the source rather than the server behind it.
The Solution
Analysing the problem, it became clear that the cause was the NAT DNS ALG (Application Layer Gateway). The ALG inspects DNS carried over TCP and cannot handle DNS messages above a certain size; an AXFR response is one large DNS message, so the ALG rejected it and the router tore the connection down with a RST. The only way for me to complete the work was to disable the DNS ALG for TCP.

Note that this removes only the router's inspection (and rewriting of addresses embedded in DNS payloads) for DNS over TCP; it does not change the NAT translations or access lists already in place. Whether AXFR should be reachable from outside at all is a separate question for the DNS server's transfer restrictions (for example allow-transfer in BIND).

How to disable the ALG (from global configuration mode):
rtr(config)#no ip nat service alg tcp dns
Below is the output I received before making the fix.
rtr#sh ver | i Vers
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.2(4)M6, RELEASE SOFTWARE (fc2)
[root@server ~]# dig -y @92.28.16.27 cocheno.com -t axfr
;; communications error to 92.28.16.27#53: connection reset
Looking at the NAT debug, the first DNS message (125 bytes) is proxied through the ALG without trouble, but the zone transfer response is read as a DNS message of 31751 bytes, which the ALG reports as an unsupported size before the flow is aborted:
Jan 11 23:15:10.146: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.150: NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.150: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.150: NAT-L4F: Policy check successful
Jan 11 23:15:10.150: NAT-L4F: received fd1: 1073742971 and
tcp flags = 0x2, payload_len = 0
Jan 11 23:15:10.294: NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.294: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.294: NAT-L4F: received fd2: 1073742972 and
tcp flags = 0x12,payload_len = 0
Jan 11 23:15:10.298: NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.298: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.298: NAT-L4F: Received final ACK from fd1 : 1073742971 and
tcp flags = 0x10
Jan 11 23:15:10.298: NAT-L4F:Transistioning to proxy: rc 0 error 0
Jan 11 23:15:10.298: NAT-L4F: Successfully proxied this flow
Jan 11 23:15:10.298: NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.298: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.298: NAT-ALG: lookup=0 l7_bytes_recd=125 appl_type=12
Jan 11 23:15:10.298: NAT-ALG: DNS l7_msg_size = 125
Jan 11 23:15:10.298: NAT-ALG: after state machine:
Jan 11 23:15:10.298: NAT-ALG: remaining_hdr_sz=0
Jan 11 23:15:10.298: NAT-ALG: remaining_payl_sz=0
Jan 11 23:15:10.298: NAT-ALG: tcp_alg_state=0
Jan 11 23:15:10.298: NAT-ALG: complete_msg_len=125
Jan 11 23:15:10.298: l4f_send returns 125 bytes
Jan 11 23:15:10.298: Complete buffer written to proxy
Jan 11 23:15:10.298: NAT-L4F:NO DATA to read
Jan 11 23:15:10.446: NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.446: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.454: NAT-L4F:setting ALG_NEEDED flag in subblock
Jan 11 23:15:10.454: NAT-FRAG: tcpmss value :0
Jan 11 23:15:10.454: NAT-ALG: lookup=1 l7_bytes_recd=1452 appl_type=12
Jan 11 23:15:10.454: NAT-ALG: DNS l7_msg_size = 31751
Jan 11 23:15:10.454: NAT-ALG: Unsupported l7_msg_size = 31751
Jan 11 23:15:10.454: NAT-L4F:CSM isn't able to accept the pkt
Jan 11 23:15:10.458: NAT-L4F:read RST, aborting
Jan 11 23:15:10.458: NAT-L4F:setting ALG_NEEDED flag in subblock
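To make the failure mode concrete, here is an added example (not code from the original post or from Cisco) that frames a DNS-over-TCP byte stream the way an ALG must: read the 2-byte length prefix (RFC 1035 section 4.2.2), then decide whether to buffer the message or give up. The sample stream is constructed from the sizes in the debug output above (a complete 125-byte message, then a 1452-byte segment whose prefix declares 31751 bytes). The page does not state the ALG's real limit, so the 4096-byte threshold is a hypothetical value; the second run models what disabling the ALG amounts to, namely accepting any length the 16-bit prefix can express and waiting for the rest of the message.

```python
import struct

# Sizes taken from the NAT debug output on this page.
FIRST_MSG_LEN = 125          # complete_msg_len of the first proxied message
AXFR_SEGMENT_LEN = 1452      # l7_bytes_recd when the ALG gave up
AXFR_DECLARED_LEN = 31751    # the "Unsupported l7_msg_size" value

# Hypothetical threshold: the page only shows that 125 bytes was accepted
# and 31751 was not, so this number is an assumption for illustration.
MAX_MSG_SIZE = 4096


def build_dns_over_tcp(payload: bytes) -> bytes:
    """Prefix a DNS message with its 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(payload)) + payload


def parse_dns_tcp_stream(stream: bytes, max_msg_size: int = MAX_MSG_SIZE):
    """Walk a TCP byte stream as a DNS ALG would.

    For each framed message, return a dict with the declared length, the
    number of body bytes actually present, and a status:
      complete         - whole message present and within the size limit
      incomplete       - within the limit, but the rest has not arrived yet
      unsupported_size - declared length exceeds max_msg_size; parsing stops,
                         which is the point at which the router sent its RST
    """
    results = []
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 2:
            results.append({"declared": None,
                            "received": len(stream) - pos,
                            "status": "need_more_prefix"})
            break
        (declared,) = struct.unpack_from("!H", stream, pos)
        pos += 2
        body = stream[pos:pos + declared]
        if declared > max_msg_size:
            results.append({"declared": declared,
                            "received": len(body),
                            "status": "unsupported_size"})
            break  # the ALG aborts the flow here; nothing after it is parsed
        if len(body) < declared:
            results.append({"declared": declared,
                            "received": len(body),
                            "status": "incomplete"})
            break
        results.append({"declared": declared,
                        "received": declared,
                        "status": "complete"})
        pos += declared
    return results


# Constructed sample stream: a complete 125-byte message followed by the first
# 1452-byte TCP segment (2-byte prefix plus 1450 body bytes, an assumption about
# how l7_bytes_recd was counted) of a response declaring 31751 bytes. Bodies are
# zero-filled placeholders; only the framing matters for this example.
SAMPLE_STREAM = (
    build_dns_over_tcp(bytes(FIRST_MSG_LEN))
    + struct.pack("!H", AXFR_DECLARED_LEN)
    + bytes(AXFR_SEGMENT_LEN - 2)
)


def with_alg():
    """What the size-limited ALG sees: first message fine, AXFR rejected."""
    return parse_dns_tcp_stream(SAMPLE_STREAM, MAX_MSG_SIZE)


def without_alg():
    """With the ALG disabled there is no size check; the only sensible model
    is accepting any 16-bit length and waiting for the remaining segments."""
    return parse_dns_tcp_stream(SAMPLE_STREAM, 0xFFFF)


if __name__ == "__main__":
    for label, outcome in (("ALG enabled", with_alg()), ("ALG disabled", without_alg())):
        print(label)
        for r in outcome:
            print("  declared=%s received=%s status=%s"
                  % (r["declared"], r["received"], r["status"]))
```

The "incomplete" result in the second run is the normal state of a large zone transfer in flight: a well-behaved middlebox either buffers the whole message or leaves the stream alone. The ALG here does neither once the declared length exceeds its limit, which is why the only workable fix on this platform was to take it out of the path.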