we have recently added a Application which is doing many DNS Requests.
So there are about 60.000 UDP DNS Flows in our flow-table and ran out of free Ports on our Group.
We have serval Applications
(Http-Proxy, Mailgateway, Ftp-Server)
which want to communicate with the Internet.
We do NAT those servers into one VIP via a source-group. We can not add more VIPs or separate those servers int a different group.
vip address xxxx
add service http-1
add service http-2
add service http-3
add service notes-1
add service mail-1
add service mail-2
add service mail-3
We had to set the flow-timeout higher for HTTP, SMTP and FTP Connections.
The Mail Gateways do many DNS Request for check against SPAM. Each time a Flow-entry is created. (max 800/second)
I've looked into the command
flow-state 53 udp flow-disable nat-enable
which should disable creating flow-entrys for UDP Port 53 (DNS)
But i am not sure, if our source group does work after i disable the flow-state. The docs are not clear in that point.
What do i have to care about if i disable the flow-state for UDP 53?