SA 540, DNS Server problems behind the SA 540

Unanswered Question
Dec 10th, 2009

We have placed our OS X 10.6 Server running DNS, Mail and Web server on the SA 540's LAN. After doing this we have had quite a few DNS problems; we get the following in the DNS Server log while, e.g., trying to reach from a browser on the server (the browser hangs for about a minute until the following shows up in the log, and then the site loads):

10-Dec-2009 00:17:05.037 host unreachable resolving '': 2001:dc3::35#53

10-Dec-2009 00:17:05.038 host unreachable resolving '': 2001:500:2f::f#53

10-Dec-2009 00:17:05.114 success resolving '' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets

10-Dec-2009 00:17:05.401 success resolving '' (in 'uk'?) after disabling EDNS

10-Dec-2009 00:17:05.404 success resolving '' (in '.'?) after disabling EDNS

What I have been able to find on the net is that people who have had the same problem changed some DNS cache settings on their router or some firewall setting in their firewall.

"Quote by: MacTroll

Your DNS server is attempting to use DNS-SEC, for validated DNS lookups. This requires a larger UDP packet size, >512 bytes, than your firewall seems to like. It then has to wait to both decide it needs to reduce packet size /and/ to get a negative result on the lookup."


"I had the same problem, after reading this and other posts I looked at my router config and enabled an option to reduce packet size for its DNS caching, that seems to have resolved this issue for me"


"NOTE: Some older firewall firmware (such as Cisco PIX) will block all DNS packets with EDNS0 enabled.

If needed, you can disable EDNS0 in the Simple DNS Plus Options dialog / DNS / Miscellaneous section, but we highly recommend you get the firewall firmware updated instead."

I have not been able to find anything on the SA 540 that would make me do any similar changes. Any suggestions?

I tried to turn on Logging under Administration->Logging but nothing shows up under Status->View Logs after that (BTW, does logging work on this thing?)

SA 540 Firmware 1.0.39

BTW, I have tried this without any firewall rules on the SA 540, with rules allowing TCP/UDP DNS (port 53) and with an allow-all rule to the LAN, no changes. The server worked fine when we still had the Linksys RV042 working (dead power supply).

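The log excerpt above has a recognisable shape: one or more failed attempts against an upstream server, then a lookup that only succeeds once BIND cuts its advertised EDNS UDP size to 512 octets or disables EDNS for that zone, with the browser stalled in between. The following is an added example, written for this page and not part of the original post or any Cisco tool, that scans a named log for exactly that sequence and measures the stall. The message formats are BIND's own; the sample log, query names, timestamps and the 192.0.2.x / 2001:db8:: addresses are constructed for the example. Run it over the real log before and after changing anything on the appliance, so the comparison is on evidence rather than on whether a page loaded.

```python
import re
from collections import Counter
from datetime import datetime

# Regexes for the BIND resolver messages that appear in the post: a failed
# attempt against an upstream server, then a retry that only succeeds after
# the advertised EDNS UDP size is cut to 512 octets or EDNS is disabled.
TS = r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})"
SUCCESS = TS + r" success resolving '(?P<q>[^']*)' \(in '(?P<zone>[^']*)'\?\) after "
PATTERNS = {
    "unreachable": re.compile(TS + r" host unreachable resolving '(?P<q>[^']*)': (?P<server>\S+)$"),
    "timeout": re.compile(TS + r" timed out resolving '(?P<q>[^']*)': (?P<server>\S+)$"),
    "edns_512": re.compile(SUCCESS + r"reducing the advertised EDNS UDP packet size to 512 octets$"),
    "edns_off": re.compile(SUCCESS + r"disabling EDNS$"),
}
FAILURES = ("unreachable", "timeout")
FALLBACKS = ("edns_512", "edns_off")
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"

# Constructed sample log with the same shape as the excerpt in the post;
# names, timestamps and server addresses are made up (documentation ranges).
SAMPLE_LOG = """\
10-Dec-2009 00:16:05.037 timed out resolving 'www.example.co.uk/A/IN': 192.0.2.53#53
10-Dec-2009 00:16:35.120 host unreachable resolving 'www.example.co.uk/A/IN': 2001:db8::35#53
10-Dec-2009 00:17:05.038 host unreachable resolving 'www.example.co.uk/A/IN': 2001:db8::f#53
10-Dec-2009 00:17:05.114 success resolving 'www.example.co.uk/A' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
10-Dec-2009 00:17:05.401 success resolving 'www.example.co.uk/A' (in 'uk'?) after disabling EDNS
10-Dec-2009 00:17:05.404 success resolving 'www.example.co.uk/A' (in '.'?) after disabling EDNS
10-Dec-2009 00:17:09.000 client 192.0.2.10#51234: query: www.example.co.uk IN A + (192.0.2.1)
"""


def parse_line(line):
    """Return a dict for a recognised EDNS-related line, else None."""
    for kind, pat in PATTERNS.items():
        m = pat.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["kind"] = kind
            ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
            return ev
    return None


def summarize(lines):
    """Count failures and EDNS fallbacks and measure the stall between them."""
    events = [ev for ev in map(parse_line, lines) if ev]
    kinds = Counter(ev["kind"] for ev in events)
    failures = [ev for ev in events if ev["kind"] in FAILURES]
    fallbacks = [ev for ev in events if ev["kind"] in FALLBACKS]
    stall = None
    if failures and fallbacks:
        # Wall-clock time from the first failed attempt to the first lookup
        # that succeeded with reduced/disabled EDNS: roughly what the browser saw.
        stall = (min(e["ts"] for e in fallbacks) - min(e["ts"] for e in failures)).total_seconds()
    return {
        "kinds": dict(kinds),
        "failed_servers": sorted({e["server"] for e in failures}),
        "fallback_zones": sorted({e["zone"] for e in fallbacks}),
        "stall_seconds": stall,
    }


def edns_path_suspect(summary):
    """True when lookups only succeed after BIND shrinks or drops EDNS, the
    classic signature of a middlebox dropping DNS/UDP replies over 512 bytes."""
    kinds = summary["kinds"]
    return any(kinds.get(k, 0) for k in FALLBACKS) and any(kinds.get(k, 0) for k in FAILURES)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(s)
    print("EDNS path suspect:", edns_path_suspect(s))
```

On the constructed sample the first failure and the first successful fallback are about 60 seconds apart, matching the "hangs for about a minute" in the post. A real log may also show `timed out resolving` rather than `host unreachable`, which is why both are matched.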
Steven Smith Thu, 12/10/2009 - 11:02

Let me forward this off to development and see what they come back with.

hhwesterg Thu, 12/10/2009 - 12:17

If you check your DNS Server log you might find the same issue as we have. Reloading also works for us, but that is because at that point the EDNS packet size has been throttled or turned off for that domain.

I got a private message from one of the Cisco engineers I called about this; he said that, from what he could gather so far, EDNS is more of an Enterprise feature and not for Small Business..... As I understand it, EDNS and DNSSEC are security features, and therefore I find it very strange that this SA 540 "Security" Appliance doesn't support them, but actually blocks them.

Selling Mediation, Rating and Billing software to Service Providers and Smart Grid Utilities we need as much security as we can get, not start turning it off to get the network to work.

Anyhow, we have now started testing the Vyatta Open Source router/firewall to see if that's the way to go. You have no idea how much that hurts after having worked with Cisco the last 10 years in my previous position as our company's Partner Manager for the Cisco Channel partner program.

We turned on debug logging on our Windows DNS server and are noticing DNS packet errors. Is Cisco looking into this issue and have any cases been opened for this? I believe it may even be affecting outgoing emails that are going through the box. I am getting strange e-mail kickbacks saying that e-mails are unroutable. Re-sending emails will usually work. It may be coincidental, but it could very well be related to the DNS issues that are going on.

Steven Smith Fri, 12/11/2009 - 09:43

We are currently looking into the DNS problem that is happening on the system.  It has been escalated to development.

Steven Smith Thu, 12/17/2009 - 12:16

Still working on this one. No updates yet. Thank you for your patience.

Steven Smith Thu, 12/17/2009 - 14:09

I am lobbying to get this fixed in our next release, but it has not been confirmed yet.

joniniemi Mon, 01/04/2010 - 00:48

I am definitely voting for this (we have SA 520)!

This "feature" is very annoying; the 20-euro firewall we had previously worked a lot better (even though its throughput was a lot lower, at least all the DNS packets got through). Browsing the web is a bit like running full speed against a brick wall: the speed is great, but when 10-20 % of the time you get a "Server not found" error, it sort of spoils the effect. :-(

razornet68 Mon, 01/04/2010 - 07:04

Is there any timeline on this issue?

It's odd to me that Cisco would put out a 'Small Business' device that can't properly handle DNS packets (integral to SMB networks)... having been a user of Watchguard equipment for years, but becoming frustrated with their licensing model, I decided to give this Cisco device a shot at one of my largest customers' main office.... OUCH! They don't want to hear 'just reload the page 5 times and it will eventually display'. This obviously also affects any service which requires DNS lookups outside the network.

I spent the better part of the afternoon explaining to the owner of said company why a $600 device doesn't work...

Steven Smith Mon, 01/04/2010 - 08:12

Timeline is before the end of January, but dates are tentative and can change.

Steven Smith Fri, 01/08/2010 - 14:23

Can you get a sniffer capture of this lookup from the LAN side of the SA500? If you can, also get a capture at the same time on the WAN port.

You can get one of these from the SA500, under Diagnostics, you can sniff packets.

juusotamm Mon, 01/11/2010 - 11:36

I'm using SA520 and had this same problem (Firmware 1.0.39). I disabled the "Block UDP flood" option in Firewall - Attacks settings and the problem disappeared and the network is working much faster now.

In my network I only have 4 macs that are all under my direct supervision so I'm not so worried about UDP Flood attacks from within my network.
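A way to check a change like the one above from a LAN host, independently of whether the appliance's own logging works, is to send DNS queries that differ only in the UDP payload size advertised in the EDNS0 OPT record and see which ones get a reply. The block below is an added example written for this page, not code from the thread, from Cisco or from any DNS package: it builds a raw query with an OPT record (RFC 6891 wire format on top of RFC 1035), parses the reply for the TC bit, RCODE, size and the server's advertised OPT size, and includes a constructed sample reply so the parser can be exercised offline. The query name, the 192.0.2.x address and the sample reply are assumptions for the example; `probe()` is IPv4-only and needs a reachable resolver when you actually run it.

```python
import os
import socket
import struct

OPT = 41  # RR type of the EDNS0 OPT pseudo-record (RFC 6891)


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a root byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(name, qtype=1, udp_size=4096, txid=None):
    """Recursive query plus an OPT RR advertising udp_size, the field that
    lets a server send a UDP reply larger than the classic 512 octets."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: empty (root) name, TYPE=41, CLASS carries the UDP payload size,
    # TTL carries extended RCODE/version/flags (all zero here), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Advance past a (possibly compressed) name; return the next offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, two bytes
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Pull out what matters for the EDNS question: TC bit, RCODE, total size
    and the UDP payload size the server advertised back in its OPT RR."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    opt_size = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            opt_size = rclass
    return {"txid": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "answers": an, "size": len(msg), "opt_udp_size": opt_size}


def classify(resp):
    """Interpret one probe result."""
    if resp is None:
        return "no reply: UDP response dropped in transit or server unreachable"
    if resp["tc"]:
        return "truncated: answer exceeds the offered size, resolver must retry over TCP"
    return "ok"


def probe(server, name, udp_size=4096, timeout=5.0, port=53):
    """Send one EDNS0 query over UDP and parse the reply (None on timeout).
    Run it with udp_size=4096 and again with 512 from a LAN host: if only the
    512 probe gets a reply, something between you and the server drops
    large DNS/UDP packets."""
    q = build_query(name, udp_size=udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    resp = parse_response(data)
    return resp if resp["txid"] == ((q[0] << 8) | q[1]) else None


def build_sample_response(query, answer_ip="192.0.2.1"):
    """Constructed reply to build_query() (not captured traffic): echoes the
    question, adds one A record via a compression pointer and an OPT RR
    advertising 4096, so parse_response() can be exercised offline."""
    qend = skip_name(query, 12) + 4
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 1)  # QR, RD, RA; 1 answer, 1 additional
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, 0)
    return header + query[12:qend] + answer + opt


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python3 probe.py <resolver-ip>
        for size in (4096, 512):
            print(size, classify(probe(sys.argv[1], "www.example.com", udp_size=size)))
    else:
        print(parse_response(build_sample_response(build_query("www.example.com", txid=0x1234))))
```

Pick a name whose answer is known to exceed 512 bytes (a DNSSEC-signed zone, or a name with many records) for the live probe; a small answer fits in 512 octets either way and proves nothing. Running the pair of probes from the LAN and from the WAN side of the appliance isolates where the large reply disappears, which is the same evidence the capture requested earlier in the thread would give.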

Steven Smith Mon, 01/11/2010 - 15:46

If it wouldn't be too much trouble for you, could you get what I was asking for, sniffer captures from both the WAN and LAN side of the box, with Block UDP Flood enabled? I would appreciate it very much.

ianmarsh1583 Wed, 07/14/2010 - 08:22

I am encountering this same issue with the 1.1.42 firmware on a SA 540 - does anyone know if it has officially been resolved?

jmichalec1 Fri, 08/21/2015 - 10:43

I just finished three weeks troubleshooting similar errors to yours, and I am employing a Cisco SA540 (FW and it turns out the solution had to do with the UDP flood setting. This is on by default, but if you have your own internal DNS servers, then I was advised to turn it off because it was causing some sort of collision in DNS since I had my own servers doing the job. I disabled it and we have been sailing faster than ever before since:

Remove tick from "Block UDP Flood"

I have received a few emails since from peers telling me it solved their DNS issues as well.
