nslookup timeout problem with SA 520 fw 1.1.42

Unanswered Question
Aug 19th, 2010

Hi,

We have some timeout problems with DNS lookups made through our SA 520.

I have searched this discussion forum and found a few related cases:

This case, for instance, describes almost the same behaviour with an SA 520w. Then the solution seemed to be to upgrade to fw 1.1.21, though that release note doesn't mention this as resolved?

https://supportforums.cisco.com/thread/2018831

However we have had this problem in both 1.1.42 and 1.1.21.

(I see that 1.1.65 is out, but a search of the release notes for "dns" has no relevant hits, so there is no reason to believe an upgrade will help.)

What happens after some SA 520 uptime is that the DNS requests start to time out. (We use an outside DNS server.)

This happens with all clients with multiple OS. (A restart of SA 520 postpones the issue for some time.)

However, manually doing a lookup in the SA 520 web interface results in (updating the cache?) the address being resolved (slowly, though).

So clearly there are some issues with this even in 1.1.42?

Below are some printouts:

- Here is one lookup done with a windows client

C:\Users>nslookup www.cisco.com
Server:  dnscache1.dataguard.no
Address:  213.158.233.130

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Forespørsel for å dnscache1.dataguard.no tidsavbrutt

C:\Users>

- At the same time, another request from a linux client:

[email protected]:~$ nslookup www.cisco.com
;; connection timed out; no servers could be reached

[email protected]:~$

- Then I go to Administration | Diagnostics in the SA 520 and execute the same DNS lookup there:

Server:     dnscache1.dataguard.no
Address:    213.158.233.130

Name:       origin-www.cisco.com
Address:    72.163.4.161

- This then results in all clients being able to resolve the address for some time, though still slowly:

Windows client:

C:\Users>nslookup www.cisco.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  213.158.233.130

Ikke-autoritativt svar:
DNS request timed out.
    timeout was 2 seconds.
Navn:    origin-www.cisco.com
Address:  72.163.4.161
Aliases:  www.cisco.com
          www.cisco.com.akadns.net
          geoprod.cisco.com.akadns.net


C:\Users>

Linux client:

[email protected]:~$ nslookup www.cisco.com
Server:         213.158.233.131
Address:        213.158.233.131#53

Non-authoritative answer:
www.cisco.com   canonical name = www.cisco.com.akadns.net.
www.cisco.com.akadns.net        canonical name = geoprod.cisco.com.akadns.net.
geoprod.cisco.com.akadns.net    canonical name = origin-www.cisco.com.
Name:   origin-www.cisco.com
Address: 72.163.4.161

[email protected]:~$

jwraalsen Fri, 09/10/2010 - 16:52

Hi, and thanks for your answer.

We just experienced some of these timeouts again, and I then generated and downloaded the dbglog as instructed.

In Firefox this just hung forever, but in IE it resulted in a tgz archive. This archive, however, does not contain an obvious log file to PM to you.


And I couldn't find any way to attach files to the PM system?

Please give me instructions on which logfile you need, and I'll be happy to send it to you.

regards

John

vianet.ca Tue, 11/22/2011 - 05:28

I am experiencing this exact same problem and have been for the last 2 firmware releases.  I've upgraded my 520W to 2.1.71 last week and the problem has actually worsened since the upgrade.  Was there ever a fix worked out for this issue?

vianet.ca Wed, 11/23/2011 - 09:56

I've tried several versions of firmware for the SA520W and factory-reset my router once just to be sure there wasn't something erroneous enabled by accident which could be causing some grief; nothing worked.  However, I think I may have found the problem.  Under Firewall > Attacks > LAN Security Checks, there is an option titled "Block UDP flood" which is enabled by default.  I've disabled this option and things seem to be fine now.

streaves Mon, 11/28/2011 - 11:46

Thanks for the update and special thanks for sharing with the Community.

Stephanie Reaves

Cisco Small Business
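
To confirm that a change such as disabling "Block UDP flood" really removes the timeouts reported in this thread, the lookups can be measured from a LAN client before and after the change. The Python probe below is an added example, not part of the original thread or any Cisco tool; it sends plain UDP queries with the same 2-second timeout nslookup reports above, and the function names, the 30-query run and the 1-second interval are assumptions.

```python
import os, socket, struct, sys, time

def build_query(name, qtype=1):
    """Return (txid, packet) for a recursive DNS query; qtype 1 = A record."""
    txid = os.urandom(2)
    header = txid + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class IN

def probe(server, name, port=53, timeout=2.0):
    """Send one UDP query; return the round trip in seconds, or None on timeout."""
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((server, port))        # only accept replies from this resolver
        start = time.monotonic()
        s.send(pkt)
        while True:
            remaining = timeout - (time.monotonic() - start)
            if remaining <= 0:
                return None
            s.settimeout(remaining)
            try:
                data = s.recv(4096)
            except socket.timeout:
                return None
            if data[:2] == txid:         # ignore stray or late replies
                return time.monotonic() - start

def summarize(rtts):
    """Condense a list of probe() results into loss and latency figures."""
    ok = [r for r in rtts if r is not None]
    lost = len(rtts) - len(ok)
    return {"sent": len(rtts), "timeouts": lost,
            "loss_pct": round(100.0 * lost / len(rtts), 1) if rtts else 0.0,
            "max_rtt": max(ok) if ok else None}

if __name__ == "__main__":
    # Usage (assumed): python dnsprobe.py <resolver-ip> <hostname>
    server, name = sys.argv[1], sys.argv[2]
    rtts = []
    for _ in range(30):
        rtts.append(probe(server, name))
        shown = "timeout" if rtts[-1] is None else f"{rtts[-1] * 1000:.0f} ms"
        print(time.strftime("%H:%M:%S"), shown)
        time.sleep(1.0)
    print(summarize(rtts))
```

Running it once with the firewall option enabled and once with it disabled, against the same resolver and name, gives two summaries whose timeout counts can be compared directly.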