Community Member

CSS: Flow-state / High number of UDP Flows

Hi,

We have recently added an application which is doing many DNS requests.

So there are about 60,000 UDP DNS flows in our flow table and we ran out of free ports on our group.

Our Configuration:

We have several applications (HTTP proxy, mail gateway, FTP server) which want to communicate with the Internet.

We NAT those servers into one VIP via a source group. We cannot add more VIPs or separate those servers into a different group.

group nat-outgoing
  vip address xxxx
  add service http-1
  add service http-2
  add service http-3
  add service notes-1
  add service mail-1
  add service mail-2
  add service mail-3
  flow-timeout-multiplier 19
  active

We had to set the flow timeout higher for HTTP, SMTP and FTP connections.

The mail gateways do many DNS requests to check against spam. Each time a flow entry is created (max 800/second).

I've looked into the command

flow-state 53 udp flow-disable nat-enable

which should disable creating flow entries for UDP port 53 (DNS).

But I am not sure if our source group does work after I disable the flow-state. The docs are not clear on that point.

What do I have to care about if I disable the flow-state for UDP 53?

Sven

1 REPLY
Cisco Employee

Re: CSS: Flow-state / High number of UDP Flows

Sven,

the group should work. That's the reason for the 'nat-enable' option.

It seems like the right solution to me.

Gilles.
