11-05-2003 03:17 AM - edited 03-09-2019 05:24 AM
Hi all,
CSCdy52910 Bug Details
Headline: DNS query failing with PAT under load
Product: pix
Model:
Component: fw
Duplicate of:
Severity: 4
Status: Verified
First Found-in Version: 6.2(1)
First Fixed-in Version: 6.3(2), 6.3(1.105)
Release Notes: With multiple recursive DNS servers on the inside that source DNS queries from a fixed port, such as 53, DNS queries can sporadically fail under a high query rate. The workaround is to configure a static for the DNS server.
Could someone please expand on what a DNS query failure exactly means? A timeout, packets coming back denied, packets getting corrupted?
Thanks,
Ouajih
11-05-2003 07:28 AM
Ouajih,
The person who filed this DDTS saw that the PIX would drop the DNS responses for a period of time. The problem stems from the fact that the DNS server was sending the packets from a fixed port such as 53. When the PIX tries to PAT these packets, we use the range from 1-512. If the DNS server responds to more than 512 queries in a 30 second period, the PAT xlate pool is exhausted and we have to wait for them to clear. This defect has been fixed in 6.3(3) code. Hope this helps.
Scott
11-05-2003 09:22 AM
Hi Scott,
Thanks for your answer.
I am not really sure if I understood exactly what you said.
By packets using the range from 1-512, do you mean that PAT will use 1-512 every 30 seconds with every (IP source/protocol/source port)?
For an xlate count of less than 512 for one IP address, the issue shouldn't occur then?
When it drops the DNS packet is it in silent mode (not logged)? Would it drop packets randomly?
Thanks in advance,
Ouajih
11-05-2003 10:07 AM
Let's try this:
Source port of packet is 0-512 = PIX will modify the packet to have a source port of 0-512
Source port of packet is 513-1024 = PIX will modify the packet to have a source port of 513-1024
Source port of packet is >1025 = PIX will modify the packet to have a source port of >1025
For an xlate count of less than 512 for one IP address, the issue shouldn't occur then?
Correct. This issue is only seen when we have more than 512 xlates (assuming a source port of 53 in this case) that need to be PAT'ed. Most applications are going to use a random source port above 1025. As you can see from the chart above, there are a number of ports the PIX can use in these cases. The problem only occurs when the application uses a source port below 1024 and generates a lot of packets at one time. Make sense?
When it drops the DNS packet is it in silent mode (not logged)? Would it drop packets randomly?
Nope, you will see the following syslog message referring to the fact that we were unable to create the translation:
%PIX-3-202001: Out of address translation slots!
The PIX will drop and log this message for all new packets that need to be PAT'ed until some of the source ports open up.
Hope this helps.
Scott
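As an added illustration (not code from this thread or from Cisco), here is a small Python model of the PAT behaviour Scott describes in his two replies above: one translation slot per flow, drawn from the band that the original source port falls in, a 512-port band for sources below 513, slots held for the 30-second window, and a drop plus the %PIX-3-202001 message once the band is exhausted. It also models the release-notes workaround, a static for the DNS server, as a host that bypasses the PAT pool and keeps its source port. The exact band boundaries, the per-flow keying, the fixed 30-second timer, the static-bypass modelling and the addresses 10.0.0.53 and 198.18.0.0/15 are assumptions made for the model, not facts from the page.

```python
import ipaddress
import random

XLATE_TIMEOUT = 30.0  # seconds; the 30-second window Scott describes

# Source-port bands from Scott's chart. Assumption: modelled as the inclusive
# ranges 1-512, 513-1024 and 1025-65535 (the real PIX boundaries may be off by one).
PORT_BANDS = [(1, 512), (513, 1024), (1025, 65535)]

OUT_OF_SLOTS_SYSLOG = "%PIX-3-202001: Out of address translation slots!"


def band_for(src_port):
    """Return the inclusive (low, high) band a mapped port is drawn from."""
    for low, high in PORT_BANDS:
        if low <= src_port <= high:
            return low, high
    raise ValueError(f"invalid source port {src_port}")


class PatFirewall:
    """Toy PAT table: one xlate per flow, mapped port chosen from the band of the
    original source port, freed XLATE_TIMEOUT seconds after creation (assumption:
    a fixed timer rather than the PIX's real idle timer)."""

    def __init__(self, static_hosts=()):
        # Hosts with a 'static' (one-to-one) translation, the bug's workaround,
        # are modelled as bypassing the PAT pool and keeping their source port.
        self.static_hosts = set(static_hosts)
        self.xlates = {}      # flow -> (mapped_port, created_at)
        self.used_ports = {}  # mapped_port -> flow
        self.syslog = []
        self.dropped = 0

    def _expire(self, now):
        for flow, (mapped, created) in list(self.xlates.items()):
            if now - created >= XLATE_TIMEOUT:
                del self.xlates[flow]
                del self.used_ports[mapped]

    def translate(self, src_ip, src_port, dst_ip, dst_port, now):
        """Return the outside source port for this flow, or None if the packet
        is dropped for lack of a translation slot."""
        if src_ip in self.static_hosts:
            return src_port
        self._expire(now)
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow in self.xlates:
            return self.xlates[flow][0]
        low, high = band_for(src_port)
        for candidate in range(low, high + 1):
            if candidate not in self.used_ports:
                self.xlates[flow] = (candidate, now)
                self.used_ports[candidate] = flow
                return candidate
        # Band exhausted: the PIX drops the packet and logs it, as Scott describes.
        self.dropped += 1
        self.syslog.append(f"{now:6.2f}s {OUT_OF_SLOTS_SYSLOG}")
        return None


def run_dns_burst(queries, src_port_for, static_hosts=(), window=XLATE_TIMEOUT):
    """Send `queries` DNS queries from the inside resolver 10.0.0.53 (constructed),
    evenly spread over `window` seconds, each to a different outside resolver.
    Returns (translated, dropped, syslog_lines)."""
    fw = PatFirewall(static_hosts)
    outside = int(ipaddress.IPv4Address("198.18.0.0"))  # constructed, RFC 2544 range
    ok = 0
    for i in range(queries):
        now = i * window / queries
        dst_ip = str(ipaddress.IPv4Address(outside + i))
        if fw.translate("10.0.0.53", src_port_for(i), dst_ip, 53, now) is not None:
            ok += 1
    return ok, fw.dropped, fw.syslog


def random_high_ports(seed=1):
    """Source-port chooser imitating an application that uses random ports >1024."""
    rng = random.Random(seed)
    return lambda i: rng.randint(1025, 65535)


if __name__ == "__main__":
    scenarios = [
        ("fixed port 53, 600 queries in 30 s", 600, lambda i: 53, ()),
        ("fixed port 53, 500 queries in 30 s", 500, lambda i: 53, ()),
        ("random ports >1024, 600 queries in 30 s", 600, random_high_ports(), ()),
        ("fixed port 53 behind a static", 600, lambda i: 53, ("10.0.0.53",)),
    ]
    for label, n, port_fn, statics in scenarios:
        ok, dropped, log = run_dns_burst(n, port_fn, statics)
        print(f"{label}: {ok} translated, {dropped} dropped")
        if log:
            print("  first syslog:", log[0])
```

Running it shows the thread's three points side by side: 600 fixed-port-53 queries in 30 s get 512 slots and 88 drops with a 202001 message each, 500 in the same window pass untouched, random source ports above 1024 never exhaust their much larger band, and a static for 10.0.0.53 removes the pool from the path entirely.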
11-05-2003 11:08 PM
Hi Scott,
Thanks a lot. It was very helpful.
Best regards,
Ouajih