Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Bug CSCdy52910

Hi all,

CSCdy52910 Bug Details

Headline DNS query failing with PAT under load

Product pix Model

Component fw Duplicate of

Severity 4 Status Verified

First Found-in Version 6.2(1) First Fixed-in Version 6.3(2), 6.3(1.105) Version help

Release Notes With multiple recursive DNS servers on the inside that source DNS query from fix port,

such as 53, DNS query can sporadically failed under high query rate.

The workaround is to configure static for the DNS server.

Could someone please expand on what a DNS query failure exactly mean??? time out, packets coming back denied, packet gets corrupted... ????

Thanks,

Ouajih

4 REPLIES

Re: Bug CSCdy52910

Ouajih,

The person who filed this DDTS saw that the PIX would drop the DNS responses for a period of time. The problem stems from the fact that the DNS server was sending the packets from a fixed port such as 53. When the PIX tries to PAT these packets, we use the range from 1-512. If the DNS server responds to more than 512 queries in a 30 second period, the PAT xalte pool is exhausted and we have to wait for them to clear. This defect has been fixed in 6.3(3) code. Hope this helps.

Scott

New Member

Re: Bug CSCdy52910

Hi Scott,

Thanks for your answer.

I am not really sure if I understood exactly what you said?

By packet using the range from 1-512, do you mean that PAT will use 1-512 every 30 seconds with every (IPsource/protocol/sourceport)?

For an xlate count of less than 512 for a one ip address, issue shouldn’t occur then?

When it drops the DNS packet is it in silent mode (not logged)? Would it drop packets randomly?

Thanks in advance,

Ouajih

Re: Bug CSCdy52910

Let's try this:

Source port of packet is 0-512 = PIX will modify the packet to have a source port of 0-512

Source port of packet is 513-1024 = PIX will modify the packet to have a source port of 513-1024

Source port of packet is >1025 = PIX will modify the packet to have a source port of >1025

For an xlate count of less than 512 for a one ip address, issue shouldn’t occur then?

Correct. This issue is only seen when we have more that 512 xlates (assuming a source port of 53 in this case) that need to be PAT'ed. Most applications are going to use a random source port above 1025. As you can see from the chart above, there are a number of ports the PIX can use in these cases. The problem nly occurs when the application uses a source port below 1024 and generates a lot of packets at one time. Make sense?

When it drops the DNS packet is it in silent mode (not logged)? Would it drop packets randomly?

Nope, you will see the following syslog message referring to the fact that we were unable to create the translation:

%PIX-3-202001: Out of address translation slots!

The PIX will drop and log this message for all new packets that need to be PAT'ed until some of the source ports open up.

Hope this helps.

Scott

New Member

Re: Bug CSCdy52910

Hi Scott,

Thanks a lot. it was very helpfull.

Best regards,

Ouajih

86
Views
5
Helpful
4
Replies