The person who filed this DDTS saw that the PIX would drop the DNS responses for a period of time. The problem stems from the fact that the DNS server was sending the packets from a fixed port such as 53. When the PIX tries to PAT these packets, we use the range from 1-512. If the DNS server responds to more than 512 queries in a 30 second period, the PAT xalte pool is exhausted and we have to wait for them to clear. This defect has been fixed in 6.3(3) code. Hope this helps.
Source port of packet is 0-512 = PIX will modify the packet to have a source port of 0-512
Source port of packet is 513-1024 = PIX will modify the packet to have a source port of 513-1024
Source port of packet is >1025 = PIX will modify the packet to have a source port of >1025
For an xlate count of less than 512 for a one ip address, issue shouldnt occur then?
Correct. This issue is only seen when we have more that 512 xlates (assuming a source port of 53 in this case) that need to be PAT'ed. Most applications are going to use a random source port above 1025. As you can see from the chart above, there are a number of ports the PIX can use in these cases. The problem nly occurs when the application uses a source port below 1024 and generates a lot of packets at one time. Make sense?
When it drops the DNS packet is it in silent mode (not logged)? Would it drop packets randomly?
Nope, you will see the following syslog message referring to the fact that we were unable to create the translation:
%PIX-3-202001: Out of address translation slots!
The PIX will drop and log this message for all new packets that need to be PAT'ed until some of the source ports open up.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...