Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
608
Views
0
Helpful
3
Replies

DNS query problem in FWSM

raymond1234
Level 1
Level 1

‎01-31-2006 10:12 AM - edited ‎03-09-2019 01:48 PM

Hi, Thanks for this information.

We have a unique problem in our network. DNS queries are not resolving intermittently. Everything works fine for a day. And suddenly nobidy can able to connect to the internet. Once we issue command "Clear xlate" on the FWSM we are able to go to the internet for one more day. We have FWSM as our firewall and all the hosts inside the network are PATed. Our internal DNS Server is pointed to the outside DNS server 4.2.2.2 for outside queries. So for every queries internal DNS will send the query to the outside DNS. This is the setup.

During the problem, we captured the Connections in FWSM by

"Sh conn" command

it shows lots of following DNS connections

UDP out 4.2.2.3:53 in 172.16.5.28:3869 idle 0:00:42 Bytes 36

FLAGS - D

UDP out 4.2.2.1:53 in 172.16.5.29:1869 idle 0:00:50 Bytes 36

FLAGS - D

UDP out 4.2.2.3:53 in 172.16.5.28:3869 idle 0:01:12 Bytes 36

FLAGS - D

UDP out 4.2.2.1:53 in 172.16.5.29:1869 idle 0:01:33 Bytes 36

FLAGS - D

UDP out 4.2.2.1:53 in 172.16.5.29:1869 idle 0:01:24 Bytes 36

FLAGS - D

UDP out 4.2.2.3:53 in 172.16.5.28:3869 idle 0:00:29 Bytes 36

FLAGS - D

UDP out 4.2.2.2:53 in 172.16.5.29:1869 idle 0:00:49 Bytes 36

FLAGS - D

UDP out 4.2.2.3:53 in 172.16.5.28:3869 idle 0:01:51 Bytes 36

FLAGS - D

UDP out 4.2.2.2:53 in 172.16.5.29:1869 idle 0:00:48 Bytes 36

FLAGS - D

UDP out 4.2.2.2:53 in 172.16.5.29:1869 idle 0:01:47 Bytes 36

FLAGS - D

UDP out 4.2.2.3:53 in 172.16.5.28:3869 idle 0:00:24 Bytes 36

FLAGS - D

UDP out 4.2.2.1:53 in 172.16.5.29:1869 idle 0:01:47 Bytes 36

FLAGS - D

UDP out 192.168.255.255:138 in 192.168.18.20:138 idle 0:00:46 Bytes 2946

FLAGS -

UDP out 4.2.2.2:53 in 172.16.5.29:1869 idle 0:00:23 Bytes 36

FLAGS - D

UDP out 4.2.2.1:53 in 172.16.5.29:1869 idle 0:01:50 Bytes 36

FLAGS - D

UDP out 4.2.2.2:53 in 172.16.5.29:1869 idle 0:01:23 Bytes 36

FLAGS - D

UDP out 4.2.2.1:53 in 172.16.5.29:1869 idle 0:00:27 Bytes 36

FLAGS - D

once you do "Clear xlate" everything is normal.

Please let me know if anybody knows what the issue was ?

Thanks

Labels:
0 Helpful
3 Replies 3

d.valsania
Level 1
Level 1

‎01-31-2006 01:30 PM

hi

try to change the default value of 3 hours in 3/5 minute:

"timeout xlate 3:00:00"

in

"timeout xlate 0:03:00"

or if nothing happen

do

"no fixup protocol dns"

hope this help

ciao

davide

0 Helpful

raymond1234
Level 1
Level 1
In response to d.valsania

‎02-06-2006 02:16 PM

Thanks for your

I did this. But still we are getting this problem.

Please help us to resolve this problem.

Thanks

0 Helpful

d.valsania
Level 1
Level 1
In response to raymond1234

‎02-06-2006 11:21 PM

hi

two other things that help me to resolve a similar issue:

* have you tried the c6svc-fwm-k9.2-3-3-2.bin? (if not upgrade!)

* try fixup protocol dns maximum-length 1500 (the default is 512 and the fwsm drop packets that are larger than the configured maximum length)

ciao

davide

0 Helpful
Customers Also Viewed These Support Documents