Pix 6.3(3) and UDP issues

We upgraded to 6.3(3) on our Pixes and saw a huge increase in reported connections. The problem seemed to be UDP port 53 (DNS) sessions that would not time out. The connection count is more than 10000, and this is seen when we do sh conn. On checking, the IPs making connections to our domain controllers are all the adv sites. The only way to clear it is doing clear xlate, but then the UDP connections keep on increasing and increasing. We tried to block the address on the external router, but then again the connections are seen from a different address. We have blocked many hosts, but it doesn't seem to resolve the issue.

Awaiting feedback.

Thanks and Regards

Bhavin

2 REPLIES

Re: Pix 6.3(3) and UDP issues

Hi,

Try to disable DNS fixup and see if you get the problem:

The [no] fixup protocol dns [maximum-length <512-65535>] command can be used to enable/disable the DNS fixup.

Based on this maximum-length configured by the user, the DNS fixup checks to see if the DNS packet length is within this limit. Every UDP DNS packet (request/response) undergoes the above check. The PIX Firewall drops DNS packets sent to UDP port 53 that are larger than the configured maximum length. The default value is 512 bytes.

If DNS fixup is disabled, the Address record (A-record) is not NATed and the DNS ID is not matched in requests and responses. By disabling DNS fixup, the maximum length check on UDP DNS packets is bypassed and packets greater than the maximum length configured are permitted.

Thanks – Jay.

Re: Pix 6.3(3) and UDP issues

Hi,

Excellent analysis and your problem description is dead on. This is a bug in the 6.3(3) PIX code. The ID for this DDTS is CSCec45748. The problem is that we are improperly resetting the idle timer for old DNS conns when new DNS conns come in. This bug has been resolved in the latest 6.3(3) interim build. Please open a TAC case and request the latest 6.3(3) interim build for this issue. Good luck and sorry for the problems.

Scott
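As an added example (not code from this thread or from Cisco), a small Python triage script for the symptom Bhavin describes: it parses `show conn` output, counts UDP/53 entries per outside host, and lists DNS entries whose idle time already exceeds the UDP timeout (which should have been torn down). The `show conn` line layout and the 2-minute UDP timeout are assumed; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in the PIX 6.x "show conn" layout (layout assumed from
# memory; adjust CONN_RE if your firewall prints the fields differently).
SAMPLE_SHOW_CONN = """\
UDP out 203.0.113.10:1137 in 10.1.1.5:53 idle 0:01:58 flags -
UDP out 203.0.113.10:1138 in 10.1.1.5:53 idle 0:01:57 flags -
UDP out 203.0.113.10:1139 in 10.1.1.5:53 idle 0:01:55 flags -
UDP out 203.0.113.44:2001 in 10.1.1.5:53 idle 0:00:03 flags -
TCP out 198.51.100.7:80 in 10.1.1.20:3301 idle 0:00:10 Bytes 1240 flags UIO
UDP out 203.0.113.10:1140 in 10.1.1.6:53 idle 0:03:10 flags -
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)\s+idle\s+(?P<idle>\d+:\d\d:\d\d)"
)

def parse_idle(text):
    """Convert an H:MM:SS idle field to seconds."""
    h, m, s = text.split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)

def parse_conns(text):
    """Return one dict per recognised connection line; unknown lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            c = m.groupdict()
            c["out_port"], c["in_port"] = int(c["out_port"]), int(c["in_port"])
            c["idle_s"] = parse_idle(c["idle"])
            conns.append(c)
    return conns

def is_dns(c):
    # Inside host answering on UDP/53 (the domain controllers in the thread).
    return c["proto"] == "UDP" and c["in_port"] == 53

def dns_conns_by_outside_host(conns):
    """How many UDP/53 entries each outside address holds open."""
    return Counter(c["out_ip"] for c in conns if is_dns(c))

def stale_dns_conns(conns, udp_timeout_s=120):
    """DNS entries idle longer than the UDP timeout (assumed default 0:02:00)."""
    return [c for c in conns if is_dns(c) and c["idle_s"] > udp_timeout_s]

if __name__ == "__main__":
    conns = parse_conns(SAMPLE_SHOW_CONN)
    for host, n in dns_conns_by_outside_host(conns).most_common():
        print(f"{host}: {n} UDP/53 conns")
    for c in stale_dns_conns(conns):
        print(f"stale: {c['out_ip']} -> {c['in_ip']} idle {c['idle']}")
```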
