Cisco Support Community

New Member

PIX DNS Timeout

Here is the problem:

I have a PIX 520 with an HTTP proxy (MS ISA Server) behind it. The proxy is dynamically NATed to go out to the Internet. The setup works for a while, after which it fails to resolve host names.

Funnily, I can do a lookup using 'nslookup', but a 'ping' yields an 'unknown host' error. From what I understand, the DNS queries are timing out. I can ping and browse using the IP addresses, so it is definitely a DNS timeout problem.

I tried increasing the timeout of UDP to 3 minutes from 2 minutes. But that didn't help.

Any ideas or workarounds?



: Saved

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
pager lines 24
logging on
logging trap debugging
logging host inside
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside
pdm location inside
pdm location inside
pdm location inside
pdm history enable
arp timeout 14400
global (outside) 1 netmask
nat (inside) 1 0 0
nat (inside) 1 0 0
conduit permit icmp any any
route outside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet inside
telnet timeout 5
ssh timeout 5
terminal width 80

: end


Re: PIX DNS Timeout

Do a clear xlate, then try a web site, and then do a show xlate and show conn to see if traffic is going through. You can also turn on logging to see in detail what's going on.

As a side note, change your community string from the default public (security problems).

Let us know what the show and debug commands show.


New Member

Re: PIX DNS Timeout

A 'clear xlate' does not help.

The setup works fine for a while and then this problem starts appearing. I can browse sites using IP addresses but not hostnames. But from the command line, 'nslookup' works.

Also, if I replace the PIX with an MS ISA Firewall, things work fine.

Are there any documented issues of PIX not being able to handle over-sized UDP packets?

New Member

Re: PIX DNS Timeout


We experienced the exact same issue. In fact we are using a 520 with 6.1(4) ... Did you solve the problem? ... Any advice?

Best Regards


New Member

Re: PIX DNS Timeout

I think we had this problem recently as well, and I found the following (I just can't remember where in CCO). Let me know if this helps you.


5. IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX. To create reverse DNS mappings, use a DNS Pointer (PTR) record in the address-to-name mapping file for each global address. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests fail consistently.

For example, if a global IP address is and the domain name for the PIX firewall is, the PTR record would be: IN PTR IN PTR and so on.

And this is from the DNS Records Document:


Unlike the other SOA records, Pointer (PTR) records are used only in reverse (IN-ADDR.ARPA) domains. There must be exactly one PTR record for each Internet address. For example, if the host has an IP address of, then there must be a PTR record for it in the following format: IN PTR

Reverse domains contain mainly PTR records (plus SOA and NS records at the top.)

The Berkeley r-utilities use the value of the PTR record for hostname authentication. Although DNS specifies that case is not significant in host names, be aware that some operating systems are sensitive to host name case.
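The quoted note says every address handed out by the global pool needs a PTR record in the reverse zone, and that gaps show up as slow or intermittent connectivity. Below is an added example (not Cisco's code and not something anyone posted in this thread) that reads a BIND-style reverse zone file and reports which pool addresses have no PTR. The pool range 192.0.2.10-192.0.2.13 and the zone text are constructed sample data standing in for the addresses redacted from the config above; a real run would load the zone file or zone transfer for your own in-addr.arpa delegation.

```python
"""
Check that every address in a PIX 'global (outside)' pool has a PTR record.

Added example for this thread; the pool range and reverse zone below are
constructed sample data, not values from the original (redacted) config.
"""
import ipaddress
import re

# Constructed sample reverse zone for 2.0.192.in-addr.arpa.
# Address .12 deliberately has no PTR so the check has something to catch.
SAMPLE_REVERSE_ZONE = """\
$ORIGIN 2.0.192.in-addr.arpa.
$TTL 86400
@    IN SOA ns1.example.com. hostmaster.example.com. (
         2024010101 ; serial
         3600       ; refresh
         900        ; retry
         604800     ; expire
         86400 )    ; minimum
     IN NS  ns1.example.com.
10   IN PTR pix-global-10.example.com.
11   3600 IN PTR pix-global-11.example.com.
13.2.0.192.in-addr.arpa. IN PTR pix-global-13.example.com.
"""

# owner [ttl] [IN] PTR target
PTR_LINE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?PTR\s+(\S+)$', re.IGNORECASE)


def parse_ptr_records(zone_text, origin=""):
    """Return {dotted_ip: target_name} for every PTR record in a reverse zone.

    Owner names may be relative to $ORIGIN (e.g. '10') or fully qualified
    ('10.2.0.192.in-addr.arpa.'). Comments and non-PTR records are ignored.
    """
    ptrs = {}
    for raw in zone_text.splitlines():
        line = raw.split(';', 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.upper().startswith('$ORIGIN'):
            origin = line.split()[1]
            continue
        m = PTR_LINE.match(line)
        if not m:
            continue
        owner, target = m.group(1), m.group(2)
        if not owner.endswith('.'):
            owner = f"{owner}.{origin.rstrip('.')}."
        labels = owner.rstrip('.').split('.')
        if len(labels) != 6 or labels[-2:] != ['in-addr', 'arpa']:
            continue   # not a complete IPv4 reverse name; skip it
        ptrs['.'.join(reversed(labels[:4]))] = target
    return ptrs


def global_pool(start, end):
    """Expand a 'global (outside) <id> <start>-<end>' range into its addresses."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return [str(ipaddress.IPv4Address(n)) for n in range(int(first), int(last) + 1)]


def missing_ptrs(pool, ptrs):
    """Pool addresses with no PTR record: the gap the quoted note warns about."""
    return [ip for ip in pool if ip not in ptrs]


if __name__ == "__main__":
    records = parse_ptr_records(SAMPLE_REVERSE_ZONE)
    pool = global_pool("192.0.2.10", "192.0.2.13")
    for ip in pool:
        print(f"{ip:<14} {records.get(ip, '<no PTR>')}")
    gaps = missing_ptrs(pool, records)
    print("missing PTR for:", ", ".join(gaps) if gaps else "none")
```

Run it against the zone file that serves your pool's in-addr.arpa delegation (or the output of a zone transfer from the authoritative server); any address it lists under "missing PTR" is one that remote sites cannot resolve in reverse.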

New Member

Re: PIX DNS Timeout

OK ... will try, but let me figure it out.

As I see it, your explanation means that when we have a global, something happens and finally someone on the Internet queries the name for that IP ... you know why?

Best Regards

New Member

Re: PIX DNS Timeout

Not really. Sorry.


New Member

Re: PIX DNS Timeout

OK ... but that's the way you solved it, right?



New Member

Re: PIX DNS Timeout

Check out this URL

If that link doesn't work, search Cisco's page for "IDENT protocol".
