
New Member

PIX DNS Timeout

Here is the problem:

I have a PIX 520 with a HTTP Proxy (MS ISA Server) behind it. The Proxy is dynamically natted to go out to the internet. The setup works for a while after which it fails to resolve host names.

Funnily, I can do a lookup using 'nslookup' but a 'ping www.yahoo.com' yields 'unknown host' error. From what I understand, the dns queries are timing out. I can ping and browse using the IP addresses, so it is definitely a dns timeout problem.

I tried increasing the timeout of UDP to 3 minutes from 2 minutes. But that didn't help.

Any ideas or workarounds?

TIA,

Siddhartha

: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
logging on
logging trap debugging
logging host inside 172.16.32.109
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 203.124.144.3 255.255.255.128
ip address inside 172.16.32.246 255.255.252.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
pdm location 172.16.32.109 255.255.255.255 inside
pdm location 172.16.0.0 255.255.0.0 inside
pdm location 172.16.32.165 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 203.124.144.4 netmask 255.255.255.255
nat (inside) 1 172.16.32.109 255.255.255.255 0 0
nat (inside) 1 172.16.32.165 255.255.255.255 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 203.124.144.1 1
route inside 172.16.0.0 255.255.0.0 172.16.32.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol tacacs+
http server enable
http 172.16.32.109 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 172.16.32.109 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:852686439834eb4795b602ddb881f4e9
: end

8 REPLIES

Re: PIX DNS Timeout

Do a clear xlate, then try a web site, and then do a show xlate and show conn to see if traffic is going through. You can also turn on logging to see in detail what's going on.

As a side note, change your community string from the default public (security problems).

Let us know what the show and debug show.

Steve

New Member

Re: PIX DNS Timeout

A 'clear xlate' does not help.

The setup works fine for a while and then this problem starts appearing. I can browse sites using IP addresses but not hostnames. But from the command-line 'nslookup' works.

Also, if I replace the PIX with a MS ISA Firewall, things work fine.

Are there any documented issues of PIX not being able to handle over-sized UDP packets?

New Member

Re: PIX DNS Timeout

Hi

We experienced the exact same issue. In fact we are using a 520 with 6.1(4) ... Did you solve the problem? ... Any advice?

Best Regards

Alexi

New Member

Re: PIX DNS Timeout

I think we had this problem recently as well and I found the following (I just can't remember where in CCO). Let me know if this helps you.

Norman

5. IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX. To create reverse DNS mappings, use a DNS Pointer (PTR) record in the address-to-name mapping file for each global address. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests fail consistently.

For example, if a global IP address is 175.1.1.3 and the domain name for the PIX firewall is pix.caguana.com, the PTR record would be:

3.1.1.175.in-addr.arpa. IN PTR pix3.caguana.com

4.1.1.175.in-addr.arpa. IN PTR pix4.caguana.com, and so on.

And this is from the DNS Records Document:

Pointer

Unlike the other SOA records, Pointer (PTR) records are used only in reverse (IN-ADDR.ARPA) domains. There must be exactly one PTR record for each Internet address. For example, if the host gadzooks.poetry.arizona.edu has an IP address of 128.196.47.55, then there must be a PTR record for it in the following format:

55.47.196.128.IN-ADDR.ARPA. IN PTR gadzooks.poetry.arizona.edu.

Reverse domains contain mainly PTR records (plus SOA and NS records at the top.)

The Berkeley r-utilities use the value of the PTR record for hostname authentication. Although DNS specifies that case is not significant in host names, be aware that some operating systems are sensitive to host name case.
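The reverse-mapping rule quoted above (one PTR record per global address, owner name built from the reversed octets under in-addr.arpa) as an added example, not code from the thread or from Cisco: it builds the PTR records for a global pool and audits a zone file for pool addresses that have no PTR or more than one. The zone text, the pool and the host naming scheme (pix3, pix4, ...) are constructed from the figures in Norman's post.

```python
import ipaddress
import re
from collections import defaultdict

def reverse_name(ip):
    """Owner name for an IPv4 PTR record: 175.1.1.3 -> 3.1.1.175.in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def ptr_records(pool, domain, label="pix"):
    """One PTR record per global address, host label '<label><last octet>' as in the post."""
    records = []
    for ip in pool:
        last_octet = str(ipaddress.IPv4Address(ip)).rsplit(".", 1)[1]
        records.append(f"{reverse_name(ip)} IN PTR {label}{last_octet}.{domain}.")
    return records

# Matches "owner [ttl] IN PTR target"; owner names are assumed fully qualified.
PTR_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+PTR\s+(\S+)$", re.IGNORECASE)

def audit_reverse_zone(zone_text, pool):
    """Return (missing, duplicated): pool addresses with zero or with several PTR records."""
    counts = defaultdict(int)
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        m = PTR_LINE.match(line)
        if m:
            counts[m.group(1).lower()] += 1
    missing = [ip for ip in pool if counts[reverse_name(ip).lower()] == 0]
    duplicated = [ip for ip in pool if counts[reverse_name(ip).lower()] > 1]
    return missing, duplicated

# Constructed sample zone: 175.1.1.3 is listed twice and 175.1.1.5 is not listed at all.
SAMPLE_ZONE = """
; reverse zone fragment for the global pool (constructed sample)
3.1.1.175.in-addr.arpa. IN PTR pix3.caguana.com.
3.1.1.175.in-addr.arpa. IN PTR pix-old.caguana.com.
4.1.1.175.in-addr.arpa. 3600 IN PTR pix4.caguana.com.
"""
POOL = ["175.1.1.3", "175.1.1.4", "175.1.1.5"]

if __name__ == "__main__":
    for rec in ptr_records(POOL, "caguana.com"):
        print(rec)
    missing, duplicated = audit_reverse_zone(SAMPLE_ZONE, POOL)
    print("missing PTR:", missing, "| duplicate PTR:", duplicated)
```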

New Member

Re: PIX DNS Timeout

Ok ... will try, but let me figure it out.

As I see, your explanation means that when we have a global something happens and finally someone in the Internet queries the name for that IP ... you know why?

Best Regards

New Member

Re: PIX DNS Timeout

Not really. Sorry.

Norman

New Member

Re: PIX DNS Timeout

Ok ... but that's the way you solved it, right?

Regards

Alexi

New Member

Re: PIX DNS Timeout

Check out this URL

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094317.shtml

If that link doesn't work, search Cisco's page for "IDENT protocol".
