We have placed our OS X 10.6 Server running DNS, Mail and Web server on the SA 540's LAN. After doing this we have had quite a few DNS problems; we get the following in the DNS server log while, e.g., trying to reach www.amazon.com from a browser on the server (the browser hangs for about a minute until the following shows up in the log, and then the site loads):
10-Dec-2009 00:17:05.037 host unreachable resolving 'ns94.footprint.net/AAAA/IN': 2001:dc3::35#53
10-Dec-2009 00:17:05.038 host unreachable resolving 'ns94.footprint.net/AAAA/IN': 2001:500:2f::f#53
10-Dec-2009 00:17:05.114 success resolving 'ns94.footprint.net/AAAA' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
10-Dec-2009 00:17:05.401 success resolving 'pdns6.ultradns.co.uk/AAAA' (in 'uk'?) after disabling EDNS
10-Dec-2009 00:17:05.404 success resolving 'ns96.footprint.net/AAAA' (in '.'?) after disabling EDNS
What I have been able to find on the net is that people who have had the same problem changed some DNS cache settings on their router or some firewall setting in their firewall.
"Quote by MacTroll:
Your DNS server is attempting to use DNSSEC, for validated DNS lookups. This requires a larger UDP packet size, >512 bytes, than your firewall seems to like. It then has to wait to both decide it needs to reduce packet size /and/ to get a negative result on the lookup."
"I had the same problem; after reading this and other posts I looked at my router config and enabled an option to reduce packet size for its DNS caching, and that seems to have resolved this issue for me."
"NOTE: Some older firewall firmware (such as Cisco PIX) will block all DNS packets with EDNS0 enabled.
If needed, you can disable EDNS0 in the Simple DNS Plus Options dialog / DNS / Miscellaneous section, but we highly recommend you get the firewall firmware updated instead."
I have not been able to find anything on the SA 540 that would make me do any similar changes. Any suggestions?
I tried to turn on Logging under Administration->Logging but nothing shows up under Status->View Logs after that (btw, does logging work on this thing?)
SA 540 Firmware 1.0.39
BTW, I have tried this without any firewall rules on the SA 540, with rules allowing TCP/UDP DNS (port 53) and with an allow-all rule to the LAN, no changes. The server worked fine when we still had the Linksys RV042 working (dead power supply).
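Added example, not from the thread: a small Python triage over BIND (named) log lines of the kind quoted above. It groups "host unreachable" events and the two EDNS fallbacks ("reducing the advertised EDNS UDP packet size" and "disabling EDNS") per queried name, so you can see how many lookups only succeeded once EDNS was shrunk or switched off. The sample log is constructed from the lines in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the named log lines quoted in the post above.
SAMPLE_LOG = """\
10-Dec-2009 00:17:05.037 host unreachable resolving 'ns94.footprint.net/AAAA/IN': 2001:dc3::35#53
10-Dec-2009 00:17:05.038 host unreachable resolving 'ns94.footprint.net/AAAA/IN': 2001:500:2f::f#53
10-Dec-2009 00:17:05.114 success resolving 'ns94.footprint.net/AAAA' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets
10-Dec-2009 00:17:05.401 success resolving 'pdns6.ultradns.co.uk/AAAA' (in 'uk'?) after disabling EDNS
10-Dec-2009 00:17:05.404 success resolving 'ns96.footprint.net/AAAA' (in '.'?) after disabling EDNS
"""

UNREACHABLE = re.compile(r"host unreachable resolving '([^']+)': (\S+)")
REDUCED = re.compile(r"success resolving '([^']+)' .* after reducing the advertised "
                     r"EDNS UDP packet size to (\d+) octets")
DISABLED = re.compile(r"success resolving '([^']+)' .* after disabling EDNS")


def _key(name):
    # 'ns94.footprint.net/AAAA/IN' and 'ns94.footprint.net/AAAA' are the same lookup
    return re.sub(r"/IN$", "", name)


def triage_edns(log_text):
    """Map each name/type to its list of (event, detail) tuples.

    'unreachable' carries the remote server address, 'reduced' the new
    advertised size in octets, 'disabled' no detail.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if m := UNREACHABLE.search(line):
            events[_key(m.group(1))].append(("unreachable", m.group(2)))
        elif m := REDUCED.search(line):
            events[_key(m.group(1))].append(("reduced", int(m.group(2))))
        elif m := DISABLED.search(line):
            events[_key(m.group(1))].append(("disabled", None))
    return dict(events)


def edns_fallback_names(events):
    """Names that resolved only after shrinking or disabling EDNS: a strong hint
    that something on the path drops UDP DNS messages larger than 512 bytes."""
    return sorted(n for n, ev in events.items()
                  if any(kind in ("reduced", "disabled") for kind, _ in ev))
```

Run it over a real named log instead of SAMPLE_LOG; a high share of fallback names points at the firewall rather than at the remote authoritative servers.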
I am also getting DNS errors/slowness when accessing websites. Reloading the page usually does the trick. But it is very annoying. I am also waiting on a fix for the DMZ port. Very buggy system.
Using firmware 1.0.39
If you check your DNS server log you might find the same issue as we have. Reloading also works for us, but that is because at that point the EDNS packet size has been throttled or turned off for that domain.
I got a private message from one of the Cisco engineers I called about this; he said that from what he could gather so far, EDNS is more of an Enterprise feature and not for Small Business... As I understand it, EDNS and DNSSEC are security features, and therefore I find it very strange that this SA 540 "Security" Appliance doesn't support them, but actually blocks them.
Selling Mediation, Rating and Billing software to Service Providers and Smart Grid Utilities we need as much security as we can get, not start turning it off to get the network to work.
Anyhow, we have now started testing the Vyatta Open Source router/firewall to see if that's the way to go. You have no idea how much that hurts after having worked with Cisco the last 10 years in my previous position as our company's Partner Manager for the Cisco Channel partner program.
We turned on debug logging on our Windows DNS server and are noticing DNS packet errors. Is Cisco looking into this issue, and have any cases been opened for this? I believe it may even be affecting outgoing emails that are going through the box. I am getting strange e-mail kickbacks saying that e-mails are unroutable. Re-sending emails will usually work. It may be coincidental, but it could very well be related to the DNS issues that are going on.
We are currently looking into the DNS problem that is happening on the system. It has been escalated to development.
I am definitely voting for this (we have SA 520)!
This "feature" is very annoying; the 20-euro firewall we had previously worked a lot better (even though its throughput was a lot lower, at least all the DNS packets got through). Browsing the web is a bit like running full speed against a brick wall: speed is great, but when 10-20 % of the time you get a "Server not found" error, it sort of spoils the effect. :-(
Is there any timeline on this issue?
It's odd to me that Cisco would put out a 'Small Business' device that can't properly handle DNS packets (integral to SMB networks)... having been a user of Watchguard equipment for years, but becoming frustrated with their licensing model, I decided to give this Cisco device a shot at one of my largest customers' main office.... OUCH! They don't want to hear 'just reload the page 5 times and it will eventually display'. This is obviously also affecting any service which requires DNS lookups outside the network.
I spent the better part of the afternoon explaining to the owner of said company why a $600 device doesn't work...
Can you get a sniffer of this lookup from the LAN side of the SA500? If you can as well, get the sniffer at the same time for WAN port.
You can get one of these from the SA500, under Diagnostics, you can sniff packets.
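Added example, not from the thread or from Cisco: a minimal Python builder and parser for the EDNS0 OPT pseudo-record (RFC 6891), which is where a resolver advertises the UDP payload size MacTroll's quote refers to. build_query makes the kind of AAAA query BIND sends (with or without EDNS); advertised_edns_size pulls the advertised size out of a captured packet, so a sniffer capture from the LAN and WAN ports can be checked for whether the OPT record and large size survive the box. The transaction ID and names are constructed values.

```python
import struct

EDNS_OPT_TYPE = 41  # RR type of the OPT pseudo-record


def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype=28, edns_size=None, dnssec_ok=False, txid=0x1234):
    """Wire-format DNS query; qtype 28 = AAAA. If edns_size is given, append an
    OPT RR in the additional section: its CLASS field carries the advertised
    UDP payload size and bit 15 of its TTL field is the DNSSEC OK (DO) bit."""
    arcount = 1 if edns_size is not None else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    pkt += _encode_name(name) + struct.pack("!HH", qtype, 1)      # class IN
    if edns_size is not None:
        ttl = 0x8000 if dnssec_ok else 0
        pkt += b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, edns_size, ttl, 0)
    return pkt


def _skip_name(pkt, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        l = pkt[off]
        if l & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if l == 0:
            return off
        off += l


def advertised_edns_size(pkt):
    """UDP payload size advertised in the OPT RR, or None when the message has
    no EDNS0 (a classic DNS message limited to 512 bytes over UDP)."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == EDNS_OPT_TYPE:
            return rclass
    return None
```

If the LAN-side capture shows an OPT record advertising e.g. 4096 but the WAN side never sees a reply larger than 512 bytes, the drop is happening in the appliance, not upstream.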
I'm using SA520 and had this same problem (Firmware 1.0.39). I disabled the "Block UDP flood" option in Firewall - Attacks settings and the problem disappeared and the network is working much faster now.
In my network I only have 4 macs that are all under my direct supervision so I'm not so worried about UDP Flood attacks from within my network.
If it wouldn't be too much trouble for you, could you get what I was asking for as far as sniffers from both the WAN and LAN side of the box with the block udp flood enabled? I would appreciate it very much.
There is a new firmware available for this now. There was a change to the block udp flood that was causing this issue.
That should fix the issue.
I am encountering this same issue with the 1.1.42 firmware on a SA 540 - does anyone know if it has officially been resolved?
I just finished three weeks troubleshooting similar errors to you and I am employing a Cisco SA540 (FW 126.96.36.199) and it turns out the solution had to do with the UDP flood. This is on by default, but if you have your own internal DNS servers, then I was advised to turn it off because it was causing some sort of collision in DNS since I had my own servers doing the job. I disabled it and we have been sailing faster than ever before since:
FIREWALL --> ATTACKS
Remove tick from "Block UDP Flood"
I have received a few emails since from peers telling me it solved their DNS issues as well.