[nsp] Pix 6.3(3) and UDP issues

Olav Langeland Olav.Langeland at activeisp.com
Thu Sep 25 08:17:09 EDT 2003


Hi,

could you explain more about what kind of problems you had, and how
disabling fixup dns helped? To me the issue seems to be timeout of UDP,
or lack of it. DNS traffic is thrown away immediately after the
request/answer is complete on 6.2(2) and 6.3(1), but with 6.3(3) the
connections seem to stay connected. We saw DNS requests (outgoing) that
had finished minutes ago still listed as idle=0 on "show conn".
Does disabling fixup dns solve this completely?

-olav

-----Original Message-----
From: Terry Grace [mailto:tgrace at tgrace.com]
Sent: 24. september 2003 22:10
To: swm at emanon.com; Olav Langeland; cisco-nsp at puck.nether.net
Subject: RE: [nsp] Pix 6.3(3) and UDP issues


Disabling dns fixup fixed it for us.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Morris
Sent: Wednesday, September 24, 2003 1:43 PM
To: 'Olav Langeland'; cisco-nsp at puck.nether.net
Subject: RE: [nsp] Pix 6.3(3) and UDP issues


Kinda cool actually, but I'm seeing the exact same thing.  Granted, 26,000
of the connections were to one particular host in Australia who really
doesn't have much business looking for my DNS anyway...  But not killing the
connections is still a bad thing.  :)

I had not noticed the problem previously with 6.3(1), so it may not need to
be a downgrade to 6.2, but I'll be testing that out!

Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIS, et al. IPExpert CCIE Program Manager / IPExpert Sr. Technical Instructor
swm at emanon.com / smorris at ipexpert.net
http://www.ipexpert.net


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Olav Langeland
Sent: Wednesday, September 24, 2003 12:36 PM
To: cisco-nsp at puck.nether.net
Subject: [nsp] Pix 6.3(3) and UDP issues


We upgraded to 6.3(3) on our Pixes last week, and immediately saw a huge
increase in reported connections. The problem seemed to be UDP port 53
(DNS) sessions that would not time out. The connection count increased slowly
but steadily, and today the CPU went sky-high and we were forced to downgrade
to 6.2, which had proven to be stable. We checked around a bit, and heard
other stories which were more or less the same, with users forced to
downgrade. We are a hosting company with fairly large scale DNS and shared
Web, so UDP traffic is high.

Has anyone had the same issues/problems? Pix 6.3(1) is most likely our next
step, until we get a confirmed new version or a workaround.

olav langeland - active isp - olav.langeland at no.spam.activeisp.com
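An added monitoring check, not code from the thread or from Cisco: a small Python parser for PIX "show conn" output that lists UDP/53 sessions still idle well past the request/answer window and ranks the remote peers holding them, which is the symptom Olav and Scott describe. The "show conn" line layout, the idle threshold and every address in the sample are assumed or constructed.

```python
import re
from collections import Counter

# Assumed PIX 6.x "show conn" line layout (not captured from a real device):
#   UDP out <remote ip>:<port> in <inside ip>:<port> idle <h:mm:ss> flags -
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)"
    r"\s+idle\s+(?P<idle>\d+:\d{2}:\d{2})"
)

# Constructed sample output; addresses are documentation ranges (RFC 5737).
SAMPLE_SHOW_CONN = """\
8 in use, 26418 most used
TCP out 198.51.100.20:80 in 192.0.2.10:3321 idle 0:00:12 Bytes 4120 flags UIO
UDP out 203.0.113.10:53 in 192.0.2.5:1029 idle 0:00:00 flags -
UDP out 203.0.113.10:53 in 192.0.2.5:1030 idle 0:03:41 flags -
UDP out 203.0.113.10:53 in 192.0.2.5:1031 idle 0:07:15 flags -
UDP out 203.0.113.77:53 in 192.0.2.6:1100 idle 0:00:02 flags -
UDP out 203.0.113.88:53 in 192.0.2.7:1101 idle 0:12:58 flags -
UDP out 203.0.113.10:2054 in 192.0.2.53:53 idle 0:09:00 flags -
UDP out 203.0.113.10:123 in 192.0.2.8:123 idle 0:00:30 flags -
"""


def idle_seconds(text):
    """Convert the h:mm:ss idle column into seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_conn(output):
    """Return one dict per recognised connection line; other lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["out_port"], row["in_port"] = int(row["out_port"]), int(row["in_port"])
            row["idle"] = idle_seconds(row["idle"])
            rows.append(row)
    return rows


def stale_dns_sessions(output, max_idle=30):
    """UDP sessions with port 53 on either side that have been idle longer than
    max_idle seconds (assumed threshold): a reply normally tears them down at once."""
    return [c for c in parse_conn(output)
            if c["proto"] == "UDP" and 53 in (c["out_port"], c["in_port"])
            and c["idle"] > max_idle]


def peers_by_stale_count(output, max_idle=30):
    """Remote hosts ranked by how many stale DNS sessions they hold open."""
    return Counter(c["out_ip"] for c in stale_dns_sessions(output, max_idle))
```

Run against the output of "show conn" saved to a file; a peer with thousands of stale entries stands out immediately in the counter.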

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
