[nsp] Pix 6.3(3) and UDP issues

Scott Morris swm at emanon.com
Thu Sep 25 08:41:54 EDT 2003


Yup, that's correct.  I saw it more with incoming connections than
outgoing, but I didn't really spend much time sifting through the
thousands and thousands of DNS connections still open LONG after they
should have been closed. :)

The problem seemed to be specific to DNS though.  I have plenty of other
UDP connections along the way, and they don't have lingering connection
problems.  And rather than changing OS versions, I just did the no fixup
to the dns protocol and that made the problem go away (along with
clearing xlate for my DNS servers to quickly clear connections there).  

So now I'm running along with about 30,000 fewer connections than
yesterday. :)

Scott
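
As an added example (not part of this thread, and not Cisco code), the
check a defender would want here is a quick way to see how much of the
PIX connection table is UDP/53 and which outside peers hold the most
entries, so the "30,000 lingering DNS connections" symptom shows up in a
summary rather than by eyeballing "show conn". The sample output below is
constructed, and the line layout the regex assumes
("UDP out ip:port in ip:port idle H:MM:SS ... flags ...") is an
approximation of the PIX 6.x format; check it against your own output.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of PIX 6.x "show conn" output (format is an assumption;
# adjust CONN_RE if your firewall prints these lines differently).
SAMPLE_SHOW_CONN = """\
UDP out 203.0.113.10:53 in 192.0.2.5:1034 idle 0:00:00 flags -
UDP out 203.0.113.10:53 in 192.0.2.5:1035 idle 0:00:00 flags -
UDP out 203.0.113.10:53 in 192.0.2.5:1036 idle 0:00:00 flags -
UDP out 203.0.113.10:123 in 192.0.2.5:1037 idle 0:00:41 flags -
TCP out 203.0.113.20:80 in 192.0.2.7:2210 idle 0:00:03 Bytes 8192 flags UIO
UDP out 198.51.100.9:53 in 192.0.2.5:1038 idle 0:00:00 flags -
UDP out 203.0.113.10:53 in 192.0.2.9:1201 idle 0:01:12 flags -
"""

# One "show conn" entry: proto, outside ip:port, inside ip:port, idle time.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)"
    r"\s+idle\s+(?P<idle>\d+:\d{2}:\d{2})"
)


@dataclass
class Conn:
    proto: str
    out_ip: str
    out_port: int
    in_ip: str
    in_port: int
    idle_seconds: int


def parse_idle(text):
    """Convert the H:MM:SS idle field to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_conn(text):
    """Parse pasted 'show conn' output; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, unknown layouts
        conns.append(Conn(m["proto"], m["out_ip"], int(m["out_port"]),
                          m["in_ip"], int(m["in_port"]), parse_idle(m["idle"])))
    return conns


def dns_conns(conns):
    """UDP entries with port 53 on either side."""
    return [c for c in conns if c.proto == "UDP" and 53 in (c.out_port, c.in_port)]


def stale_dns(conns, max_idle_seconds=30):
    """DNS is request/response, so a UDP/53 entry idle longer than a few
    seconds should already have been torn down by the firewall."""
    return [c for c in dns_conns(conns) if c.idle_seconds > max_idle_seconds]


def top_dns_peers(conns, n=5):
    """Outside addresses holding the most UDP/53 entries."""
    return Counter(c.out_ip for c in dns_conns(conns)).most_common(n)


def dns_share(conns):
    """Fraction of the whole table that is DNS; a sudden jump after an
    upgrade is the signal the thread describes."""
    return len(dns_conns(conns)) / len(conns) if conns else 0.0


if __name__ == "__main__":
    table = parse_show_conn(SAMPLE_SHOW_CONN)
    print(f"{len(table)} connections, {len(dns_conns(table))} UDP/53 "
          f"({dns_share(table):.0%})")
    for ip, count in top_dns_peers(table):
        print(f"  {ip}: {count} DNS entries")
    for c in stale_dns(table):
        print(f"  stale: {c.out_ip}:{c.out_port} <- {c.in_ip}:{c.in_port} "
              f"idle {c.idle_seconds}s")
```

Note that the lingering entries in this thread were reported with idle=0,
so the idle-based check alone will not catch them; the per-peer counts and
the DNS share of the table are what match the reported symptom, and a
baseline taken before an upgrade gives the number to compare against.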

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Olav Langeland
Sent: Thursday, September 25, 2003 8:17 AM
To: tgrace at tgrace.com; swm at emanon.com; cisco-nsp at puck.nether.net
Subject: RE: [nsp] Pix 6.3(3) and UDP issues


Hi,

could you explain more about what kind of problems you had, and how
disabling fixup dns helped? To me the issue seems to be timeout of UDP,
or lack of it. DNS traffic is thrown away immediately after the
request/answer is complete on 6.2(2) and 6.3(1), but with 6.3(3) the
connections seem to stay connected. We saw DNS requests (outgoing) that
had been finished minutes ago still listed as idle=0 on "show conn".
Disabling fixup dns solves this completely?

-olav

-----Original Message-----
From: Terry Grace [mailto:tgrace at tgrace.com]
Sent: 24. september 2003 22:10
To: swm at emanon.com; Olav Langeland; cisco-nsp at puck.nether.net
Subject: RE: [nsp] Pix 6.3(3) and UDP issues


Disabling dns fixup fixed it for us.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Morris
Sent: Wednesday, September 24, 2003 1:43 PM
To: 'Olav Langeland'; cisco-nsp at puck.nether.net
Subject: RE: [nsp] Pix 6.3(3) and UDP issues


Kinda cool actually, but I'm seeing the exact same thing.  Granted,
26,000 of the connections were to one particular host in Australia who
really doesn't have much business looking for my DNS anyway...  But not
killing the connections is still a bad thing.  :)

I had not noticed the problem previously with 6.3(1), so it may not need
to be a downgrade to 6.2, but I'll be testing that out!

Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
CISSP, JNCIS, et al.
IPExpert CCIE Program Manager / IPExpert Sr. Technical Instructor
swm at emanon.com / smorris at ipexpert.net
http://www.ipexpert.net


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Olav Langeland
Sent: Wednesday, September 24, 2003 12:36 PM
To: cisco-nsp at puck.nether.net
Subject: [nsp] Pix 6.3(3) and UDP issues


We upgraded to 6.3(3) on our Pixes last week, and immediately saw a huge
increase in reported connections. The problem seemed to be UDP port 53
(DNS) sessions that would not timeout. The connection count increased
slowly but steadily, and today the CPU went sky-high and we were forced
to downgrade to 6.2, which had proven to be stable. We checked around a
bit, and heard other stories that were more or less the same, with
users forced to downgrade. We are a hosting company with fairly large
scale DNS and shared Web so UDP traffic is high.

Has anyone had the same issues/problems? Pix 6.3(1) is most likely our
next step, until we get a confirmed new version or a workaround.

olav langeland - active isp - olav.langeland at no.spam.activeisp.com

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
