[nsp] Pix 6.3(3) and UDP issues

tgrace tgrace at tgrace.com
Thu Sep 25 10:04:21 EDT 2003


Yes, same symptoms here. Not sure if the queries were answered or not as it
was one of those fix it and figure it out later situations. We initially
thought some type of dns DOS but the stale connections were from only two or
three external hosts. Our resolution was to disable dns fixup and clear the
xlate table.

We also experienced what appeared to be denials of packets from established
connections, mostly mail servers. Random drops of packets from a high port
on an external mail server to port 25 on a NAT'd mail server. Similar type
of thing with DNS queries from internal hosts (being PAT'd) to a dns server
in a dmz. The resolution to each of those was an explicit rule allowing the
return traffic.

We're in the process of opening a TAC case on it and will probably back rev
to 6.3(1) on the weekend.
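A small triage script for the symptom discussed in this thread, added here as an example and not written by any of the posters: it parses PIX 6.x style "show conn" lines (the line layout is assumed from the documented format, not taken from the thread) and counts UDP/53 entries per outside peer, so that a few hosts holding stale entries can be told apart from a broad DNS flood. The sample output is constructed.

```python
import re
from collections import Counter

# Assumed PIX 6.x "show conn" line layout (reconstructed from the documented
# format, not taken from the thread), e.g.:
#   UDP out 209.165.201.7:53 in 10.3.3.4:1402 idle 0:01:30
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)"
    r"\s+idle\s+(?P<h>\d+):(?P<m>\d+):(?P<s>\d+)"
)

def parse_conns(text):
    """Yield one dict per parseable connection line; other lines are skipped."""
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        yield {
            "proto": d["proto"],
            "out": (d["out_ip"], int(d["out_port"])),
            "in": (d["in_ip"], int(d["in_port"])),
            "idle": int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"]),
        }

def dns_conn_summary(text):
    """Count UDP/53 entries and group them by outside peer address.
    A couple of peers holding most entries matches the 'two or three hosts'
    pattern described in the thread, as opposed to a broad flood."""
    per_peer = Counter()
    total = 0
    for c in parse_conns(text):
        if c["proto"] != "UDP" or 53 not in (c["out"][1], c["in"][1]):
            continue
        total += 1
        per_peer[c["out"][0]] += 1
    return {"udp53_total": total, "peers": per_peer.most_common()}

# Constructed sample output for demonstration (not real show conn output).
SAMPLE = """\
8 in use, 8 most used
TCP out 209.165.201.1:80 in 10.3.3.4:1404 idle 0:00:00 Bytes 11391
UDP out 203.0.113.9:53 in 10.3.3.4:1402 idle 0:00:00
UDP out 203.0.113.9:53 in 10.3.3.4:1410 idle 0:00:00
UDP out 203.0.113.9:53 in 10.3.3.4:1418 idle 0:00:00
UDP out 198.51.100.7:1045 in 10.3.3.20:53 idle 0:00:00
UDP out 198.51.100.7:1061 in 10.3.3.20:53 idle 0:00:00
UDP out 209.165.201.7:24 in 10.3.3.4:1395 idle 0:01:30
"""

if __name__ == "__main__":
    s = dns_conn_summary(SAMPLE)
    print("UDP/53 entries:", s["udp53_total"])
    for ip, n in s["peers"]:
        print(f"{ip:>16}  {n}")
```

Feed it the saved output of "show conn" from a PIX instead of SAMPLE to see how concentrated the stale UDP/53 entries are before deciding on the fixup or xlate workaround.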

-----Original Message-----
From: Olav Langeland [mailto:Olav.Langeland at activeisp.com] 
Sent: Thursday, September 25, 2003 8:17 AM
To: tgrace at tgrace.com; swm at emanon.com; cisco-nsp at puck.nether.net
Subject: RE: [nsp] Pix 6.3(3) and UDP issues


Hi,

could you explain more about what kind of problems you had, and how
disabling fixup dns helped? To me the issue seems to be timeout of UDP, or
lack of it. DNS traffic is thrown away immediately after the request/answer
is complete on 6.2(2) and 6.3(1), but with 6.3(3) the connections seem to
stay connected. We saw DNS requests (outgoing) that had been finished
minutes ago still listed as idle=0 on "show conn". Disabling fixup dns
solves this completely?

-olav

-----Original Message-----
From: Terry Grace [mailto:tgrace at tgrace.com]
Sent: 24. september 2003 22:10
To: swm at emanon.com; Olav Langeland; cisco-nsp at puck.nether.net
Subject: RE: [nsp] Pix 6.3(3) and UDP issues


Disabling dns fixup fixed it for us.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Morris
Sent: Wednesday, September 24, 2003 1:43 PM
To: 'Olav Langeland'; cisco-nsp at puck.nether.net
Subject: RE: [nsp] Pix 6.3(3) and UDP issues


Kinda cool actually, but I'm seeing the exact same thing.  Granted, 26,000
of the connections were to one particular host in Australia who really
doesn't have much business looking for my DNS anyway...  But not killing the
connections is still a bad thing.  :)

I had not noticed the problem previously with 6.3(1), so it may not need to
be a downgrade to 6.2, but I'll be testing that out!

Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIS, et al. IPExpert CCIE Program Manager IPExpert Sr. Technical
Instructor swm at emanon.com/smorris at ipexpert.net
http://www.ipexpert.net


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Olav Langeland
Sent: Wednesday, September 24, 2003 12:36 PM
To: cisco-nsp at puck.nether.net
Subject: [nsp] Pix 6.3(3) and UDP issues


We upgraded to 6.3(3) on our Pixes last week, and immediately saw a huge
increase in reported connections. The problem seemed to be UDP port 53
(DNS) sessions that would not time out. The connection count increased slowly
but steadily, and today the CPU went sky-high and we were forced to downgrade
to 6.2 which had proven to be stable. We checked around a bit, and heard
other stories which were more or less the same, with users forced to
downgrade. We are a hosting company with fairly large scale DNS and shared
Web so UDP traffic is high.

Has anyone had the same issues/problems? Pix 6.3(1) is most likely our next
step, until we get a confirmed new version or a workaround.

olav langeland - active isp - olav.langeland at no.spam.activeisp.com

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
