[c-nsp] ACE & load-balancing of DNS / ALG / inspection

Andrew Yourtchenko ayourtch at cisco.com
Wed Jun 24 15:33:13 EDT 2009


On Wed, 24 Jun 2009, Phil Mayers wrote:

>>  So, it seems to be some kind of analogous feature to TCP SYN protect or
>>  such like, to protect a client flooding a server.
>
> All,
>
> Cisco have identified this as a bug, fixed in 1.5 - CSCsw52831 / CSCsu42225 
> "udp packets are dropped by ace". It's a timing-related issue in session 
> setup.
>
> Many thanks to the guys at TAC, who were extremely quick and effective on 
> this, and thanks to all who gave suggestions on the list.

Kudos to Phil for excellent work together! It was a very good bug hunt. 
Luckily it was even already fixed, and was not something burnt in 
hardware.

As I've blatantly self-appointed myself to track the ipv6-related 
matters in TAC as much as I can, if anyone on the list has something on 
the topic, feel free to drop an email to me with the case#, I'll ensure I 
keep an eye on it. (disclaimer for the archives: this statement may no 
longer be applicable in 2020 :)

looking a bit further -  to all:

1) If the A/AAAA bang-bang lookup over a single 4-tuple is an issue for 
anyone with other our other devices, I'd like to know ASAP.

2) what if the endboxes were doing the A and AAAA from two separate ports 
? I see two clear disadvantages - doubling the state on the "dumber NAPT" 
boxes, and "more work for glibc folks" - assuming the biggest problem is 
the first, how big is it for real-life deployments ?

thanks,
andrew


More information about the cisco-nsp mailing list