[j-nsp] SRX 3600 dropped packets - how to debug?
Julien Goodwin
jgoodwin at studio442.com.au
Tue May 28 09:40:00 EDT 2013
On 28/05/13 19:40, ashish verma wrote:
>> That said, I can't believe the firewall was *actually* dropping 1500pps of
>> DNS traffic; we'd have widespread problems reported, surely. So, it seems
>> that maybe ALG-processed traffic is being counted under "packets dropped"
>> for "show security flow statistics"?
eDNS fallback perhaps?
I never understood the use of DNS ALGs; unless it's to perform a NAT
translation on addresses (which is a really bad idea), they just seem
like a waste of valuable resources. Far better to ACL down so that DNS
queries can only go to trusted DNS servers which can run something that
doesn't break on a malformed query.
--
Julien Goodwin
Studio442
"Blue Sky Solutioneering"