[j-nsp] SRX 3600 dropped packets - how to debug?

OBrien, Will ObrienH at missouri.edu
Tue May 28 09:51:51 EDT 2013


The primary use of the DNS ALG is to reduce session count. This is very apparent on NetScreens. I reduced 500k sessions down to 400k by turning it on. That said, you can achieve similar results by setting DNS-specific policies with short timeouts.

Will

On May 28, 2013, at 8:41 AM, "Julien Goodwin" <jgoodwin at studio442.com.au> wrote:

> On 28/05/13 19:40, ashish verma wrote:
>>> That said, I can't believe the firewall was *actually* dropping 1500pps of
>>> DNS traffic; we'd have widespread problems reported, surely. So, it seems
>>> that maybe ALG-processed traffic is being counted under "packets dropped"
>>> for "show security flow statistics"?
> 
> EDNS fallback perhaps?
> 
> I never understood the use of DNS ALGs; unless it's to perform a NAT
> translation on addresses (which is a really bad idea), they just seem
> like a waste of valuable resources. Far better to ACL down so that DNS
> queries can only go to trusted DNS servers which can run something that
> doesn't break on a malformed query.
> 
> 
> -- 
> Julien Goodwin
> Studio442
> "Blue Sky Solutioneering"
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
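Will's suggestion of a DNS-specific policy with a short timeout in place of relying on the DNS ALG, written out as an added Junos SRX configuration example that is not from the thread. The zone names, the application name dns-udp-short, the policy name dns-out, the address-book entry trusted-resolvers and the resolver address 192.0.2.53 are assumptions.

```junos
## Custom UDP/53 application with a short idle timeout (seconds), so
## DNS sessions are reaped quickly without the ALG inspecting them.
## Name "dns-udp-short" is assumed for this example.
set applications application dns-udp-short protocol udp
set applications application dns-udp-short destination-port 53
set applications application dns-udp-short inactivity-timeout 10

## Approved resolvers only (constructed address, RFC 5737 range),
## matching Julien's point about ACLing DNS down to trusted servers.
set security address-book global address trusted-resolvers 192.0.2.53/32

## Policy that matches only the short-timeout DNS application.
## Zone names trust/untrust and policy name dns-out are assumed.
set security policies from-zone trust to-zone untrust policy dns-out match source-address any
set security policies from-zone trust to-zone untrust policy dns-out match destination-address trusted-resolvers
set security policies from-zone trust to-zone untrust policy dns-out match application dns-udp-short
set security policies from-zone trust to-zone untrust policy dns-out then permit
set security policies from-zone trust to-zone untrust policy dns-out then log session-close

## Place it ahead of any broader permit so it is actually hit
## (name of the broader policy is assumed).
insert security policies from-zone trust to-zone untrust policy dns-out before policy default-permit

## Once the timeout approach is in place the DNS ALG can be taken
## out of the path, removing it as a candidate for the drop counter.
set security alg dns disable

## Operational checks after commit:
##   show security alg status
##   show security flow session protocol udp destination-port 53 summary
##   show security flow statistics
```

Compare the session count and the "packets dropped" counter from show security flow statistics before and after the change to confirm which of the two was contributing.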