[j-nsp] SRX 3600 dropped packets - how to debug?

Morgan McLean wrx230 at gmail.com
Wed May 29 15:24:16 EDT 2013


Side note on the DNS ALG, RHEL 6 doesn't like the SRX DNS ALG. RHEL 6 makes
both A and AAAA lookups for each name resolution in the same connection,
resulting in two requests being sent out, one response being received and
the session closing, cutting off the second response. This causes a 5-10
second time out for every name resolution on the server.

There is a flag you can set under the resolv.conf to require a new socket
per query, or you can turn off the DNS ALG. Could also custom define a DNS
service that times out in 10 seconds or something?

Morgan



On Wednesday, May 29, 2013, Phil Mayers wrote:

> On 28/05/13 14:57, Phil Mayers wrote:
>
>> I have my suspicions about what exactly the ALG is (mis)counting as a
>> drop, and will be trying to reproduce it on the bench now it's been
>> taken out of service.
>
> All,
>
> Just to confirm that, as tested on the bench on SRX 3600 and JunOS
> 12.1R6.5 *all* packets processed by the DNS alg count as a "drop" in the
> output of "show security flow statistics", even though they're forwarded
> correctly.
>
> The SUNRPC alg seems to do the same; presumably they all do.
>
> So, if you have any ALGs enabled, that counter is misleading, and if you
> don't, DNS packets will consume a lot of your sessions.
>
> This is demo model so I can't open a support case, but when the real kit
> arrives, maybe I will...
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
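The failure mode Morgan describes (A and AAAA sent from one socket, one reply through, session closed, second reply cut off) as an in-memory model, added here as an example; it is not part of the original thread and is neither Juniper's nor glibc's code. The ALG model is an assumption built from Morgan's description (a UDP DNS session keyed on the client source port, closed by the first reply, later packets on a closed session dropped), the records for `host.example` are constructed, and the "one socket per query" strategy it compares against stands for the glibc resolv.conf option Morgan mentions, `options single-request-reopen`.

```python
# Added example, not code from the original post: models the DNS ALG session
# behaviour Morgan describes and compares the two client-side strategies.
# The ALG model and the zone data below are constructed assumptions.
from dataclasses import dataclass, field

A, AAAA = "A", "AAAA"
RESOLVER_TIMEOUT_S = 5          # glibc default per-query timeout (options timeout:n)

# Constructed records for the upstream resolver to answer from.
RECORDS = {
    ("host.example", A): "192.0.2.10",
    ("host.example", AAAA): "2001:db8::10",
}


@dataclass
class Upstream:
    """The DNS server on the far side of the firewall: answers every query."""
    pending: list = field(default_factory=list)   # (src_port, (qtype, qname))

    def drain(self):
        replies = [(port, (qtype, qname, RECORDS.get((qname, qtype))))
                   for port, (qtype, qname) in self.pending]
        self.pending.clear()
        return replies


@dataclass
class DnsAlg:
    """Assumed ALG behaviour, per Morgan's description (not a statement of SRX
    internals): a session is keyed on the client source port, the first reply
    through a session closes it, and later packets on a closed session are dropped."""
    upstream: Upstream
    sessions: dict = field(default_factory=dict)   # src_port -> "open" | "closed"
    dropped: list = field(default_factory=list)    # what the ALG cut off

    def outbound(self, src_port, query):
        if self.sessions.get(src_port) == "closed":
            self.dropped.append(("query", src_port, query))
            return
        self.sessions[src_port] = "open"
        self.upstream.pending.append((src_port, query))

    def inbound(self):
        delivered = []
        for src_port, reply in self.upstream.drain():
            if self.sessions.get(src_port) != "open":
                self.dropped.append(("reply", src_port, reply))
                continue
            self.sessions[src_port] = "closed"   # first reply closes the session
            delivered.append((src_port, reply))
        return delivered


def _collect(alg, port):
    """Replies that reached the client socket bound to `port`, keyed by qtype."""
    return {qtype: rdata for p, (qtype, _qname, rdata) in alg.inbound() if p == port}


def resolve_default(alg, qname, port=40000):
    """RHEL 6 / glibc default: A and AAAA sent back to back from ONE socket.
    Returns (answers, seconds spent waiting in resolver timeouts)."""
    alg.outbound(port, (A, qname))
    alg.outbound(port, (AAAA, qname))
    answers = _collect(alg, port)
    missing = {A, AAAA} - set(answers)
    # Each reply that never arrives costs a full resolver timeout.
    return answers, RESOLVER_TIMEOUT_S * len(missing)


def resolve_one_socket_per_query(alg, qname, port=40000):
    """What `options single-request-reopen` buys you: each query from its own
    socket (own source port), so each ALG session carries exactly one reply."""
    answers = {}
    for qtype in (A, AAAA):
        alg.outbound(port, (qtype, qname))
        answers.update(_collect(alg, port))
        port += 1                                 # new socket, new session
    missing = {A, AAAA} - set(answers)
    return answers, RESOLVER_TIMEOUT_S * len(missing)


if __name__ == "__main__":
    for strategy in (resolve_default, resolve_one_socket_per_query):
        alg = DnsAlg(Upstream())
        answers, waited = strategy(alg, "host.example")
        print(f"{strategy.__name__}: answers={answers} waited={waited}s "
              f"alg_dropped={len(alg.dropped)}")
```

Run stand-alone, the default strategy comes back with the A record only, one reply dropped by the ALG, and a 5 s resolver timeout per lookup, which is the 5-10 s stall Morgan reports; one socket per query gets both answers with no wait. The other two fixes in Morgan's message are Junos configuration rather than client-side: `set security alg dns disable` turns the ALG off, and a custom application on UDP/53 (`set applications application <name> protocol udp destination-port 53 inactivity-timeout 10`) is the "custom define a DNS service" route, with `<name>` a placeholder.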

