[j-nsp] SRX 3600 dropped packets - how to debug?
Phil Mayers
p.mayers at imperial.ac.uk
Wed May 29 15:35:33 EDT 2013
On 29/05/2013 20:24, Morgan McLean wrote:
> Side note on the DNS ALG, RHEL 6 doesn't like the SRX DNS ALG. RHEL 6
> makes both A and AAAA lookups for each name resolution in the same
> connection, resulting in two requests being sent out, one response being
> received and the session closing, cutting off the second response. This
> causes a 5-10 second timeout for every name resolution on the server.
That's not RHEL6-specific. glibc has done A/AAAA lookups like this for a
while now, and I've had problems with other stateful devices (load
balancers in front of DNS recursive servers) as a result.
See also https://bugzilla.redhat.com/show_bug.cgi?id=505105
In addition, my testing boxes *were* RHEL6 and the DNS alg seemed to be
forwarding them fine - indeed, during my testing I saw other hosts
sending tens of DNS requests down the same socket pair, and all were
forwarded fine.
Are you running an older JunOS - maybe they fixed it?
>
> There is a flag you can set under the resolv.conf to require a new
> socket per query, or you can turn off the DNS ALG. Could also custom
> define a DNS service that times out in 10 seconds or something?
Even a 10 second timeout results in a significant rise in sessions - we
tested exactly that.
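Added example, not part of the thread or of any Juniper or glibc code: a small model of a stateful DNS session in front of a resolver, to make the failure mode discussed above concrete. glibc sends the A and AAAA queries for one lookup back to back from the same UDP socket; a device that tears the session down after the first reply discards the second one, and the resolver sits in its retry timeout. The model shows that, and both mitigations mentioned in the thread: a separate socket per query (what the resolv.conf `single-request` / `single-request-reopen` options approximate; the exact retry semantics of those options are simplified here) and a device that keeps the session until every outstanding query has been answered. Port numbers and transaction IDs are constructed sample values; `StatefulDnsAlg` and `resolve` are names chosen for this example.

```python
"""Toy model of a stateful DNS ALG handling glibc's parallel A/AAAA lookups."""
from dataclasses import dataclass, field


@dataclass
class Query:
    src_port: int   # client-side UDP port (the socket the resolver used)
    qid: int        # DNS transaction ID
    qtype: str      # "A" or "AAAA"


@dataclass
class Session:
    outstanding: set = field(default_factory=set)  # qids still awaiting a reply


class StatefulDnsAlg:
    """Session table keyed on the client port, as a UDP/53 firewall session would be."""

    def __init__(self, close_on_first_reply: bool):
        # True models the behaviour reported in the thread; False models an ALG
        # that waits until every query it saw has been answered.
        self.close_on_first_reply = close_on_first_reply
        self.sessions: dict[int, Session] = {}

    def outbound(self, q: Query) -> None:
        # A query opens (or reuses) the session for its source port.
        self.sessions.setdefault(q.src_port, Session()).outstanding.add(q.qid)

    def inbound(self, src_port: int, qid: int) -> bool:
        """Return True if the reply is forwarded to the client, False if dropped."""
        s = self.sessions.get(src_port)
        if s is None or qid not in s.outstanding:
            return False  # session already gone: the reply never reaches glibc
        s.outstanding.discard(qid)
        if self.close_on_first_reply or not s.outstanding:
            del self.sessions[src_port]
        return True


def resolve(alg: StatefulDnsAlg, per_query_socket: bool) -> dict[str, bool]:
    """Run one hostname lookup (A + AAAA) through the ALG.

    per_query_socket=False is glibc's default: both queries leave the same
    socket before either reply returns. True gives the AAAA query its own
    socket, as the resolv.conf single-request options arrange (simplified).
    """
    a = Query(src_port=40001, qid=0x1234, qtype="A")            # constructed values
    aaaa = Query(src_port=40002 if per_query_socket else 40001,
                 qid=0x1235, qtype="AAAA")
    # Both queries go out first; glibc does not wait for the A reply.
    alg.outbound(a)
    alg.outbound(aaaa)
    # Replies come back in order; the ALG decides what the client sees.
    return {
        a.qtype: alg.inbound(a.src_port, a.qid),
        aaaa.qtype: alg.inbound(aaaa.src_port, aaaa.qid),
    }


if __name__ == "__main__":
    print("close on first reply, shared socket:    ",
          resolve(StatefulDnsAlg(close_on_first_reply=True), per_query_socket=False))
    print("close on first reply, socket per query: ",
          resolve(StatefulDnsAlg(close_on_first_reply=True), per_query_socket=True))
    print("close when nothing outstanding, shared: ",
          resolve(StatefulDnsAlg(close_on_first_reply=False), per_query_socket=False))
```

The first case is the one Morgan describes (AAAA reply lost, client waits for its retry timer); the other two deliver both replies. On a real box the quickest check is a packet capture on the client side of the firewall: two queries leaving on one source port and only one reply coming back points at the middlebox rather than the DNS server.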