[j-nsp] SRX 3600 dropped packets - how to debug?

Morgan McLean wrx230 at gmail.com
Wed May 29 16:41:18 EDT 2013


Ya, I'm not saying it's specific to RHEL 6, but we realized the proverbial
pain in the ass when we started doing some early testing with it.

Interestingly enough, we didn't hit the issue on our core firewall, it was
only when coming from the edge firewall. The edge is a 650 cluster running
10.4R3.4 and the core is a 3600 cluster running 10.4R7.5. Now, the zone it
was tested in at the core had an any/any policy to the zone where the DNS
servers are, but I doubt that has anything to do with this.

Very possible it's just old code, we are on pretty old revisions. Still need
to schedule the maintenance window :).

Morgan


On Wed, May 29, 2013 at 12:35 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 29/05/2013 20:24, Morgan McLean wrote:
>
>> Side note on the DNS ALG, RHEL 6 doesn't like the SRX DNS ALG. RHEL 6
>> makes both A and AAAA lookups for each name resolution in the same
>> connection, resulting in two requests being sent out, one response being
>> received and the session closing, cutting off the second response. This
>> causes a 5-10 second time out for every name resolution on the server.
>>
>
> That's not RHEL6-specific. glibc has done A/AAAA lookups like this for a
> while now, and I've had problems with other stateful devices (load
> balancers in front of DNS recursive servers) as a result.
>
> See also https://bugzilla.redhat.com/show_bug.cgi?id=505105
>
> In addition, my testing boxes *were* RHEL6 and the DNS alg seemed to be
> forwarding them fine - indeed, during my testing I saw other hosts sending
> tens of DNS requests down the same socket pair, and all were forwarded fine.
>
> Are you running an older JunOS - maybe they fixed it?
>
>
>
>> There is a flag you can set under the resolv.conf to require a new
>> socket per query, or you can turn off the DNS ALG. Could also custom
>> define a DNS service that times out in 10 seconds or something?
>>
>
> Even a 10 second timeout results in a significant rise in sessions - we
> tested exactly that.
>



-- 
Thanks,
Morgan
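The failure mode discussed in this thread (a stateful DNS ALG tearing down the UDP session after the first response, so the second of glibc's paired A/AAAA answers is dropped) can be reproduced as a small simulation. The following is an added example written for this page; it is not Junos, glibc or Juniper code, and the firewall model, addresses and packet layout are constructed. The three query patterns mirror glibc's default behaviour and its `single-request` and `single-request-reopen` resolv.conf options (option names taken from glibc's resolv.conf(5), not from the thread):

```python
"""Constructed model of a stateful firewall whose DNS ALG closes a UDP
session after the first response, run against glibc's query patterns.
Simulation only; not Junos or glibc code."""
from dataclasses import dataclass

CLIENT = "192.0.2.10"          # constructed client address
RESOLVER = ("192.0.2.53", 53)  # constructed DNS server address


@dataclass(frozen=True)
class Packet:
    src: tuple          # (ip, port)
    dst: tuple
    txid: int           # DNS transaction id
    qtype: str          # "A" or "AAAA"
    is_response: bool = False


@dataclass
class Session:
    key: tuple
    closed: bool = False


class StatefulFirewall:
    """Tracks UDP flows by a direction-independent 5-tuple. With dns_alg=True
    the flow is torn down as soon as one DNS response has been forwarded,
    which is the behaviour the thread describes for the SRX DNS ALG."""

    def __init__(self, dns_alg: bool):
        self.dns_alg = dns_alg
        self.sessions = {}
        self.forwarded = []
        self.dropped = []

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # Same key for query and reply so the reply matches the query's session.
        return tuple(sorted([pkt.src, pkt.dst]))

    def handle(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        key = self._key(pkt)
        sess = self.sessions.get(key)
        if not pkt.is_response:
            if sess is None or sess.closed:
                self.sessions[key] = Session(key)   # (re)open flow on outbound query
            self.forwarded.append(pkt)
            return True
        if sess is None or sess.closed:
            self.dropped.append(pkt)                 # no live session: reply is dropped
            return False
        self.forwarded.append(pkt)
        if self.dns_alg:
            sess.closed = True                       # ALG closes flow after first reply
        return True


def reply(q: Packet) -> Packet:
    """Build the server's answer to a query (same txid, reversed 5-tuple)."""
    return Packet(q.dst, q.src, q.txid, q.qtype, is_response=True)


def lookup(mode: str, dns_alg: bool) -> int:
    """Number of responses the client receives for one name lookup (A + AAAA).
    mode mirrors the glibc resolver options:
      "parallel"               default: both queries at once on one socket
      "single-request"         second query only after the first reply, same socket
      "single-request-reopen"  a new socket (source port) per query"""
    fw = StatefulFirewall(dns_alg)
    base_port = 40000
    queries = [(1, "A"), (2, "AAAA")]
    delivered = 0
    if mode == "parallel":
        pkts = [Packet((CLIENT, base_port), RESOLVER, txid, qt) for txid, qt in queries]
        for q in pkts:
            fw.handle(q)                             # both queries leave before any reply
        for q in pkts:
            delivered += int(fw.handle(reply(q)))
    elif mode in ("single-request", "single-request-reopen"):
        for txid, qt in queries:
            port = base_port if mode == "single-request" else base_port + txid
            q = Packet((CLIENT, port), RESOLVER, txid, qt)
            fw.handle(q)
            delivered += int(fw.handle(reply(q)))   # wait for each reply in turn
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return delivered


if __name__ == "__main__":
    for mode in ("parallel", "single-request", "single-request-reopen"):
        for alg in (True, False):
            print(f"{mode:24} dns_alg={alg!s:5} responses delivered: {lookup(mode, alg)}")
```

With the ALG enabled only the default parallel pattern loses a response (the client then sits in its resolver timeout before retrying, which is the 5-10 second stall reported above); either resolver option, or disabling the ALG, gets both answers through. Note that `single-request-reopen` does so by creating one session per query, which is the session-count trade-off Phil points out.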

