multiple queries causing problems with PIX.

Joel jc517 at wmi.com
Fri Apr 23 19:24:48 UTC 2004


Bill Larson wrote:
> 
> Known problem with the PIX.  PIX drops all UDP datagrams that are
> greater than 512 bytes long.  This is an issue for some DNS query
> situations.
> 

This is a different problem. This is when two queries less than
512 bytes are asked for back to back. The second request goes out
before the first response comes back. What happens next is that
the first response comes back and the PIX closes the connection.
The second response is dropped on the floor. The syslog message
the PIX spits out is completely different in the two situations.

Cisco tech support says this is happening because the requests are
made using the same source port. DNS guard in the PIX, which you
cannot bypass, closes the connection as soon as a response is received.
This is what led to the idea of using a different port for the in-house
machines. Of course when I go to the root servers or my ISP I need to
use port 53.

 - Joel
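An added illustration of the behaviour described in this message (it is not code from the thread or from Cisco): a small model in which a DNS query opens a per-4-tuple flow entry and the first response closes it, so a second response on the same source port has nothing to match and is dropped. The flow-table model, the server address and the query names are constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Constructed model of the PIX "DNS guard" behaviour reported above (an
# assumption for illustration, not Cisco's implementation): an outbound UDP
# query opens a flow keyed by (source port, server), and the first matching
# response tears that flow down immediately. Any later response on the same
# key arrives with no state to match and is dropped.

SERVER = ("198.51.100.53", 53)   # constructed resolver address


@dataclass
class DnsGuardFirewall:
    open_flows: set = field(default_factory=set)
    delivered: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def outbound_query(self, src_port, qname, server=SERVER):
        # A query from the inside host opens (or reuses) the flow entry.
        self.open_flows.add((src_port, server))

    def inbound_response(self, src_port, qname, server=SERVER):
        key = (src_port, server)
        if key in self.open_flows:
            self.delivered.append(qname)
            self.open_flows.discard(key)   # DNS guard closes the flow here
        else:
            self.dropped.append(qname)     # no state left: response dropped


def run_back_to_back(ports):
    """Send two queries back to back, then receive both answers.

    Returns (delivered, dropped) query names. With the same source port for
    both queries the second answer is lost; with distinct ports both arrive.
    """
    fw = DnsGuardFirewall()
    names = ["www.example.com", "mail.example.com"]   # constructed
    for port, name in zip(ports, names):
        fw.outbound_query(port, name)
    for port, name in zip(ports, names):
        fw.inbound_response(port, name)
    return fw.delivered, fw.dropped
```

Running `run_back_to_back([53, 53])` reproduces the dropped second answer, while `run_back_to_back([53, 1053])` shows why giving each outstanding query its own source port avoids the problem.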

