multiple queries causing problems with PIX.

Bill Larson blarson at aps.edu
Fri Apr 23 19:14:01 UTC 2004


Known problem with the PIX.  PIX drops all UDP datagrams that are 
greater than 512 bytes long.  This is an issue for some DNS query 
situations.

You are supposed to be able to contact Cisco and get an update which 
corrects this.

Bill Larson

On Apr 23, 2004, at 12:43 PM, Joel wrote:

> Hi,
>
> I'm having a problem with my PIX when bind makes multiple queries in
> quick succession. On the inside of the firewall we are running
> an old and dusty 8.4.4. If this forwards more than one request to
> the outside system then only the first response gets back in.
> The firewall blocks the rest. I have dns fixup turned off but
> you can't bypass DNS Guard. Has anyone else seen this problem?
> Is there a workaround I can use? I suppose I could, dare I
> say it, use a different port to side step part of the problem.
> It would still be an issue when I query a root server or my
> ISP.
>
> Should I just ignore this? It seems like things are working and
> when a response gets dropped bind picks a different server and
> tries again. It only seems to do this for some of the dropped
> responses. If it's safe to ignore it I'll try to configure the
> PIX not to log these warnings and just pretend it never happened.
>
> Thanks for any light you can shed on this.
>   - Joel
>
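The two failure modes in this thread (a UDP response larger than the firewall's 512-byte limit being dropped, and a truncated answer forcing a retry) can be checked from packet captures before touching the firewall. The following DNS wire-format helper is an added example, not code from either poster; it builds a query (optionally with an EDNS0 OPT record), parses the response header, and reports whether a response would exceed the 512-byte limit Bill mentions or carries the TC bit. The sample response is constructed in-line, and the assumption that the limit applies to the whole DNS payload is mine.

```python
import struct

# Byte limit quoted in the thread for UDP datagrams through the PIX.
# Assumption: the limit is measured on the DNS payload, not the IP frame.
PIX_UDP_LIMIT = 512


def encode_name(qname):
    """Encode a dotted name into DNS label wire format."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(qname, qtype=1, txid=0x1234, edns_udp_size=None):
    """Build a recursive DNS query. If edns_udp_size is given, append an
    EDNS0 OPT pseudo-record (type 41) advertising that UDP payload size."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)    # class IN
    msg = header + question
    if edns_udp_size:
        # OPT RR: root name, type 41, "class" = advertised size, TTL 0, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return msg


def parse_dns_header(msg):
    """Decode the 12-byte DNS header into a dict of the fields we care about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),   # truncation bit: resolver should retry over TCP
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_udp_response(msg, limit=PIX_UDP_LIMIT):
    """Report the size of a UDP response, whether it exceeds the firewall limit
    (and so would never reach the resolver), and whether TC is set."""
    hdr = parse_dns_header(msg)
    return {"size": len(msg), "over_limit": len(msg) > limit, "truncated": hdr["tc"]}


def build_sample_response(query, n_answers):
    """Constructed sample: answer the given query with n_answers A records
    (RFC 5737 addresses) using a name pointer to the question; 16 bytes each."""
    hdr = parse_dns_header(query)
    qname_len = query[12:].index(b"\x00") + 1
    question = query[12:12 + qname_len + 4]
    header = struct.pack("!HHHHHH", hdr["id"], 0x8180, 1, n_answers, 0, 0)  # QR, RD, RA
    rrs = b"".join(
        struct.pack("!HHHIH4B", 0xC00C, 1, 1, 300, 4, 192, 0, 2, i % 256)
        for i in range(n_answers)
    )
    return header + question + rrs


if __name__ == "__main__":
    q = build_dns_query("example.com.")
    for n in (30, 31):
        print(n, "answers:", classify_udp_response(build_sample_response(q, n)))
```

Run against real traffic, the same `classify_udp_response` call can be applied to the UDP payload of each captured response; any hit on `over_limit` explains a "first answer arrives, the rest vanish" symptom without guessing at the firewall's behaviour, and `truncated` shows which answers the resolver was expected to re-fetch over TCP.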
