Side note on the DNS ALG: RHEL 6 doesn't like the SRX DNS ALG. RHEL 6 makes both A and AAAA lookups for each name resolution in the same connection, resulting in two requests being sent out, one response being received and the session closing, cutting off the second response. This causes a 5-10 second timeout for every name resolution on the server.

There is a flag you can set under the resolv.conf to require a new socket per query, or you can turn off the DNS ALG. Could also custom define a DNS service that times out in 10 seconds or something?

Morgan

On Wednesday, May 29, 2013, Phil Mayers wrote:

> On 28/05/13 14:57, Phil Mayers wrote:
>
>> I have my suspicions about what exactly the ALG is (mis)counting as a
>> drop, and will be trying to reproduce it on the bench now it's been
>> taken out of service.
>
> All,
>
> Just to confirm that, as tested on the bench on SRX 3600 and JunOS
> 12.1R6.5, *all* packets processed by the DNS ALG count as a "drop" in the
> output of "show security flow statistics", even though they're forwarded
> correctly.
>
> The SUNRPC ALG seems to do the same; presumably they all do.
>
> So, if you have any ALGs enabled, that counter is misleading, and if you
> don't, DNS packets will consume a lot of your sessions.
>
> This is a demo model so I can't open a support case, but when the real kit
> arrives, maybe I will...
>
> _______________________________________________
> juniper-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/juniper-nsp
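Added illustration, not part of the thread: a small Python toy that reproduces the failure Morgan describes with a stand-in resolver on loopback UDP that, like a session the ALG has already closed, lets only the first reply per client port through, and shows why a client that reopens its socket for the retry recovers, which is what glibc's "options single-request-reopen" in resolv.conf does. The resolver, the function names and the toy payloads are constructed for the demo; no real DNS wire format is involved.

```python
import socket, threading

def start_fake_alg_resolver():
    """Constructed stand-in for a resolver behind a DNS ALG that tears the
    session down after the first reply: it answers only the first datagram
    from each client port and drops the rest (toy payloads, not DNS format)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def serve():  # daemon thread: blocks on recvfrom and dies with the process
        seen = set()
        while True:
            data, addr = srv.recvfrom(512)
            if addr not in seen:  # first query from a port is answered (echoed);
                seen.add(addr)    # later ones find the session gone and are dropped
                srv.sendto(data, addr)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def resolve(server, queries, reopen, timeout=0.3):
    """Send A and AAAA in parallel on one UDP socket, as glibc does. With
    reopen=True a timeout closes the socket and resends the unanswered query
    from a fresh port ('options single-request-reopen'). Returns answered count."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    pending = set(queries)
    for q in pending:
        sock.sendto(q, server)
    while pending:
        try:
            pending.discard(sock.recvfrom(512)[0])  # toy server echoes the query
        except socket.timeout:
            if not reopen:
                break  # stock client: stalls for the full timeout, then gives up
            sock.close()
            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            sock.settimeout(timeout)
            for q in pending:
                sock.sendto(q, server)
    sock.close()
    return len(queries) - len(pending)

def demo():
    server = start_fake_alg_resolver()
    queries = [b"A host.example", b"AAAA host.example"]  # constructed lookups
    # stock client gets 1 of 2 replies; the reopening client recovers the second
    return resolve(server, queries, False), resolve(server, queries, True)

if __name__ == "__main__":
    print(demo())  # (1, 2)
```

The same glibc option can also be set per process with RES_OPTIONS=single-request-reopen in the environment, and "options single-request" (sequential lookups) avoids the problem too at the cost of a slower lookup. On the SRX side, the alternative Morgan mentions is disabling the ALG with "set security alg dns disable".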

