Question Djerk: why are you running your firewalls in active/active? This is an unusual configuration that has many challenges, including the one you've just mentioned.

Regards

Robby


On 2025/05/12 15:04, Djerk Geurts via Pdns-users wrote:
An odd statement possibly, but I’m looking for a way to solve a problem (even if it’s a temporary solution).

The DC firewalls have changed and the recursors are located in a DMZ behind two HA firewalls in active/active mode. So far so good. The firewalls sync their state tables, so asymmetric return traffic works fine. Except when the recursor replies so quickly that the sync hasn’t updated the state table yet for the return packets. As a result we’re seeing a few drops among a lot of perfectly fine traffic.

I have a few things I can do:

1) Permit all outbound traffic with source udp/53 from the recursors. Not ideal, but low risk.
2) Raise a support ticket with the firewall vendor. Will do this, but not holding my breath for a solution (if any).
3) Delay DNS replies a millisecond or so. Not ideal as this introduces delay.

Thoughts?

--
Best regards,
*Djerk Geurts*
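The race Djerk describes (reply leaves the recursor through the second firewall before the first firewall's state entry has been synced to it) can be sized from a capture before choosing between options 1 and 3. The script below is an added example and is not from the thread or from PowerDNS; it assumes a state-sync latency of 2 ms and constructed exchange records tagged with the firewall the query entered through and the one the reply exits through, which in practice you would correlate from both firewalls' flow logs. It lists which replies would be dropped, computes the smallest added reply delay (option 3) that closes the window for the observed traffic, and shows option 1 as the comparison where return traffic is never state-checked.

```python
import csv
from dataclasses import dataclass
from io import StringIO

# Assumed state-sync latency between the two active/active firewalls.
SYNC_LATENCY_US = 2000

# Constructed sample: qid, query seen at ingress firewall (us),
# reply leaving the recursor (us), ingress firewall, egress firewall.
SAMPLE_LOG = """\
qid,t_query_us,t_reply_us,ingress,egress
1,0,400,fw-a,fw-b
2,10000,10300,fw-a,fw-a
3,20000,23500,fw-a,fw-b
4,30000,31200,fw-b,fw-a
5,40000,45000,fw-b,fw-a
6,50000,50100,fw-b,fw-b
"""


@dataclass(frozen=True)
class Exchange:
    qid: int
    t_query_us: int
    t_reply_us: int
    ingress: str
    egress: str

    @property
    def asymmetric(self) -> bool:
        # Only replies returning via the other firewall depend on state sync.
        return self.ingress != self.egress


def parse_log(text: str) -> list[Exchange]:
    rows = csv.DictReader(StringIO(text))
    return [
        Exchange(int(r["qid"]), int(r["t_query_us"]), int(r["t_reply_us"]),
                 r["ingress"], r["egress"])
        for r in rows
    ]


def reply_dropped(x: Exchange, sync_latency_us: int,
                  reply_delay_us: int = 0, permit_src53: bool = False) -> bool:
    """True if the egress firewall has no state entry when the reply arrives."""
    if permit_src53:
        # Option 1: outbound src udp/53 is allowed regardless of state.
        return False
    if not x.asymmetric:
        # Symmetric path: the firewall that built the state also sees the reply.
        return False
    state_ready_at = x.t_query_us + sync_latency_us
    return x.t_reply_us + reply_delay_us < state_ready_at


def dropped_ids(exchanges: list[Exchange], sync_latency_us: int,
                reply_delay_us: int = 0, permit_src53: bool = False) -> list[int]:
    return [x.qid for x in exchanges
            if reply_dropped(x, sync_latency_us, reply_delay_us, permit_src53)]


def min_reply_delay_us(exchanges: list[Exchange], sync_latency_us: int) -> int:
    """Smallest added delay (option 3) so no observed asymmetric reply beats the sync."""
    worst = 0
    for x in exchanges:
        if x.asymmetric:
            gap = (x.t_query_us + sync_latency_us) - x.t_reply_us
            worst = max(worst, gap)
    return worst


if __name__ == "__main__":
    exchanges = parse_log(SAMPLE_LOG)
    print("dropped with no mitigation:", dropped_ids(exchanges, SYNC_LATENCY_US))
    delay = min_reply_delay_us(exchanges, SYNC_LATENCY_US)
    print(f"option 3: delay replies by {delay} us ->",
          dropped_ids(exchanges, SYNC_LATENCY_US, reply_delay_us=delay))
    print("option 1: permit src udp/53 ->",
          dropped_ids(exchanges, SYNC_LATENCY_US, permit_src53=True))
```

The fast drops are the cache hits answered in well under the sync latency; cache misses that wait on upstream resolution sail through, which is why the failures look sporadic among otherwise healthy traffic. Measuring the real sync latency rather than assuming 2 ms is what makes the computed delay meaningful.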


_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users