>where is your dns server located ?

the dns server is outside the network

>Is the firewall nating the server address ?

>You should either nat on the firewall the server addresses or nat on the CSS from server to vip.

the firewall is translating a public ip address to the vip address on the content switch and the services on the content switch are pointed to the same vip address.

Thanks for looking at this.

-T

so you have a group on the CSS to nat the service to a vip.

You should have command like

group

add service

..

active

if you do and the problem is still there is it possible for you to sniff the traffic between css and firewall to css if the css correctly nat the dns querry and if it gets a response.

I need to know which one is not forwarded correctly [query or response].

You can also try the command 'dnsflow disable' but I doubt it will work.

Another command to try is 'flow-state 53 udp flow-disable nat-enable' but it does exist in all versions.

Thanks,

Gilles.

we have the groups with the appropriate services that are active...

i think this is a name resolution issue, i take the dns off of the servers behind the CSS and they are able to run the route command like gangbusters, but if I add a public DNS server to the /etc/resolve.conf it stalls.

i am unable to ping www.yahoo.com from the servers while they are behind the CSS.

i see in the docs for rev 7.40 that there are a host of dns commands...

I have configured the primary and secondary DNS servers but everytime i try to add any of the other dns commands I get a license conflict error.

I think i would be able to resolve my DNS resolution issues if I could figure out a way to get the servers be able to do DNS resolution, or have the CSS act as a DNS forwarder.

how can I get there from here?

Thanks in advance,

Timur

also I have name resolution on the CSS, but not on the servers behind it.

What to try next?

-t