Hi,
We have recently added an application which is doing many DNS requests.
So there are about 60,000 UDP DNS flows in our flow-table and we ran out of free ports on our group.
Our configuration:
We have several applications
(HTTP proxy, mail gateway, FTP server)
which want to communicate with the Internet.
We NAT those servers to one VIP via a source group. We cannot add more VIPs or separate those servers into a different group.
group nat-outgoing
vip address xxxx
add service http-1
add service http-2
add service http-3
add service notes-1
add service mail-1
add service mail-2
add service mail-3
flow-timeout-multiplier 19
active
We had to set the flow timeout higher for HTTP, SMTP and FTP connections.
The mail gateways do many DNS requests to check against spam. Each time a flow entry is created (max. 800/second).
I've looked into the command
flow-state 53 udp flow-disable nat-enable
which should disable creating flow entries for UDP port 53 (DNS).
But I am not sure if our source group will still work after I disable the flow-state. The docs are not clear on that point.
What do I have to watch out for if I disable the flow-state for UDP 53?
Sven
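The sizing problem in the post (about 800 DNS queries per second behind one source-NAT VIP filling the flow table with about 60,000 entries) can be reproduced with a small model. The following is an added example, not code from the original post or from the switch vendor; it assumes that every DNS query creates one NAT flow entry held for a fixed idle timeout, that all entries on one VIP share a single pool of ephemeral source ports (1024-65535), and it does not model the device's real `flow-timeout-multiplier` semantics. The query rate, duration and timeout values are constructed from the numbers in the post.

```python
"""Model of UDP DNS flow-table occupancy behind a single source-NAT VIP.

Added example, not code from the original post or from the switch vendor.
Assumptions: each DNS query creates one NAT flow entry that lives for a fixed
idle timeout, and all entries on one VIP draw from one pool of ephemeral
source ports (1024-65535). Input figures are constructed from the post.
"""
from collections import deque

PORT_POOL = 65535 - 1024 + 1   # 64512 usable source ports per VIP (assumption)
US_PER_S = 1_000_000           # timestamps are integer microseconds (exact arithmetic)


def steady_state_flows(rate_per_s: float, idle_timeout_s: float) -> float:
    """Little's law: concurrent entries = arrival rate * mean entry lifetime."""
    return rate_per_s * idle_timeout_s


def max_idle_timeout_s(rate_per_s: float, port_pool: int = PORT_POOL) -> float:
    """Longest idle timeout the port pool can sustain at a given query rate."""
    return port_pool / rate_per_s


def simulate_flow_table(arrival_times_us, idle_timeout_s: float):
    """Replay flow creations against a table with idle expiry.

    Each arrival (one DNS query with a fresh source port) creates an entry
    that expires idle_timeout_s later. Returns (peak_entries, final_entries).
    """
    timeout_us = int(idle_timeout_s * US_PER_S)
    table = deque()          # expiry times in arrival order, so the oldest is at the left
    peak = 0
    for now in arrival_times_us:
        while table and table[0] <= now:   # drop entries whose idle timer has run out
            table.popleft()
        table.append(now + timeout_us)
        peak = max(peak, len(table))
    return peak, len(table)


def dns_burst(rate_per_s: int, duration_s: int):
    """Constructed input: evenly spaced queries at rate_per_s for duration_s seconds."""
    spacing_us = US_PER_S // rate_per_s
    return [i * spacing_us for i in range(rate_per_s * duration_s)]


def ports_exhausted(peak_entries: int, port_pool: int = PORT_POOL) -> bool:
    """True when the peak number of entries cannot be backed by distinct source ports."""
    return peak_entries >= port_pool


if __name__ == "__main__":
    rate = 800                      # queries per second, from the post
    for timeout in (5, 75, 90):     # constructed idle timeouts in seconds
        peak, _ = simulate_flow_table(dns_burst(rate, 120), timeout)
        print(f"timeout {timeout:3d}s: peak entries {peak:6d}, "
              f"Little's law {steady_state_flows(rate, timeout):8.0f}, "
              f"ports exhausted: {ports_exhausted(peak)}")
    print(f"max sustainable idle timeout at {rate}/s: "
          f"{max_idle_timeout_s(rate):.1f}s")
```

The simulation and Little's law agree once the run is longer than the timeout: at 800 queries/s a 75-second entry lifetime holds about 60,000 entries, which is the figure in the post, and anything above roughly 80 seconds at that rate exhausts a 64,512-port pool. The useful defender's takeaway is that for short request/response protocols like DNS the per-VIP port pool is consumed by entry lifetime, not by throughput, so a long flow timeout chosen for HTTP, SMTP and FTP is what drives the UDP 53 exhaustion.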