Windows 2003 SP1 DNS root queries through PIX 515E

rfranzke
Level 1

I have a PIX 515E with 6.3.4 code running on it. We are having intermittent problems with DNS resolution for external domains. I am trying to determine if this is related to a problem with the PIX or if it is simply buggy software on the DNS servers. We have dual DNS servers here running Windows 2003 Server SP1. It seems that at random times both DNS servers cannot run external queries to root servers for external domains. I would say it has to do with the MS DNS service if it weren't for both of them failing at the same time. I was wondering if anyone is having similar issues. My troubleshooting has been limited, as most times this occurs I have to get it fixed pretty quickly and do not have an opportunity to troubleshoot. The fix seems to be restarting the MS DNS service, which leads me back to the DNS service itself. Also, my PIX is using a 1024KB UDP DNS packet size and DNS fixup, so I don't think this is related to the known problem of DNS reply packets over 1024 KB getting dropped on the PIX. Anyone else having these types of issues? Thanks in advance, and sorry for the lack of information.

1 Reply

rfranzke
Level 1

OK, this happened again. I was able to determine that it is definitely the PIX causing the problem. I looked at the PIX logs and noticed XLATE messages like the following:

106011: Deny inbound (No xlate) udp src outside:x.x.x.x/64962 dst outside:x.x.x.x/53

The odd thing is that this happens at random times. Our internal DNS servers make requests to external DNS servers. The replies to those requests are getting dropped at the PIX, and the NO XLATE messages are getting logged. This time, to fix it, I cleared the XLATE table and DNS started working again. The no XLATE messages do not make sense to me, as they show src and dst as both being on the outside interface. This may be OK, as the replies are sourced on the outside as well as destined for the outside. But when the PIX gets the reply packet, it does not seem to have a translation in its table and drops it. I cannot see what would be causing this to happen. Anyone else with this same issue?
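An added example, not code from the poster: a small Python parser for the 106011 "No xlate" message format quoted above, run over constructed sample lines, so that DNS-related xlate drops can be counted and alerted on from the PIX syslog before resolution visibly stalls. The addresses, the extra 302015 line and the alert threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format of the PIX 6.3 message quoted
# in the post above. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
%PIX-3-106011: Deny inbound (No xlate) udp src outside:203.0.113.10/64962 dst outside:198.51.100.5/53
%PIX-3-106011: Deny inbound (No xlate) udp src outside:203.0.113.11/64970 dst outside:198.51.100.5/53
%PIX-6-302015: Built outbound UDP connection 1234 for outside:198.51.100.5/53 (198.51.100.5/53) to inside:10.0.0.5/64962 (203.0.113.10/64962)
%PIX-3-106011: Deny inbound (No xlate) udp src outside:203.0.113.10/65001 dst outside:198.51.100.6/53
%PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.40/50011 dst outside:198.51.100.5/443
"""

# Field layout of the 106011 message: protocol, then interface:ip/port for src and dst.
NO_XLATE = re.compile(
    r"106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_no_xlate(line):
    """Return the fields of a 106011 'No xlate' deny, or None for any other line."""
    m = NO_XLATE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def dns_no_xlate_drops(log_text):
    """Count UDP 'No xlate' drops involving port 53, keyed by destination address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_no_xlate(line)
        if rec and rec["proto"] == "udp" and 53 in (rec["src_port"], rec["dst_port"]):
            counts[rec["dst_ip"]] += 1
    return counts


def affected_addresses(log_text, threshold=2):
    """Addresses whose DNS drop count reaches the threshold; a non-empty list is the alert."""
    return sorted(ip for ip, n in dns_no_xlate_drops(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in dns_no_xlate_drops(SAMPLE_LOG).items():
        print(f"{ip}: {n} DNS packets dropped for lack of an xlate entry")
    print("alert on:", affected_addresses(SAMPLE_LOG))
```

Feeding the real syslog export into dns_no_xlate_drops gives a per-address count to compare against the time the DNS service stopped resolving, which separates a PIX translation-table problem from a DNS service fault.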
