
Ironport WSA reached maximum failures querying DNS server

Spaniard141
Level 1

I have been seeing an increased number of critical alerts on my Ironport indicating that it has reached the maximum number of failures querying the DNS server. 

Has anyone seen these alerts before and/or know what causes them? I have not been able to find any information on the alert.


Thanks

4 Replies

Erik Ingeberg
Level 1

We are seeing this alert as well, but we haven't had any complaints from the users.

I had a TAC case in July this year due to "Application Fault Errors", and my TAC engineer told me I was experiencing bug CSCzv44813. The solution was to change to Google DNS and reboot the appliance.

Now we are getting the "Reached maximum failures querying DNS server" messages from time to time.

Are you also using Google DNS (8.8.8.8 and 8.8.4.4) by any chance?

Thanks for the reply Erik. No we don't use Google DNS on the Ironport, we use our internal DNS servers.

It happens randomly and I had seen the error a few times before but it just seemed as we were starting to see it more often. The TAC engineer I worked with did some testing from our appliance and found no issues querying our DNS servers during her testing. She cleared the cache on the appliance and we haven't seen the error since (11 days ago).

Hi!

Any news about this issue?

Regards.

Cleber

With regard to that DNS error: it is actually caused by a new DNS feature introduced in version 8.x, which implements one feature request:

"CSCzv40742: Feature Request: WSA should remember dead DNS servers". Prior to version 8.x, when an IronPort appliance is configured with two DNS servers, queries go to the primary DNS server first. If the query fails, for example because the primary DNS server is offline, the query goes to the secondary DNS server.

However, all subsequent queries follow the same order, the first DNS server and then the second one, even if the primary is offline. Intelligence is needed to ensure the query goes to the secondary DNS server immediately in such an event.

The proposed feature is to add such intelligence to the DNS querying mechanism. For example:

- allow the user to configure thresholds related to failure detection:

"Enter the number of failed attempts before considering a local DNS server offline." in the CLI.

- restore the original order when the offline server is back online:

"Enter the interval in seconds for polling an offline local DNS server." in the CLI.

Currently the additional configuration options related to failure thresholds are only provided via the CLI.

In summary, WSA will only query the DNS servers with secondary priority while it is failing with the primary DNS server, for example for non-existing domains. Therefore you will only receive such a notification for the DNS servers with secondary priority.

In order to confirm this, you could enable WSA proxy logs with the trace logging level from WSA GUI > System Administration > Log Subscriptions > proxy logs. As this logging level will generate quite a lot of information, please restore it back to the default "Information" level after you receive the first new email alert for that DNS issue.

Hope it helps.
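To make the failover behaviour described in the reply above concrete, here is a small model written for this page (it is illustrative example code, not the WSA's implementation, and the class names, parameter names, server addresses and the outage timeline are all constructed assumptions). It implements the two knobs the reply quotes: a consecutive-failure threshold after which a server is marked offline, and a poll interval that governs how often an offline server is retried, with the configured priority order restored as soon as the primary answers again.

```python
"""Model of the 'remember dead DNS servers' behaviour described in the thread.

Illustrative example for this page, not Cisco/WSA code. Names, parameters and
the simulated outage are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


class DnsQueryError(Exception):
    """Raised by a resolver callback when a server fails to answer (timeout, refused...)."""


@dataclass
class DnsServer:
    address: str
    failures: int = 0          # consecutive failed queries against this server
    offline: bool = False      # marked dead once failures reach the threshold
    next_poll: float = 0.0     # earliest time an offline server is retried


@dataclass
class DnsServerPool:
    servers: List[DnsServer]          # configured priority order, primary first
    failure_threshold: int = 3        # "failed attempts before considering a server offline"
    poll_interval: float = 60.0       # "interval in seconds for polling an offline server"
    alerts: List[str] = field(default_factory=list)

    def _candidates(self, now: float) -> List[DnsServer]:
        # Configured order is always preserved; offline servers are skipped until
        # their poll interval has elapsed, so a recovered primary is first again.
        return [s for s in self.servers if not s.offline or now >= s.next_poll]

    def resolve(self, name: str, resolve_fn: Callable[[str, str], str], now: float) -> Optional[str]:
        """Try servers in priority order; return the first answer or None if all fail."""
        for server in self._candidates(now):
            try:
                answer = resolve_fn(server.address, name)
            except DnsQueryError:
                self._record_failure(server, now)
                continue
            if server.offline:
                self.alerts.append(f"{server.address} back online")
            server.failures = 0
            server.offline = False
            return answer
        return None

    def _record_failure(self, server: DnsServer, now: float) -> None:
        server.failures += 1
        if server.failures >= self.failure_threshold:
            if not server.offline:  # alert once per outage, not on every poll
                self.alerts.append(f"Reached maximum failures querying DNS server {server.address}")
            server.offline = True
            server.next_poll = now + self.poll_interval


def simulate() -> dict:
    """Constructed scenario: the primary times out for the first 200 s, then recovers.

    Queries are issued every 10 s for 300 s. Without dead-server memory every
    query would hit the failing primary first; with it the primary is probed
    only once per poll interval while it is down.
    """
    pool = DnsServerPool(servers=[DnsServer("10.0.0.53"), DnsServer("10.0.0.54")],
                         failure_threshold=3, poll_interval=60.0)
    clock = {"now": 0.0}
    primary_down_until = 200.0
    stats = {"primary_attempts": 0}

    def fake_resolver(server: str, name: str) -> str:
        # Constructed stand-in for a real UDP/TCP query (no network access).
        if server == "10.0.0.53":
            stats["primary_attempts"] += 1
            if clock["now"] < primary_down_until:
                raise DnsQueryError(f"timeout from {server}")
        return f"{name} -> 198.51.100.10 (via {server})"

    servers_used = []
    for t in range(0, 300, 10):
        clock["now"] = float(t)
        answer = pool.resolve("example.com", fake_resolver, clock["now"])
        assert answer is not None, "secondary is always up in this scenario"
        servers_used.append(answer.split("via ")[1].rstrip(")"))
    return {"servers_used": servers_used, "alerts": list(pool.alerts),
            "primary_attempts": stats["primary_attempts"]}


if __name__ == "__main__":
    result = simulate()
    print("answered by secondary:", result["servers_used"].count("10.0.0.54"), "of 30 queries")
    print("primary attempts:", result["primary_attempts"], "(30 without dead-server memory)")
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

Note how the single "Reached maximum failures" alert is raised the moment the threshold is crossed and is not repeated on each poll, and that the primary is automatically used again at t=200 s without any reordering, because offline servers keep their configured position and are merely skipped.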