
Packet Drop Intermittently Due to Rapid DNS Refresh and Policy Re-Install

Article ID: KB14458 KB Last Updated: 15 Mar 2013Version: 3.0
Summary:

Packet Drop Intermittently Due to Rapid DNS Refresh and Policy Re-Install

Symptoms:

  • Pings through the device fail intermittently
  • Policy re-install in ScreenOS is occurring once every 10 seconds
  • DNS refresh is occurring once every 10 seconds
  • CPU spikes once every 10 seconds and the DNS task is being triggered
  • Debug flow basic shows packet passed matching a policy, but packet is dropped due to no matching policy, for the same source and destination IP pair
Solution:

This problem is caused by Address Book objects that are defined by FQDN (Fully Qualified Domain Name) rather than by IP address.  If a domain name has a very low TTL, the device is forced to refresh its DNS entry every time that TTL expires (every 10 seconds in the symptoms above).  Each DNS refresh can cause a CPU spike (the DNS task will appear high) and causes the entire policy list to be re-installed.  If a new session is attempted while the policy list is being re-installed, the policy lookup can fail and the packet is dropped, which is why debug flow basic shows some packets for the same source and destination IP pair matching a policy and others dropped for no matching policy.

If you run into this issue, remove the most recently added domain name address book object and replace it in the policy with the corresponding IP address.  Then check whether the CPU levels off and the packet drops stop.

It is recommended to qualify a domain name before using it in an address book object: perform a DNS lookup on the FQDN and check its TTL value before implementing it in the firewall.  On the firewall itself, the TTL values of resolved names can be viewed with the command get dns host cache.  Do not use DNS names with very small TTL values in the Address Book.
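The following script is an added example of the pre-qualification step described above; it is not part of this article and not a Juniper tool. It parses the answer section of a "dig +noall +answer" lookup, takes the smallest TTL in the answer (a CNAME chain is only as good as its shortest TTL), and flags any name whose TTL is below a threshold. The 300-second threshold and the sample lookup results are assumptions for illustration; the article gives no numeric cut-off, only "very small". The 10-second TTL in the sample is chosen to match the 10-second refresh seen in the symptoms.

```python
import re
import subprocess
import sys

# Assumed cut-off: the article only says "very small TTL" and gives no number.
LOW_TTL_SECONDS = 300

# One line of `dig +noall +answer` output: name  ttl  IN  type  data
DIG_ANSWER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>A|AAAA|CNAME)\s+(?P<data>\S+)$"
)


def parse_dig_answers(text):
    """Return a list of {name, ttl, type, data} dicts from dig answer lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # skip blanks and dig comments
            continue
        m = DIG_ANSWER_RE.match(line)
        if m:
            records.append({
                "name": m["name"].rstrip("."),
                "ttl": int(m["ttl"]),
                "type": m["type"],
                "data": m["data"],
            })
    return records


def qualify(fqdn, answer_text, threshold=LOW_TTL_SECONDS):
    """Decide whether an FQDN is safe to use in an address book object.

    The effective refresh interval is the smallest TTL in the answer: once any
    record in a CNAME chain expires the whole name must be re-resolved.
    """
    records = parse_dig_answers(answer_text)
    if not records:
        return {"fqdn": fqdn, "min_ttl": None, "ok": False,
                "reason": "no A/AAAA/CNAME answer"}
    min_ttl = min(r["ttl"] for r in records)
    ok = min_ttl >= threshold
    reason = "ok" if ok else "TTL %ds is below %ds; firewall will refresh DNS and re-install policies every %ds" % (min_ttl, threshold, min_ttl)
    return {"fqdn": fqdn, "min_ttl": min_ttl, "ok": ok, "reason": reason}


def resolve_with_dig(fqdn):
    """Run dig for a live check (needs network and the dig binary)."""
    try:
        out = subprocess.run(["dig", "+noall", "+answer", fqdn, "A"],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return out.stdout


# Constructed sample lookups (not real captures); one answer text per FQDN.
SAMPLES = {
    "updates.example.com": (
        "updates.example.com.    10    IN  A      192.0.2.10\n"
        "updates.example.com.    10    IN  A      192.0.2.11\n"
    ),
    "cdn.example.net": (
        "cdn.example.net.        3600  IN  CNAME  edge.example.net.\n"
        "edge.example.net.       20    IN  A      198.51.100.5\n"
    ),
    "partner.example.org": (
        "partner.example.org.    86400 IN  A      203.0.113.7\n"
    ),
}


if __name__ == "__main__":
    # With FQDNs on the command line, do live lookups; otherwise use the samples.
    if len(sys.argv) > 1:
        lookups = {name: resolve_with_dig(name) for name in sys.argv[1:]}
    else:
        lookups = SAMPLES
    for name, text in lookups.items():
        r = qualify(name, text)
        print("%-24s min TTL=%-6s %s  %s" % (
            r["fqdn"], r["min_ttl"], "PASS" if r["ok"] else "FAIL", r["reason"]))
```

In the sample run, updates.example.com (TTL 10) and cdn.example.net (chain bottoms out at TTL 20) fail and should be entered by IP address instead, while partner.example.org (TTL 86400) passes. Run the script with one or more FQDNs as arguments to check real names with dig.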
