SecureXL drops DNS packets when "Drop Optimization" and "DNS fast expiry feature" are enabled

Support Center > Search Results > SecureKnowledge Details

Solution ID	sk105855
Product	SecureXL, Security Gateway, ClusterXL, Cluster - 3rd party, VSX
Version	R77, R77.10, R77.20, R77.30
OS	Gaia, SecurePlatform 2.6
Platform / Model	All
Date Created	26-Apr-2015
Last Modified	08-Feb-2017

Symptoms

SecureXL drops DNS packets in the following scenario:
1. Drop Optimization is enabled in Security Gateway / Cluster object (per sk90861)
2. DNS fast expiry feature is enabled (value of "delete_on_reply" attribute in the "domain-udp" service is set to "true")
SecureXL SIM debug ('sim dbg -m mgr + add' and 'sim dbg -m err + err') shows the following failures:
- ;[SIM-...]cphwd_api_add_connection: Adding partial conn over existing conn: not allowed [<Client_IP,Source_Port,DNS_Server_IP,53,17>];
- ;[SIM-...]cphwd_api_add_connection: Adding partial conn over existing conn: not allowed [<DNS_Server_IP,53,Client_IP,Dest_Port,17>];
- ;[SIM-...]cphwd_api_add_connection: Adding partial conn over existing conn: not allowed (during initialization);

Cause

Firewall fails to offload partial DNS connections to SecureXL (failure in DNS fast expiry feature for Medium Path DNS connections).
As a result, there is a conflict between the fast expiry functionality in the Firewall and the fast expiry functionality in SecureXL, which causes collisions upon offloading of the DNS connections for the DNS Reply packets.

Solution

Note: To view this solution you need to Sign In .