SecureXL drops DNS packets when "Drop Optimization" and "DNS fast expiry feature" are enabled
Symptoms
  • SecureXL drops DNS packets in the following scenario:

    1. Drop Optimization is enabled in Security Gateway / Cluster object (per sk90861)

    2. DNS fast expiry feature is enabled (the "delete_on_reply" attribute of the "domain-udp" service is set to "true")
  • SecureXL SIM debug ('sim dbg -m mgr + add' and 'sim dbg -m err + err') shows the following failures:

    • ;[SIM-...]cphwd_api_add_connection: Adding partial conn over existing conn: not allowed [<Client_IP,Source_Port,DNS_Server_IP,53,17>];

    • ;[SIM-...]cphwd_api_add_connection: Adding partial conn over existing conn: not allowed [<DNS_Server_IP,53,Client_IP,Dest_Port,17>];

    • ;[SIM-...]cphwd_api_add_connection: Adding partial conn over existing conn: not allowed (during initialization);
Cause

Firewall fails to offload partial DNS connections to SecureXL (failure in the DNS fast expiry feature for Medium Path DNS connections).
As a result, the fast expiry logic in the Firewall and the fast expiry logic in SecureXL conflict: when the DNS Reply packet arrives, the Firewall attempts to offload a partial connection over an entry SecureXL already holds for that DNS connection. SecureXL rejects the offload (the "Adding partial conn over existing conn: not allowed" messages above), and the DNS packets are dropped.
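The failures above are easiest to confirm by pulling the 5-tuples out of the SIM debug output and checking that the rejected partial connections are UDP/53 and appear in both the query and the reply direction for the same client/server pair. The following parser is an added example written for this article; it is not a Check Point tool. The debug lines it runs on are constructed for illustration (the "[SIM-0]" / "[SIM-1]" prefix stands in for the "[SIM-...]" placeholder shown above, and all IP addresses and ports are made up).

```python
import re

# Constructed sample of SecureXL SIM debug output (as produced by
# 'sim dbg -m mgr + add' and 'sim dbg -m err + err'). The "[SIM-n]" prefix
# is an assumption standing in for the page's "[SIM-...]"; IPs/ports are made up.
SAMPLE_DEBUG = """\
;[SIM-0];cphwd_api_add_connection: Adding partial conn over existing conn: not allowed [<10.1.1.20,51234,10.2.2.53,53,17>];
;[SIM-0];cphwd_api_add_connection: Adding partial conn over existing conn: not allowed [<10.2.2.53,53,10.1.1.20,51234,17>];
;[SIM-1];cphwd_api_add_connection: Adding partial conn over existing conn: not allowed (during initialization);
;[SIM-1];cphwd_api_add_connection: Adding partial conn over existing conn: not allowed [<10.1.1.21,44000,10.2.2.53,53,17>];
;[SIM-0];cphwd_api_add_connection: Adding partial conn over existing conn: not allowed [<10.1.1.30,40000,10.3.3.3,443,6>];
;[SIM-0];some other debug line that is not a partial-conn failure;
"""

# Matches the failure text; the 5-tuple <src,sport,dst,dport,proto> is optional
# because the "(during initialization)" variant carries none.
PARTIAL_CONN_RE = re.compile(
    r"cphwd_api_add_connection: Adding partial conn over existing conn: not allowed"
    r"(?: \[<(?P<src>[\d.]+),(?P<sport>\d+),(?P<dst>[\d.]+),(?P<dport>\d+),(?P<proto>\d+)>\])?"
)

IPPROTO_UDP = 17
DNS_PORT = 53


def parse_partial_conn_failures(text):
    """Return one dict per 'partial conn over existing conn' failure.

    'tuple' is (src, sport, dst, dport, proto) or None when the line has no
    5-tuple (the 'during initialization' case)."""
    failures = []
    for line in text.splitlines():
        m = PARTIAL_CONN_RE.search(line)
        if not m:
            continue
        if m.group("src") is None:
            failures.append({"tuple": None, "raw": line})
            continue
        failures.append({
            "tuple": (m.group("src"), int(m.group("sport")),
                      m.group("dst"), int(m.group("dport")), int(m.group("proto"))),
            "raw": line,
        })
    return failures


def is_dns_udp(t):
    """True when the 5-tuple is UDP with port 53 on either side."""
    _, sport, _, dport, proto = t
    return proto == IPPROTO_UDP and (sport == DNS_PORT or dport == DNS_PORT)


def classify_dns_failures(failures):
    """Group DNS/UDP failures by (client, server) and record which directions
    were rejected: 'query' (client -> server:53) and/or 'reply' (server:53 -> client)."""
    pairs = {}
    for f in failures:
        t = f["tuple"]
        if t is None or not is_dns_udp(t):
            continue
        src, _, dst, dport, _ = t
        if dport == DNS_PORT:
            client, server, direction = src, dst, "query"
        else:
            client, server, direction = dst, src, "reply"
        pairs.setdefault((client, server), set()).add(direction)
    return pairs


def summarize(text):
    """Counts per failure class plus the per-pair DNS directions seen."""
    failures = parse_partial_conn_failures(text)
    with_tuple = [f["tuple"] for f in failures if f["tuple"] is not None]
    dns_pairs = classify_dns_failures(failures)
    return {
        "total_failures": len(failures),
        "init_failures": sum(1 for f in failures if f["tuple"] is None),
        "dns_failures": sum(1 for t in with_tuple if is_dns_udp(t)),
        "non_dns_failures": sum(1 for t in with_tuple if not is_dns_udp(t)),
        "dns_pairs": dns_pairs,
        # Both directions rejected for the same client/server pair is the
        # query-then-reply collision pattern this article describes.
        "reply_collisions": [p for p, d in dns_pairs.items() if d == {"query", "reply"}],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_DEBUG)
    print("partial-conn failures:", s["total_failures"],
          "(DNS/UDP:", s["dns_failures"], "init:", s["init_failures"],
          "other:", s["non_dns_failures"], ")")
    for (client, server), dirs in sorted(s["dns_pairs"].items()):
        print(f"  {client} <-> {server}:53  directions rejected: {sorted(dirs)}")
    print("pairs with query+reply collision:", s["reply_collisions"])
```

On a real gateway, feed it the saved debug file (e.g. `summarize(open("/var/log/sim_debug.txt").read())`, path assumed) rather than the embedded sample. Non-DNS 5-tuples and the "during initialization" variant are counted separately so that unrelated partial-connection rejections are not mistaken for this issue.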

