Intermittent connection loss when using Domain Objects

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk31757
Technical Level
Product	Quantum Security Gateways
Version	R76 (EOL), R77 (EOL), R77.10 (EOL), R77.20, R77.30 (EOL)
Platform / Model	All
Date Created	04-May-2006
Last Modified	21-Dec-2020

Symptoms

Intermittent loss of connections going through the Security Gateway when Domain objects are used.
FW Monitor capture on Security Gateway shows only the Pre-Inbound "i" phase - i.e., inbound interface does not process the connections (successful connections show all "iIoO" phases).
Kernel debug on Security Gateway ('fw ctl debug -m fw + drop') shows that DNS Queries sent to DNS Server are dropped:
fw_log_drop: Packet proto=17 GW_IP_Address:Port -> DNS_Server_Address:53 dropped by fw_runfilter Reason: F_INDOM
Intermittent traffic drops seen for all services with #fw ctl zdebug + drop as "dropped by fw_runfilter_ex Reason: F_INDOM" .

Cause

Domain objects are configured in SmartDashboard. When a Domain object appears in the security policy, the FireWall-1 Inspection Module must determine whether the packet's IP address belongs to the Domain by reverse resolving the IP address. The address resolution process conducted with a remote DNS server involves a time delay factor in receiving a response, and/or a failure factor in the attempt of address resolution. Both these factors may disrupt connectivity.

Solution

Note: To view this solution you need to Sign In .