Intermittent connection loss when using Domain Objects
Symptoms
  • Intermittent loss of connections going through the Security Gateway when Domain objects are used.

  • FW Monitor capture on the Security Gateway shows only the Pre-Inbound "i" phase, i.e., the inbound interface does not process the connections (successful connections show all four "iIoO" phases).

  • Kernel debug on the Security Gateway ('fw ctl debug -m fw + drop') shows that DNS queries sent to the DNS server are dropped:

    fw_log_drop: Packet proto=17 GW_IP_Address:Port -> DNS_Server_Address:53 dropped by fw_runfilter Reason: F_INDOM

  • Intermittent traffic drops are seen for all services in the output of 'fw ctl zdebug + drop' as "dropped by fw_runfilter_ex Reason: F_INDOM".
Cause

Domain objects are configured in SmartDashboard. When a Domain object appears in the security policy, the FireWall-1 Inspection Module must determine whether the packet's IP address belongs to the Domain by reverse-resolving that IP address. Because this resolution is performed against a remote DNS server, the response may be delayed or the lookup may fail outright; either outcome can disrupt connectivity.
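The following is an added example, not part of the original article or of Check Point's tooling: it parses kernel debug drop lines in the format quoted above and separates F_INDOM drops on the gateway's own DNS queries (UDP/53) from F_INDOM drops on other traffic, which is the combination of symptoms the article describes. The sample lines, addresses and the `domain_object_issue_suspected` heuristic are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format the article quotes from
# 'fw ctl debug -m fw + drop' / 'fw ctl zdebug + drop'. Addresses are
# documentation ranges, not real hosts.
SAMPLE_DEBUG_OUTPUT = """\
fw_log_drop: Packet proto=17 192.0.2.1:41532 -> 198.51.100.53:53 dropped by fw_runfilter Reason: F_INDOM
fw_log_drop: Packet proto=6 192.0.2.10:51002 -> 203.0.113.5:443 dropped by fw_runfilter_ex Reason: F_INDOM
fw_log_drop: Packet proto=6 192.0.2.11:51003 -> 203.0.113.7:22 dropped by fw_runfilter_ex Reason: Rulebase drop
fw_log_drop: Packet proto=17 192.0.2.1:41533 -> 198.51.100.53:53 dropped by fw_runfilter Reason: F_INDOM
some unrelated debug line that the parser must ignore
"""

# The dropping function varies (fw_runfilter vs fw_runfilter_ex), so it is
# captured rather than hard-coded; a trailing ';' is tolerated.
DROP_RE = re.compile(
    r"fw_log_drop\w*: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\w+) Reason: (?P<reason>.+?)\s*;?\s*$"
)


def parse_drops(text):
    """Return one dict per recognised fw_log_drop line."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("proto", "sport", "dport"):
                d[k] = int(d[k])
            drops.append(d)
    return drops


def summarize_indom(drops):
    """Split F_INDOM drops into DNS-query drops (UDP/53) and other traffic."""
    indom = [d for d in drops if d["reason"] == "F_INDOM"]
    dns = [d for d in indom if d["proto"] == 17 and d["dport"] == 53]
    return {
        "total_drops": len(drops),
        "indom_drops": len(indom),
        "indom_dns_query_drops": len(dns),
        "dns_servers_affected": sorted({d["dst"] for d in dns}),
        "drop_reasons": Counter(d["reason"] for d in drops),
        # Heuristic (constructed): the gateway's own DNS queries are dropped
        # with F_INDOM AND other services are also dropped with F_INDOM.
        "domain_object_issue_suspected": bool(dns) and len(indom) > len(dns),
    }


if __name__ == "__main__":
    for key, value in summarize_indom(parse_drops(SAMPLE_DEBUG_OUTPUT)).items():
        print(f"{key}: {value}")
```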

