Re: PIX 6.1 xlate issues

["kevin horvath" <kevin.horvath () gmail com>]

this sounds odd.  if it was an xlate issue with it getting overwhelmed
then not just the dns server but other devices would also have
connectivity issues.   You should increase you logging level to
informational and see what the logs say when you encounter this issue.
 I did have a similiar issue years ago (details are kind of hazy now)
but it involved the dns fixup.  Try increasing your fixup to something
like 1024 since there shouldnt be a reason for dns packet to get
larger then this (fixup protocol dns maximum-length 1024) or just
disable dns fixup altogther and see if that resolves your issue. This
was due to the connection table filling up due to exchange making
abnormally large dns queries.

Kevin

On Wed, Aug 20, 2008 at 2:02 AM, B Shivanthan <shivi () batelco com bh> wrote:
> Hello there,
> I am using a PIX 6.1 (I know its quite old and replacement procedures
> already in place) and facing problems with xlates getting
> overwhelmed. I have this firewall serving our corporate network, where I
> have a proxy server, SMTP server, DNS server and about 1500 users
> browsing the web through the proxy, along with other servers which I do
> static NAT on.
>
> Overtime, my SMTP server loses connectivity with the DNS server (residing
> outside the firewall) for name resolution and the only
> remedy to this is to clear the xlate. I've set the xlate timeout to as low
> as 30 mins, but the problem still persist.
>
> Does anyone know of any resolution to this problem ?
>
> Many thanks
>
> Regards
> Shiv
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards