@Ahriakin wrote:
I think a key point that has been made already is you need to understand what the ALGs are actually doing per protocol/application before playing with them. For example, why would DNS inspection prevent a reverse lookup? It shouldn't at all, since essentially it's there for message-length checking/enforcement, DNS doctoring and only allowing the first DNS reply through. A reverse lookup is just a normal DNS request to the FW, so check the basics: are the packets allowed by policy? What do the logs tell you on the DNS server (are the requests even getting there)? Is there something different about how the OS on the SSH servers creates the DNS requests (size etc.)? Once you're 100% sure it's not something simpler, then try the message size adjustments already suggested, but again, before completely disabling a core ALG like this I would create a custom application set to ignore ALG and permit it for select problematic connections. That way you don't potentially break anything else while you test.
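As an added example (not part of either post, and not the thread author's configuration), this is how the two options Ahriakin describes look in Junos set-command form on an SRX: raising the DNS ALG's maximum message length, and a custom application with `application-protocol ignore` so the SRX skips the ALG only for the SSH servers' DNS traffic. Zone names, address-book entries (`ssh-servers`, `dns-servers`), the policy names and the addresses are assumed placeholders; the `maximum-message-length` knob and its 512-byte default are from memory of the Junos CLI, so check them against the documentation for your release.

```junos
# Option 1: keep the DNS ALG but allow larger DNS messages.
# Assumption: the ceiling defaults to 512 bytes; raising it only helps if the
# SSH servers' queries or replies are actually larger than that.
set security alg dns maximum-message-length 1024

# Option 2: a custom application that tells the SRX to run no ALG on this
# traffic (application-protocol ignore), used by a narrow policy that matches
# only the problematic SSH servers and sits above the general DNS policy.
set applications application dns-udp-no-alg protocol udp destination-port 53 application-protocol ignore
set applications application dns-tcp-no-alg protocol tcp destination-port 53 application-protocol ignore
set applications application-set dns-no-alg application dns-udp-no-alg
set applications application-set dns-no-alg application dns-tcp-no-alg

# Placeholder addresses; replace with the real SSH servers and DNS servers.
set security address-book global address ssh-servers 192.0.2.0/24
set security address-book global address dns-servers 198.51.100.53/32

set security policies from-zone trust to-zone untrust policy ssh-servers-dns-no-alg match source-address ssh-servers
set security policies from-zone trust to-zone untrust policy ssh-servers-dns-no-alg match destination-address dns-servers
set security policies from-zone trust to-zone untrust policy ssh-servers-dns-no-alg match application dns-no-alg
set security policies from-zone trust to-zone untrust policy ssh-servers-dns-no-alg then permit
# Log session setup so syslog shows whether the SSH servers' queries are
# actually hitting this policy rather than the general one.
set security policies from-zone trust to-zone untrust policy ssh-servers-dns-no-alg then log session-init
# Policies are evaluated top-down; move the bypass above the existing DNS
# policy (assumed name: permit-all-dns) or it will never be reached.
insert security policies from-zone trust to-zone untrust policy ssh-servers-dns-no-alg before policy permit-all-dns
```

The `#` lines are for the reader and should be stripped before pasting into configuration mode. Review with `show | compare` before `commit`, and confirm the bypass is being used with `show security policies hit-count` and the session-init syslog entries for the SSH servers' source addresses; the general policy should stop accumulating hits for that traffic. Apply only one of the two options at a time, otherwise you will not know which one fixed the reverse lookups.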
See, that's the thing. Of course we already checked all the basics like logs, tcpdump and whatnot, but we could not find anything.
The SSH servers are set up very strangely. They are Unix, and the people who set them up did not create a /etc/hosts file. The applications on the server constantly try to figure out their own hostname, so instead of having it resolved locally, they pump those requests out onto the net. And there are millions of them. No kidding. So the SRX gets bombarded with all these DNS requests. While it doesn't seem to care at all (it does not seem to have any impact on the machine's performance), we see those strange effects.
One could argue: Get your servers straight. And we tried. But they are the customer, they don't want to change the server, and they think that since we deployed a new firewall, it must be our problem.
Anyway, I will try the max message length setting (thanks), and if that doesn't help, I'll try to completely disable it.
One more question: if and when the ALG does something (like only letting the first DNS reply pass through), will we see anything about it in the logs? What should I look for?
Again thanks, and sorry for kind of hijacking the thread.