Screen OS

  • 1.  DNS traffic through the SSG550

    Posted 07-09-2009 03:48

    I have an issue with DNS responses being dropped by the SSG.

    The issue is due to an external DNS server sending multiple requests into our Cisco GSS, the second coming directly after the first, and before the GSS can respond to the first.

    As the src/dst IPs and src/dst ports are identical for both requests, this is causing both requests to be tied to the same session, so when the GSS responds to the first request, the session is being closed, and the second response is denied.

    Am I correct in saying this is default behaviour for UDP state?

    Is there any way I can alter this behaviour, using deep packet inspection for example?

    Any ideas?

    Cheers

    Stu



  • 2.  RE: DNS traffic through the SSG550
    Best Answer

    Posted 07-09-2009 09:17

    Yes, that's actually because we have something called the DNS ALG enabled. With the ALG enabled, once the firewall sees the DNS response, the session will be aged out. If you disable the ALG, the session will behave like a normal UDP session, which gets aged out after 1 min or will still get refreshed if there is more traffic passing through the session.

    Note that the purpose of the ALG was to give speedier refresh times for DNS sessions, especially if you have a lot of DNS sessions.

    You can disable the ALG either:

    i) globally on the CLI:

        unset alg dns en

    ii) via the policy with something like this:

        set pol id 3 from trust to untrust any any DNS permit
        set pol id 3 application-ignore

    Message Edited by WL on 07-09-2009 09:18 AM
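To make the session-table behaviour described in the reply concrete, here is an added toy model (not Juniper code, and not from either poster) of a stateful firewall's UDP session table. It assumes a 60 s UDP age-out, direction-independent session keys, and constructed addresses; it replays the thread's scenario (two identical-tuple requests, then two responses) with the DNS ALG on and off.

```python
from dataclasses import dataclass

UDP_TIMEOUT = 60.0  # assumed: the ~1 min UDP age-out mentioned in the reply

@dataclass
class Session:
    last_seen: float
    closed: bool = False

class SessionTable:
    """Toy model of a stateful firewall's UDP session table (constructed)."""

    def __init__(self, dns_alg_enabled: bool):
        self.dns_alg = dns_alg_enabled
        self.sessions = {}

    @staticmethod
    def key(src, sport, dst, dport):
        # Direction-independent 5-tuple: a reply maps onto the request's entry,
        # so two requests with identical IPs/ports share one session.
        return (frozenset([(src, sport), (dst, dport)]), "udp")

    def packet(self, now, src, sport, dst, dport, is_response):
        k = self.key(src, sport, dst, dport)
        sess = self.sessions.get(k)
        alive = (sess is not None and not sess.closed
                 and now - sess.last_seen <= UDP_TIMEOUT)
        if not is_response:
            if alive:
                sess.last_seen = now             # more traffic refreshes the session
            else:
                self.sessions[k] = Session(now)  # policy permits: create session
            return "permit"
        if not alive:
            return "deny"                        # no session left to match the reply
        sess.last_seen = now
        if self.dns_alg:
            sess.closed = True                   # DNS ALG ages the session out on the first reply
        return "permit"

def run_scenario(dns_alg_enabled):
    fw = SessionTable(dns_alg_enabled)
    ext, gss = ("203.0.113.10", 53), ("192.0.2.20", 53)  # constructed addresses
    return [
        fw.packet(0.00, *ext, *gss, is_response=False),  # request 1
        fw.packet(0.01, *ext, *gss, is_response=False),  # request 2, same tuple
        fw.packet(0.05, *gss, *ext, is_response=True),   # GSS answers request 1
        fw.packet(0.10, *gss, *ext, is_response=True),   # GSS answers request 2
    ]

if __name__ == "__main__":
    print("ALG on: ", run_scenario(True))   # last response denied
    print("ALG off:", run_scenario(False))  # all four permitted
```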