06-14-2012 09:39 AM
Any news from JTAC?
Still attempting to proove there is a problem...
Do you use NSM to deploy policies? At least according to NSM, there are no policy differnces between the ScreenOS 5.4 and 6.3 devices.
06-15-2012 06:11 AM
I noticed that the DNS queries in your snoop are coming from the IPs 172.22.227.36 and .34, but they don't appear to come from the firewall itself (.31), so these packets may be coming from your LAN hosts.
What happens if you try to set the source interface in the DNS config to vlan1?
06-15-2012 09:36 AM
Changing the DNS src-interface to vlan1 doesn't help.
Actually, rebooting the firewall temporarily fixes the problem. A co-worker rebooted it almost 2 days ago and the problem vanished. No policy changes have been made. Now I wait again for the problem to surface...
06-17-2012 11:55 PM
I am facing a similiar isssue. From time to time no dns resolution is possible "Connection refused by the DNS server". But I f I change only one dns servers ip address (out of three) and apply the changes, it is working again.
I am running 6.3R10
08-15-2012 10:32 AM - edited 08-15-2012 10:33 AM
Finally, Juniper issued a patch (ssg5ssg22.214.171.124r11-cpb1.0) for this issue which I'm evaluating now. At this point looks like it can make it into 6.3.0r13.
Root Cause per TSE:
if arp task failed to update session outgoing interface when receive arp responce, box will keep dropping packets match this session. Solution: in this scenario, we need invalid this session and let create a new session again.
02-20-2013 09:24 AM
So did 6.3.0r13 solve the issue ?
Yes, it has.
I noticed the JunOS defect # wasnt listed in the r13 release notes. Called JTAC back and had them validate it truly was included, but missed the release notes.