I noticed that the DNS queries in your snoop are coming from the IPs 172.22.227.36 and .34, but they don't appear to come from the firewall itself (.31), so these packets may be coming from your LAN hosts.
What happens if you try to set the source interface in the DNS config to vlan1?
Changing the DNS src-interface to vlan1 doesn't help.
Actually, rebooting the firewall temporarily fixes the problem. A co-worker rebooted it almost 2 days ago and the problem vanished. No policy changes have been made. Now I wait again for the problem to surface...
I am facing a similiar isssue. From time to time no dns resolution is possible "Connection refused by the DNS server". But I f I change only one dns servers ip address (out of three) and apply the changes, it is working again.
Finally, Juniper issued a patch (ssg5ssg20.6.3.0r11-cpb1.0) for this issue which I'm evaluating now. At this point looks like it can make it into 6.3.0r13.
Root Cause per TSE:
if arp task failed to update session outgoing interface when receive arp responce, box will keep dropping packets match this session. Solution: in this scenario, we need invalid this session and let create a new session again.
I noticed the JunOS defect # wasnt listed in the r13 release notes. Called JTAC back and had them validate it truly was included, but missed the release notes.
Please evaluate this patch and let the Forum know how it worked.
