Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] DNS query problem through firewall

To: "'CryptoTech'" <[email protected]>, "Kumar, Preet (Exchange)" <[email protected]>
Subject: RE: [FW1] DNS query problem through firewall
From: "Kumar, Preet (Exchange)" <[email protected]>
Date: Tue, 7 Nov 2000 07:34:53 -0500
Cc: "'[email protected]'" <[email protected]>
Sender: [email protected]


I had 40 as the default but when I did a snoop on the interface to find the
query
and reply time I saw that it was taking around 60-90 secs (they are fixing
the dns prob).

I have increased the allow udp replies  to 70 secs but do not want to
increse it much as 
this will effect the connections table limit. This seem to have given some
relief.

I had another problem after the increase. At around 10,000 connections in
the connections
table, almost all the return packets got dropped and all established
sessions through the
firewall got disconnected. I have around 75 rules which I am trying to bring
down.

Firewall kernal memory was increased to 8Mb.
Connections was increased to 50000
TCP timeout was increased to 18hrs phew (some weird app requires it).

Could these change in parameters be having adverse effect on the overall
performance 
of the firewall. Could this be the reason why the packets started getting
dropped at
around 10000 connections ?

Preet

-----Original Message-----
From: CryptoTech [mailto:[email protected]]
Sent: Monday, November 06, 2000 10:52 PM
To: Kumar, Preet (Exchange)
Cc: '[email protected]'
Subject: Re: [FW1] DNS query problem through firewall


Preet,
You do not need the DNS over TCP property.  Clients use the udp for lookups.
What
do you have on 'allow udp replies' and the udp reply timeout?

CryptoTech


***********************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, 
offer or agreement or any information about any transaction, customer 
account or account activity contained in this communication.
***********************************************************************



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: [FW1] FW-1 on Windows2000
Next by Date: RE: [FW1] Putkey woes
Previous by thread: Re: [FW1] DNS query problem through firewall
Next by thread: RE: [FW1] DNS query problem through firewall
Index(es):
- Date
- Thread