Firewall Locks up during DNS service restart

[mcarey]

Every Sunday morning, we restart our DNS service. When this happens, our firewall locks up and stops passing traffic. We thought it was a capacity issue, so replaced our 350 with a 560, but it still occurs. We keep increasing the # of connections the firewall will allow, and have it up to 100,000, but still occurs. We get the SLINK TABLE FULL error when this occurs. Its definitely the DNS service because if the device is moved in front of the firewall, problem stops. Any ideas?

Package is R55p

[melipla]

Hi,

Looking over some of the SK's about SLINK and I see there's a difference between "connections" and "symobolic links" [aka SLINK] to connections, ripped from Solution ID: #skI4140:
--
The connections table in VPN-1/FireWall-1 NG includes two types of entries:

1. A real connection entry used to store connection related information.
2. Connection symbolic link used to point to a real entry.
The reason for having two types of connection table entries is to help the FireWall-1 kernel locate a specific entry in the table with a single lookup.
---

To see the number of slink connections you have (taken from #skI4134):
---
Symbolic links are not included (counted) as entries in the Connections table. A size limit of 25,000 for the Connections table means that the table can hold 25000 "real" connections, plus up to 8 symbolic links per connection.

To view the number of symbolic links entries run:
fw tab -s

The SLINK field contains the number of symbolic links for each table
---

Having said that there's some instructions for increasing that number in #skI3300, or there's another solution, #sk21384:
---
Error: "h_slink: table is full"
Solution ID: #sk21384

Product: VPN-1 Pro (VPN-1/FW-1)
Version: NG
Last Modified: 13-May-2005
Symptoms

* connections table SLINKS is at 200000
* FireWall starts dropping new connections
* UDP out of state messages

Cause
For each real connection table entry 8 symbolic links (SLINKS) will be added, the error message will appear when new entries are tried to be added but the SLINK entries for the table are full.
Solution
Procedure:

1. Check all UDP services to see if within the Advanced UDP Service Properties to see if "Accept replies from any port" is selected. The only UDP service by default that this option is selected for is tftp, deselect this option for all other UDP services.

2. From within Global Properties, Stateful Inspection, Stateful UDP section, deselect the option "Accept stateful UDP replies from any port for unknown servies" and reinstall the Security Policy.
Applies To:

* FP3
* OS messages file
* Majority of traffic is DNS
---

The only question I have is, you must be getting a lot of DNS requests. Maybe you should load balance a little bit?

[mcarey]

Thanks for the information. I wondering is their is an OID for this information in the fw tabs -s output:

HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158 25587 31530 335360


So if I have my connection limit set to 100,000, that means 800,000 SLINKS, so I must be going over that.

As far as the DNS - yes, it probably is over-taxed, but this only occurs on a DNS restart which prompts a zone reload from a root server. I can only guess that the zone reload is so massive that it locks up the box?


There are 2 UDP ports defined for ALLOW in all the rules in this firewall. the udp-dns was already set to NOT Accept replies from any port. But udp-ntp was set to Accept replies from any port and is the rule right before DNS. I made the changes they suggest and will try it tomorrow.

Thanks