I had it set as:

  policy-map global_policy
   class inspection_default
    inspect dns maximum-length 4096

Which is what Cisco recommends. EDNS tests worked fine, but the BIND servers would still get backed up.

On Wed, Mar 26, 2014 at 7:35 AM, Thom, Paul E <paul.t...@ssc-spc.gc.ca> wrote:

> Do you have the FWSM DNS inspection configured to support EDNS? Not
> sure if I have seen ASA / PIX code causing that problem when EDNS support
> was not configured on the firewalls but it's something to look at.
>
> *From:* bind-users-bounces+paul.thom=dfo-mpo.gc...@lists.isc.org [mailto:bind-users-bounces+paul.thom=dfo-mpo.gc...@lists.isc.org] *On Behalf Of* Jason Brandt
> *Sent:* March-26-14 9:09 AM
> *To:* Sam Wilson
> *Cc:* comp-protocols-dns-b...@isc.org
> *Subject:* Re: High recursive client counts
>
> The code on our FWSMs isn't the latest release, so that could be part of
> the issue, but it's been about 16 hours now since I shut it off, and so far
> so good. I would say though with the other load on our firewalls, it's
> highly possible that they were being overloaded. Unfortunately our MRTG
> isn't set up to track firewall CPU, so I can't say for sure.
>
> Thanks,
> Jason
>
> --
> Jason K. Brandt
> Systems Administrator

--
Jason K. Brandt
Systems Administrator