I had it set as:
policy-map global_policy
 class inspection_default
    inspect dns maximum-length 4096

Which is what Cisco recommends.  EDNS tests worked fine, but the BIND
servers would still get backed up.


On Wed, Mar 26, 2014 at 7:35 AM, Thom, Paul E <paul.t...@ssc-spc.gc.ca> wrote:

> Do you have the FWSM DNS inspection configured to support EDNS?  Not
> sure if I have seen ASA / PIX code causing that problem when EDNS support
> was not configured on the firewalls but it's something to look at.
>
> *From:* bind-users-bounces+paul.thom=dfo-mpo.gc...@lists.isc.org [mailto:
> bind-users-bounces+paul.thom=dfo-mpo.gc...@lists.isc.org] *On Behalf Of *Jason
> Brandt
> *Sent:* March-26-14 9:09 AM
> *To:* Sam Wilson
> *Cc:* comp-protocols-dns-b...@isc.org
> *Subject:* Re: High recursive client counts
>
>
>
> The code on our FWSMs isn't the latest release, so that could be part of
> the issue, but it's been about 16 hours now since I shut it off, and so far
> so good.  I would say though with the other load on our firewalls, it's
> highly possible that they were being overloaded.  Unfortunately our MRTG
> isn't set up to track firewall CPU, so I can't say for sure.
>
>
>
> Thanks,
>
> Jason
>
> --
>
>   Jason K. Brandt
>
> Systems Administrator
>
>
>



-- 
Jason K. Brandt
Systems Administrator
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
