Question : PIX-525 high cpu uage and high DNS connection count

Hello Guys,

I administer a PIX-525 which protects the DMZ servers. One of the servers is a DNS server running BIND 8. During high traffic utilization time the CPU usage of the firewall climbs up to 80% and when I see the connection count, most are towards the DNS server. I googled on this issue and soe guys suggested that I issue the 'fixup protocol dns maximum-length 1024' command. And also I got a suggestion from some forum disbaling 'fixup protocol dns' will help.But I am not sure if that is a good idea. On the syslog there is nothing unusual log about DNS but if I remove the access-list for DNS access, the cpu usge drops down to 3-5%. What is causing the high cpu utilization when the DNS is up?

Answer : PIX-525 high cpu uage and high DNS connection count

Check routes to and from the DMZ
Try to be as specific as possible on your routes, try no to use default (0.0.0.0 0.0.0.0) routes
is ip cef enabled? This might be a worthwhile tweak.

Random Solutions

PCs on the LAN slow down intermittently

Linksys router resets every hour.....

Install LDAP openfire (UserNotFoundException)

HELP - Novell & .Net & MS SQL Server?

Unable to reach Tomcat management interface via browser

Deleted global address user still shows up in global address list

Disconnect connections from a particular IP

sysprep and Ghost

Changing Network IP Address Range & Enabling DHCP

Checkpoint compatible firewall appliance