We are currently having an issue where UDP connections are not timing out, specifically around our DNS calls.
We have our connection limit set to 5000, and our internal DNS server continues to hit this on an almost hourly basis.
When I run a "sh conn count", I can see in excess of 5,000 UDP connections from the DNS Server to servers on the web.
The CONNS-POLICY looks as follows:
set connection per-client-max 5000 per-client-embryonic-max 2000
set connection timeout idle 2:00:00 dcd
Timeout information is as follows:
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
I am not sure how best to approach allowing the DNS traffic outbound, or how others have managed such an issue.
Your input would be appreciated.
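One way to keep the resolver's outbound DNS flows from inheriting the policy's two-hour idle timer, shown here as an added ASA configuration example and not as a fix from the original post. On the ASA, `set connection timeout idle` applies to every protocol matched by its class, UDP included, and takes precedence over the global `timeout udp 0:02:00` for that traffic, so DNS flows matched by CONNS-POLICY are held for 2:00:00 rather than two minutes. The ACL name DNS-OUTBOUND, the class-map name DNS-OUTBOUND-CLASS, the resolver address 192.0.2.53 and the existing class name EXISTING-CLASS are assumed placeholders.

```cisco
! Added example, not from the original post. Assumed placeholders: the ACL
! DNS-OUTBOUND, the class-map DNS-OUTBOUND-CLASS, the resolver 192.0.2.53
! and EXISTING-CLASS (whatever class CONNS-POLICY currently uses).
!
! Match only the resolver's outbound DNS queries (UDP and TCP fallback).
access-list DNS-OUTBOUND extended permit udp host 192.0.2.53 any eq domain
access-list DNS-OUTBOUND extended permit tcp host 192.0.2.53 any eq domain
!
class-map DNS-OUTBOUND-CLASS
 match access-list DNS-OUTBOUND
!
! For the connection-limit feature, a flow takes the settings of the first
! class it matches, so the DNS class must sit ahead of the broad class.
! New classes append to a policy-map: if EXISTING-CLASS is already present,
! remove it with "no class EXISTING-CLASS" and re-enter it after the DNS class.
policy-map CONNS-POLICY
 class DNS-OUTBOUND-CLASS
  ! Keep the per-client cap, but let idle DNS flows age out after 2 minutes,
  ! matching the global "timeout udp 0:02:00" instead of the 2-hour timer.
  set connection per-client-max 5000 per-client-embryonic-max 2000
  set connection timeout idle 0:02:00
 class EXISTING-CLASS
  set connection per-client-max 5000 per-client-embryonic-max 2000
  set connection timeout idle 2:00:00 dcd
!
! Verify: the DNS class should show hits, and UDP/53 entries should now
! carry idle times under 0:02:00 instead of accumulating toward 5000.
! show service-policy
! show conn protocol udp port 53
```

The `dcd` keyword on the existing class only affects TCP, so it does nothing for the UDP DNS flows either way.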