ssawyer, Oct 13, 2012
Easy Fix for Intermittent Connections, Slowdowns, Timeouts - DNS related, SRX5308
I'm documenting this here, because I didn't see anything about it in my forum searches, and I believe that it's likely to be a common problem with an easy fix.
I had just installed a new Netgear SRX5308 VPN/Firewall in our network (5 VLANs, about 70 users and around 200 devices total). Everything seemed to be working fine, but — randomly and intermittently — new connections would be slow or time out. So users would experience web pages loading slowly, or failing to load at all, but then working again on a second try, etc.
Netgear support couldn't help much with it, so I did more of my own diagnosis, and eventually found that it was related to DNS lookups slowing down or failing intermittently when going through the firewall; if I was outside the firewall, everything was fine.
I then found the solution myself: to uncheck the "Block UDP flood" on the "Attack Checks" configuration of the firewall settings. Since I deactivated it, everything has been working fine.
I then went back and looked in Netgear's documentation — apparently, the "Block UDP flood" option, which is enabled by default, triggers when it has 20 or more simultaneous UDP connections from a single LAN-side client. And of course, DNS works over UDP port 53, so we were seeing intermittency whenever we got to >20 DNS requests at the same time from a client. (And, in fact, the current manual acknowledges this in a note on p. 136 — which is in the firewall rules section and unfortunately not referenced in the Attack Checks section).
The reason I think this is likely a common problem: 20 simultaneous connections is WAY TOO LOW for modern browsers and network usage; a single average webpage can load material from its own server, 2-4 social networks, various sources for Javascript libraries, fonts, CSS, etc., and CDN servers for images — all of which require DNS lookups. You could easily get to 20 on a single page, even without accounting for stuff the computer is doing in the background that might involve DNS lookups or other uses of UDP.
There are, I think, a few options for how Netgear should fix this:
(a) set a separate policy for dealing with a flood of DNS UDP traffic on port 53 with a better (or configurable!) connection limit
(b) make the number of simultaneous UDP connections configurable overall
(c) MINIMALLY, make sure that when "Block UDP flood" is triggered, there's a clear log message about it under default logging conditions — the place this got really painful was that I couldn't determine from the firewall's logs why the firewall had dropped my traffic; had I seen something about "Block UDP flood" in the logs, I would have been able to fix it myself without having to call.
But anyway: at least on the SRX5308, there's a simple setting, on by default, that causes DNS requests to be dropped under conditions that are fairly normal in modern networks. If you're having connection timeouts — especially if you can track them to failed or slow DNS lookups — try turning off "Block UDP flood" in the "Attack Checks" section of firewall policy.
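To make the mechanism concrete, here is an added model of the per-client UDP flood check as the post describes it (example code, not NETGEAR's firmware): a count of simultaneous UDP flows per LAN client, dropped at the quoted threshold of 20, run over a constructed 24-lookup page load. The 2-second idle timeout, the flow key and the separate port-53 limit standing in for option (a) are assumptions; the log line is what option (c) asks for.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example, not NETGEAR firmware code. Models the "Block UDP flood" check as the
# thread describes it: a per-LAN-client count of simultaneous UDP flows, dropped at 20.
# The 2-second idle timeout and the separate port-53 limit (option (a)) are assumptions.
@dataclass
class UdpFloodCheck:
    max_flows: int = 20                      # threshold quoted in the thread
    flow_timeout: float = 2.0                # assumed: idle seconds before a flow is forgotten
    dns_max_flows: Optional[int] = None      # option (a): separate limit for UDP/53
    flows: dict = field(default_factory=dict)   # (client, sport, dst, dport) -> last seen
    log: list = field(default_factory=list)

    def _active(self, client, now, want_dns):
        """Count the client's live flows: want_dns None = all, True = only /53, False = all but /53."""
        self.flows = {k: t for k, t in self.flows.items() if now - t < self.flow_timeout}
        return sum(1 for (c, _, _, p) in self.flows
                   if c == client and (want_dns is None or (p == 53) == want_dns))

    def packet(self, now, client, sport, dst, dport):
        """Return True if the datagram is forwarded, False if the flood check drops it."""
        key = (client, sport, dst, dport)
        if key in self.flows:                # existing flow: refresh and pass
            self.flows[key] = now
            return True
        if self.dns_max_flows is not None:   # option (a): DNS gets its own budget
            is_dns = dport == 53
            limit = self.dns_max_flows if is_dns else self.max_flows
            active = self._active(client, now, is_dns)
        else:
            limit, active = self.max_flows, self._active(client, now, None)
        if active >= limit:
            # option (c): a log line that names the check responsible for the drop
            self.log.append(f"{now:.3f} DROP udp {client}:{sport}->{dst}:{dport} "
                            f"reason=block_udp_flood active={active} limit={limit}")
            return False
        self.flows[key] = now
        return True

def page_load(check, lookups=24, client="10.0.1.42", resolver="10.0.1.1", start=0.0):
    """Constructed scenario: one page load firing `lookups` DNS queries to the LAN resolver
    within ~100 ms, each from a fresh ephemeral source port. Returns (forwarded, dropped)."""
    forwarded = dropped = 0
    for i in range(lookups):
        ok = check.packet(start + i * 0.004, client, 40000 + i, resolver, 53)
        forwarded += ok
        dropped += not ok
    return forwarded, dropped
```

With the default threshold the last four lookups of the page are dropped and logged; with a separate DNS limit all 24 pass, which is the difference between options (a)/(b) and the default behaviour.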
21 Replies
- NTGRCBU (Aspirant): Thanks for bringing up this issue. We have verified this issue internally and will address this in upcoming firmware. In the meantime I'm glad to see that there is a relatively simple workaround, but regardless this will be addressed.
- BeerDrinker (Aspirant): Excellent advice here, unchecking "Block UDP flood" on an FVS318N completely and totally cleared up numerous issues as described ... Intermittent Connections, Slowdowns, Timeouts.
  I did some testing to set a rule to allow all outbound "DNS:UDP" from all LAN users; that had no apparent effect with Block UDP flood enabled. That makes you wonder what UDP packets are triggering the flood detection threshold. Was seeing this with one VoIP ATA and one Win 7 client on the LAN.
- BeerDrinker (Aspirant): I see the new firmware has implemented a suggestion from the first post, (b) make the number of simultaneous UDP connections configurable overall. At least that's what I think the box next to the check box, with a default value of 25, seems to be.
- polecats (Aspirant): Hi,
  Have you tried the new 4.3.0-19 FW for SRX5308?
  http://kb.netgear.com/app/answers/detail/a_id/23142
  Results?
- SamirD (Prodigy): I'm really glad I saw this post. I was having very intermittent issues with the same thing, but also would have my fvs114 lock up completely every few days. After reviewing not only this setting, but my log settings in general, I think I'll have better luck now. :)
- SamirD (Prodigy): Well, so much for that--it locked up again today. :(
- bobbroder (Aspirant): Interestingly enough, I found this post AFTER I remedied the issue on my own - hours of work.
  Now that they've made the number configurable, would someone please post the number of requests that would be adequate on a modern network. The default - 25 - is not.
  A request to Netgear - your search engine did not turn up this post when I searched for slow performance, Internet issues etc. Perhaps you could fix this?
- longmang (Aspirant): The other thing that seemed to help me was setting the DNS servers to be the same across all of the WAN ports. I use the Google DNS servers 8.8.8.8 and 8.8.4.4, but others like the OpenDNS servers.
  This particularly helped me as I have a DNS server on the LAN side of the router using the DNS proxy facility of the SRX5308.
- jweber (Aspirant): Just fixed a brand new FVS336G-300NAS by unchecking the UDP flood test. Thank you! :D
- iToon (Novice): This solved our slow DNS performance on our FVS336G with Firmware 4.3.2.7, thanks for the information.