Troubleshooting DNS Name Resolution in Logical System Security Policies (Primary Administrators Only)


Problem

Description: The address of a hostname in an address book entry that is used in a security policy might fail to resolve correctly.

Cause

Normally, address book entries that contain dynamic hostnames refresh automatically on SRX Series devices. The TTL field of a DNS record indicates the time after which the entry should be refreshed in the policy cache. Once the TTL expires, the SRX Series device automatically re-resolves the DNS entry for the address book entry.

However, if the SRX Series device cannot obtain a response from the DNS server (for example, the DNS request or response packet is lost in the network, or the DNS server cannot send a response), the address of a hostname in an address book entry might fail to resolve correctly. Traffic to that hostname is then dropped, because no matching security policy or session is found.

Solution

The primary administrator can use the show security dns-cache command to display DNS cache information on the SRX Series device. If the DNS cache information needs to be refreshed, the primary administrator can use the clear security dns-cache command.
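To make the refresh sequence in the Cause section and the effect of clearing the cache concrete, here is an added Python model (not Juniper or SRX code) of a TTL-driven hostname cache used for policy matching; the class, its retry back-off after a failed refresh, and the sample hostname and address are assumptions of this model, and clear() plays the role of clear security dns-cache.

```python
from typing import Callable, Dict, List, Optional, Tuple

# A resolver returns (ip, ttl_seconds), or None when no DNS answer arrives
# (request or response lost in the network, or the server does not reply).
Resolver = Callable[[str], Optional[Tuple[str, int]]]


class DnsPolicyCache:
    def __init__(self, resolver: Resolver, clock: Callable[[], float], retry_after: float = 30.0):
        self._resolver, self._clock = resolver, clock
        self._retry_after = retry_after  # assumed back-off before a failed refresh is retried
        self._entries: Dict[str, Tuple[Optional[str], float]] = {}  # host -> (ip, expiry)

    def _refresh(self, host: str) -> Optional[str]:
        answer = self._resolver(host)
        if answer is None:
            # No response: the entry stays unresolved until the retry timer
            # expires or an administrator clears the cache.
            self._entries[host] = (None, self._clock() + self._retry_after)
            return None
        ip, ttl = answer
        self._entries[host] = (ip, self._clock() + ttl)  # refresh again when the TTL expires
        return ip

    def resolve(self, host: str) -> Optional[str]:
        entry = self._entries.get(host)
        if entry is None or self._clock() >= entry[1]:
            return self._refresh(host)
        return entry[0]

    def clear(self) -> None:
        """Drop all entries so the next lookup queries DNS again (the role of clear security dns-cache)."""
        self._entries.clear()

    def policy_matches(self, host: str, dst_ip: str) -> bool:
        # A session matches the policy only while the hostname resolves to dst_ip.
        return self.resolve(host) == dst_ip


def demo() -> List[bool]:
    """Walk through the failure mode with a fake clock and a resolver that goes silent."""
    now = [0.0]
    answers = {"app.example.com": ("192.0.2.10", 60)}  # constructed sample DNS record
    cache = DnsPolicyCache(lambda host: answers.get(host), clock=lambda: now[0])
    steps = [cache.policy_matches("app.example.com", "192.0.2.10")]  # True: fresh answer
    now[0] = 61.0; answers.clear()      # TTL expired, and DNS has stopped answering
    steps.append(cache.policy_matches("app.example.com", "192.0.2.10"))  # False: traffic drops
    answers["app.example.com"] = ("192.0.2.10", 60)  # DNS recovers, but...
    steps.append(cache.policy_matches("app.example.com", "192.0.2.10"))  # False: still in back-off
    cache.clear()                       # administrator forces a refresh
    steps.append(cache.policy_matches("app.example.com", "192.0.2.10"))  # True: resolved again
    return steps
```

demo() returns [True, False, False, True]: the drop persists after DNS recovers until the cache is cleared or the retry timer elapses, which is why checking and clearing the cache is the first step here.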

Note

These commands are available only to the primary administrator on devices that are configured for logical systems. They are not available in user logical systems or on devices that are not configured for logical systems.