Forum Discussion
Jessed12345
Dec 28, 2009 (Employee)
You may have already checked your timeouts, but if not you may want to consider the connection timeout in the profile assigned to that virtual. The default timeout for TCP is 300 seconds, for UDP it's 60 seconds, both of which are an eternity for DNS. In the past I've used timeouts of 5-10 seconds for DNS traffic.
You touched on switching the virtual to perfL4 rather than Standard. If you do not need the advanced functionality that a "Standard" virtual offers, I would definitely make the switch. Should you go this route keep in mind that the change to the timeout will need to be made in a new fastL4 profile rather than the TCP profile. (I recommend against changing the default profiles; creating a custom profile for every vip that needs some customization is the way to go.) Another benefit of using the fastL4 profile is the "Loose Initiation" option, which allows "new" connections to be created even if the received packet is not a SYN.
I cannot recall if the port exhaustion message would be explicit about whether the connections causing the exhaustion. Assuming it would, and that this traffic is using the ip forwarding virtual, I would check the timeouts in the profile being used by that virtual. (from your config snippet it looks like the default fastl4 profile.) By default the fastL4 profile uses a 300 second timeout, which I believe is applied to UDP and TCP.
--jesse
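The configuration jesse describes, written out as an added tmsh example (not part of the original post or an F5 reference configuration): a custom fastL4 profile with a short idle timeout and loose initiation, custom UDP/TCP profiles for a virtual that stays Standard, and the commands to attach and verify them. The profile names (dns_fastl4, dns_udp, dns_tcp), the virtual server name (vs_dns) and the server address 192.0.2.53 are assumed placeholders; the 10-second value is the upper end of the 5-10 second range the post mentions.

```tmsh
# --- Option 1: virtual switched to fastL4 (performance L4) ---
# Create a custom profile that inherits from the built-in fastL4 profile
# instead of editing the default. Names are assumed placeholders.
create ltm profile fastl4 dns_fastl4 defaults-from fastL4 idle-timeout 10 loose-initiation enabled

# Attach it to the DNS virtual, replacing the default fastL4 profile
modify ltm virtual vs_dns profiles replace-all-with { dns_fastl4 }

# --- Option 2: virtual stays Standard ---
# Short idle timeouts in custom UDP and TCP profiles (defaults: 60 s and 300 s)
create ltm profile udp dns_udp defaults-from udp idle-timeout 10
create ltm profile tcp dns_tcp defaults-from tcp idle-timeout 10
modify ltm virtual vs_dns profiles replace-all-with { dns_udp }

# --- Verification ---
# Confirm the idle timeout actually in effect on the profile and the virtual
list ltm profile fastl4 dns_fastl4 idle-timeout
list ltm virtual vs_dns profiles

# Watch the connection table for entries to the DNS server (constructed address)
# and confirm idle entries are reaped after ~10 s rather than 300 s
show sys connection cs-server-addr 192.0.2.53
```

The point of the short timeout from a capacity standpoint is that every idle entry still holds a source port on the SNAT or self IP; at 300 seconds a single resolver doing a few hundred queries per second pins tens of thousands of ports before the first one is released, which is exactly the port-exhaustion condition the thread is about. Apply the same idea to the forwarding virtual: give it its own fastL4 profile rather than leaving it on the default one, so the timeout can be tuned without touching other virtuals.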