ssanga
Staff
Article Id 349629
Description: This article describes a solution for the issue of the IPS Engine remaining in a D state during high DNS traffic loads on the firewall.
Scope: FortiGate v7.2.7, v7.0.15.
Solution

When a DNS filter profile is configured with an external-ip-blocklist and the firewall is under high DNS traffic load, the IPS Engine processes remain in the D (uninterruptible sleep) state and DNS resolution fails:

diagnose sys top 2 50
ipsengine 38256 D < 16.8 0.2 3
ipsengine 38265 D < 14.8 0.3 24
ipsengine 38267 D < 14.8 0.3 17
ipsengine 38282 D < 14.8 0.2 14
ipsengine 38272 R < 14.8 0.2 18
ipsengine 38256 D < 13.8 0.3 33
ipsengine 38274 D < 13.8 0.2 13
ipsengine 38275 D < 12.8 0.3 35
ipsengine 38279 D < 12.8 0.3 25
ipsengine 38271 D < 12.8 0.3 5
ipsengine 38252 D < 12.8 0.2 7
ipsengine 38263 D < 10.8 0.3 34

The line marked with arrows below (ip_ext_ioctl in the filter4 module) shows that the IPS Engine is querying FOS for the External IP Blocklist through an ioctl and is blocked there, which is what leaves it in the D state:

# fnsysctl cat /proc/38256/stack    <----- 38256 is the process ID of ipsengine from the above output.
[<ffffffffa00141ce>] ip_session_tree_walker+0x21e/0x6560 [filter4]
[<ffffffff804dcc61>] sock_def_readable+0x31/0x60
[<ffffffff8027f8ed>] down+0x3d/0x50
[<ffffffffa00a1be3>] ip_ext_ioctl+0x33/0x9a0 [filter4] >>>>>>>>>>>>>>>> IPS Engine
[<ffffffff802507d4>] __wake_up_common+0x54/0x90
[<ffffffff803116cb>] ep_poll_callback+0xcb/0x150
[<ffffffffa00754d5>] oal_ioctl+0x205/0x1020 [filter4]
[<ffffffff804d95c8>] sock_ioctl+0x88/0x1a0
[<ffffffff802e6c85>] do_vfs_ioctl+0x3b5/0x570
[<ffffffff804d7d4b>] sock_alloc_file+0xab/0x140
[<ffffffff802e6ec8>] sys_ioctl+0x88/0xb0
[<ffffffff804d99c0>] sys_socket+0x80/0xc0
[<ffffffff805e8b7b>] system_call_fastpath+0x16/0x1b
[<ffffffffffffffff>] 0xffffffffffffffff
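
The two checks above (find ipsengine workers in D state, then confirm the ip_ext_ioctl frame in their kernel stack) can be scripted so the triage is repeatable across a fleet. The following Python is an added example, not Fortinet code: it parses `diagnose sys top` and `/proc/<pid>/stack` text that you have already collected (how the text is pulled from the unit, for example over SSH, is assumed and not shown), and the sample inputs are constructed from the article's own output.

```python
import re
from collections import namedtuple

# Constructed sample input: a subset of the `diagnose sys top 2 50` lines
# from the article above, with distinct PIDs, embedded so this runs offline.
TOP_OUTPUT = """\
ipsengine 38256 D < 16.8 0.2 3
ipsengine 38265 D < 14.8 0.3 24
ipsengine 38272 R < 14.8 0.2 18
ipsengine 38263 D < 10.8 0.3 34
"""

# Constructed sample input: frames from the `fnsysctl cat /proc/<pid>/stack`
# output above; the ip_ext_ioctl frame in [filter4] is the one the article points at.
STACK_OUTPUT = """\
[<ffffffffa00141ce>] ip_session_tree_walker+0x21e/0x6560 [filter4]
[<ffffffff8027f8ed>] down+0x3d/0x50
[<ffffffffa00a1be3>] ip_ext_ioctl+0x33/0x9a0 [filter4]
[<ffffffffa00754d5>] oal_ioctl+0x205/0x1020 [filter4]
[<ffffffff802e6ec8>] sys_ioctl+0x88/0xb0
"""

# Process name, PID and single-letter scheduler state; the later columns
# (priority marker and usage figures) are not needed for this check.
TOP_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<state>[A-Z])\b")
# Kernel stack frame: "[<addr>] function+offset/size [module]" (module optional).
FRAME = re.compile(
    r"^\[<[0-9a-f]+>\]\s+(?P<func>[A-Za-z0-9_.]+)(?:\+\S+)?(?:\s+\[(?P<mod>[^\]]+)\])?"
)

Proc = namedtuple("Proc", "name pid state")


def parse_top(text):
    """Parse `diagnose sys top` lines into Proc tuples; non-matching lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = TOP_LINE.match(line.strip())
        if m:
            procs.append(Proc(m["name"], int(m["pid"]), m["state"]))
    return procs


def d_state_pids(text, name="ipsengine"):
    """PIDs of processes called `name` that are in D (uninterruptible sleep) state."""
    return [p.pid for p in parse_top(text) if p.name == name and p.state == "D"]


def stack_frames(text):
    """List of (function, module) pairs from a /proc/<pid>/stack dump, top frame first."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append((m["func"], m["mod"]))
    return frames


def matches_blocklist_signature(stack_text):
    """True when the stack shows the worker blocked in ip_ext_ioctl of the filter4
    module, the frame the article associates with the External IP Blocklist query."""
    return ("ip_ext_ioctl", "filter4") in stack_frames(stack_text)


def triage(top_text, stacks, name="ipsengine"):
    """Summarise one unit: how many `name` workers exist, which are in D state, and
    which of the collected stacks (dict pid -> stack text) show the signature."""
    procs = [p for p in parse_top(top_text) if p.name == name]
    stuck = [p.pid for p in procs if p.state == "D"]
    matching = sorted(
        pid for pid in stuck if pid in stacks and matches_blocklist_signature(stacks[pid])
    )
    return {
        "workers": len(procs),
        "d_state": stuck,
        "matching_pids": matching,
        "likely_blocklist_issue": bool(matching),
    }


if __name__ == "__main__":
    print(triage(TOP_OUTPUT, {38256: STACK_OUTPUT}))
```

A D-state worker by itself is not conclusive (any blocking kernel call shows the same letter), so the script only reports `likely_blocklist_issue` when a stack actually contains the ip_ext_ioctl frame; collect stacks for every D-state PID rather than just the first one, since a single transient frame can be a coincidence.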

This issue has been resolved in v7.0.16, v7.2.9, v7.4.4 and v7.6.0.

Workaround:

Remove the external-ip-blocklist from the DNS filter.
