Some Umbrella customers using Roaming Clients and/or Virtual Appliances have noticed issues with port exhaustion in firewalls that use Port Address Translation. This is most likely in environments that have a large number of Roaming Clients and/or a high volume of traffic running through the VAs. Symptoms can include DNS queries returning slowly or timing out.
Neither Roaming Clients nor Virtual Appliances will cache answers to DNS queries. Furthermore, Roaming Clients send frequent "probe" DNS requests to analyze the networking environment and as health checks.
- Ensure that your Internal Domains are properly configured. They should contain your Active Directory zone (and/or other internal zones) in order to reduce the volume of high frequency queries.
- Review some of the PAT settings on the firewall:
  - A long UDP session timeout can be an issue. We typically recommend UDP session timeouts of ~15 seconds. However, please note that if UDP is used heavily by other applications on your network, they may have longer timeouts which you should take into account.
  - Depending on your firewall, it may be possible to increase the size of its PAT pool in order to increase the number of simultaneous connections.
  - If you have IP addresses which you can dedicate to the VAs, use Direct NAT instead of PAT on the firewall.
If the above doesn't help, then a possible workaround would be as follows:
- Use the Umbrella dashboard --> Reporting --> Top Domains report to identify one or more domains that have a large number of requests within the last 24 hours.
- In the Umbrella dashboard --> Settings --> Internal Domains, add one or more of the high-volume domains to the list, setting "Applies to" to "All Appliances and Devices".
- After that, queries for those domains will be forwarded by the VAs to the local DNS. Ideally the local DNS should be configured to forward to the Umbrella DNS at 220.127.116.11/18.104.22.168, but they could be configured to forward to any external DNS.
- The local DNS will handle queries for any domains they are authoritative for.
- Presuming the local DNS does accept queries for non-local domains, queries for those other domains will be forwarded to the external DNS.
The point of the above is that the local DNS can cache DNS results, while the Roaming Clients and Virtual Appliances will never cache. Please note that using this workaround will result in more traffic to and a heavier load on the internal DNS, so monitor them carefully to ensure they are not overloaded.
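To make the effect of the UDP session timeout and of local caching concrete, here is an added example (not part of the Umbrella article or any Cisco tooling) that estimates the peak number of PAT entries a stream of DNS queries holds open. It assumes that every uncached UDP query consumes one PAT entry until the firewall's UDP idle timeout expires, and that a caching resolver answers repeat queries for a name from cache for a fixed TTL; the query stream is constructed sample data.

```python
"""Added example (not from the Umbrella article): estimate how many PAT
translations a stream of DNS queries holds open at once, with and without
a caching resolver in front of the firewall.

Assumptions (not stated on the page): each uncached UDP query occupies one
PAT entry for `udp_timeout` seconds, and a caching resolver serves repeat
queries for a name from cache for `cache_ttl` seconds after the first lookup.
"""


def upstream_queries(queries, cache_ttl=None):
    """Return the (timestamp, name) queries that actually leave the network.

    cache_ttl=None models a Roaming Client / VA, which never caches.
    With a TTL, only the first query per name within each TTL window
    goes upstream; the rest are answered by the local resolver's cache.
    """
    if cache_ttl is None:
        return list(queries)
    cached_until = {}
    out = []
    for ts, name in sorted(queries):
        if cached_until.get(name, -1.0) > ts:  # cached record still fresh
            continue
        cached_until[name] = ts + cache_ttl
        out.append((ts, name))
    return out


def peak_pat_entries(queries, udp_timeout, cache_ttl=None):
    """Peak number of simultaneously open PAT entries for the query stream."""
    events = []
    for ts, _ in upstream_queries(queries, cache_ttl):
        events.append((ts, 1))                 # PAT entry opened by the query
        events.append((ts + udp_timeout, -1))  # entry released after idle timeout
    # At equal timestamps process the release (-1) before the open (+1).
    events.sort(key=lambda e: (e[0], e[1]))
    open_now = peak = 0
    for _, delta in events:
        open_now += delta
        peak = max(peak, open_now)
    return peak


def constructed_query_stream(clients=200, probes_per_client=10, interval=1.0):
    """Constructed sample: each client probes two names every `interval` seconds."""
    names = ["probe.example.test", "corp.example.internal"]  # placeholder names
    return [(c * 0.01 + i * interval, names[(c + i) % len(names)])
            for c in range(clients) for i in range(probes_per_client)]
```

Comparing `peak_pat_entries(stream, 300)` with `peak_pat_entries(stream, 15)` shows the effect of the recommended shorter UDP timeout, and passing a `cache_ttl` shows how forwarding high-volume domains through a caching local DNS collapses repeated queries into one upstream session per name.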