Large delays for ICMP traffic when Reverse DNS is used with the DNS server listed as an IPS exclusion


Article ID: 156209


Products

Endpoint Protection

Issue/Introduction

With Symantec Endpoint Protection (SEP), large delays may be observed for ICMP traffic, or ping requests may appear to be blocked when the firewall rules should allow them. This occurs in a configuration that meets all of the following requirements:

  • The Reverse DNS option is enabled (under "Protection and Stealth" in the firewall policy).
  • One or more firewall rules are configured using a DNS name rather than an IP or MAC address as the host.
  • The address of the DNS server used on the network is listed as an Excluded Host in the Intrusion Prevention policy.

Ping requests may time out, or (if the -w 20000 parameter is used to increase the ping command timeout) succeed after roughly 13000 milliseconds.

 

Resolution

Removing the DNS server IP address from the IPS Exclusions resolves the problem.