If the ProxySG is bypassing DNS traffic, and it receives a DNS inquiry from a client unexpectedly, ProxySG sends "ICMP destination (port) unreachable" back to the client, so as to provide better network performance.

On the other hand, if the ProxySG is acting as a DNS client to a DNS server and queries a DNS server for IP address resolution, and the server sends a response such as "server failure," 10 seconds or so after the client's request, the ProxySG would then respond with the "ICMP destination (port) unreachable" packet to the server because the indicated process port is no longer active and could not receive the packet.

Both of these cases occur frequently and are expected behavior on the ProxySG.