https://live.paloaltonetworks.com/t5/general-topics/dhcp-discard-session/m-p/132427#M47074 <P>sounds like your session discard state is being refreshed (by receiving dhcp packets too frequently) causing the same session to remain in discard state</P> <P>&nbsp;</P> <P>you can change the discard state timeout:</P> <P>&nbsp;</P> <PRE>&gt; show session info ... -------------------------------------------------------------------------------- Session timeout TCP default timeout: 3600 secs TCP session timeout before SYN-ACK received: 5 secs TCP session timeout before 3-way handshaking: 10 secs TCP half-closed session timeout: 120 secs TCP session timeout in TIME_WAIT: 15 secs TCP session timeout for unverified RST: 30 secs UDP default timeout: 30 secs ICMP default timeout: 6 secs other IP default timeout: 30 secs Captive Portal session timeout: 30 secs <STRONG>Session timeout in discard state: TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs</STRONG></PRE> <P>you can use this operational command to change the timeout to figure out what is the ideal timeout</P> <PRE>admin@myNGFW&gt; set session timeout-discard-udp &lt;value&gt; &lt;1-15999999&gt; set timeout of udp session in discard state </PRE> <P>i would recommend gradually decreasing from the default 60 seconds and not immediately going to the 1 second minumum as there is a good reason the discard state is 60 seconds <span class="lia-unicode-emoji" title=":winking_face:">😉</span> )</P> <P>&nbsp;</P> <P>you can change this timer through configuration once you find the sweet spot</P> <PRE>admin@myNGFW&gt; configure Entering configuration mode [edit] admin@myNGFW# set deviceconfig setting session timeout-discard-udp &lt;value&gt; &lt;1-15999999&gt; set timeout of udp session in discard state </PRE> <P>&nbsp;</P> Mon, 12 Dec 2016 08:38:13 GMT reaper 2016-12-12T08:38:13Z https://live.paloaltonetworks.com/t5/general-topics/dhcp-discard-session/m-p/132226#M47037 <P>Scenario is we have ISP connected to Outside zone.</P><P>DHCP server on Inside Zone.</P><P>On Each satellite we have DHCP relay configured to readh DHCP server.</P><P>Whenever there is any issue with Power at location where interface connected to inside zone goes down.</P><P>Traffic gets routed to Outside zone and inturn gets discarded session as we dont have security policy to allow that traffic.</P><P>We have to manually clear that particular session for DHCP to work.</P><P>Any suggestions on this issue.</P><P>&nbsp;</P><P>Thanks In Advance.</P> Fri, 09 Dec 2016 10:03:32 GMT https://live.paloaltonetworks.com/t5/general-topics/dhcp-discard-session/m-p/132226#M47037 fatboy1607 2016-12-09T10:03:32Z https://live.paloaltonetworks.com/t5/general-topics/dhcp-discard-session/m-p/132427#M47074 <P>sounds like your session discard state is being refreshed (by receiving dhcp packets too frequently) causing the same session to remain in discard state</P> <P>&nbsp;</P> <P>you can change the discard state timeout:</P> <P>&nbsp;</P> <PRE>&gt; show session info ... -------------------------------------------------------------------------------- Session timeout TCP default timeout: 3600 secs TCP session timeout before SYN-ACK received: 5 secs TCP session timeout before 3-way handshaking: 10 secs TCP half-closed session timeout: 120 secs TCP session timeout in TIME_WAIT: 15 secs TCP session timeout for unverified RST: 30 secs UDP default timeout: 30 secs ICMP default timeout: 6 secs other IP default timeout: 30 secs Captive Portal session timeout: 30 secs <STRONG>Session timeout in discard state: TCP: 90 secs, UDP: 60 secs, other IP protocols: 60 secs</STRONG></PRE> <P>you can use this operational command to change the timeout to figure out what is the ideal timeout</P> <PRE>admin@myNGFW&gt; set session timeout-discard-udp &lt;value&gt; &lt;1-15999999&gt; set timeout of udp session in discard state </PRE> <P>i would recommend gradually decreasing from the default 60 seconds and not immediately going to the 1 second minumum as there is a good reason the discard state is 60 seconds <span class="lia-unicode-emoji" title=":winking_face:">😉</span> )</P> <P>&nbsp;</P> <P>you can change this timer through configuration once you find the sweet spot</P> <PRE>admin@myNGFW&gt; configure Entering configuration mode [edit] admin@myNGFW# set deviceconfig setting session timeout-discard-udp &lt;value&gt; &lt;1-15999999&gt; set timeout of udp session in discard state </PRE> <P>&nbsp;</P> Mon, 12 Dec 2016 08:38:13 GMT https://live.paloaltonetworks.com/t5/general-topics/dhcp-discard-session/m-p/132427#M47074 reaper 2016-12-12T08:38:13Z