topic Re: aged out vs unknown in General Topics

aged out vs unknown

simsim — Mon, 28 Aug 2017 18:31:36 GMT

HI,

From some pc session end reason for dns traffic shows 'aged out'
and for some shows 'unknown'
what could be the reason
internet traffic from the pc which shows aged out are really slow
any help

Thanks

Re: aged out vs unknown

TranceforLife — Mon, 28 Aug 2017 19:24:58 GMT

DNS uses UDP, so session end reason will be "aged-out", which is correct.

Do you have any other users, which are hitting the same policy and experiencing the same issue? 'unknown' in the application tab could be due to several reasons: not enough info for the app-id engine to identify the application (3-way handshake is not completed, routing issue etc).

Re: aged out vs unknown

simsim — Tue, 29 Aug 2017 01:45:56 GMT

Hi,

From other pc's dns traffic shows unknown.This is what I confused

Thanks

Re: aged out vs unknown

emr_1 — Tue, 29 Aug 2017 02:05:41 GMT

According to the admin guide:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/monitoring/syslog-field-descriptions

unknown—This value applies in the following situations:

-Session terminations that the preceding reasons do not cover (for example, a clear session allcommand).

-For logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), the value will be unknownafter an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall.

-In Panorama, logs received from firewalls for which the PAN-OS version does not support session end reasons will have a value of unknown .

Re: aged out vs unknown

simsim — Tue, 29 Aug 2017 02:12:40 GMT

Hi,

Thanks for the reply .

My concern is why for some dns traffic ,it is unknown ' and for some it is aged out

Thanks

Re: aged out vs unknown

KotreshaMC — Tue, 29 Aug 2017 07:44:54 GMT

Unknown-tcp means the firewall captured the three-way TCP handshake, but the application was not identified. This may be due to the use of a custom application for which the firewall does not have signatures.

Seesion end reason is (n/a or unknown): PAN-OS provides a session end reason field for traffic logs. This field only applies to logs of subtype end. For all other subtypes, the value is not applicable (N/A)(example: logs of subtype: start it will show n/a)

I guess you have enabled both Log at Session Start, Log at Session end on the associated security rule thats why it's showing both unknwon and and aged out on the session end reason, DNS uses UDP protocols so its obivisouly aged-out always.

i dont think this caused internt slowness on the PC.

Re: aged out vs unknown

TranceforLife — Tue, 29 Aug 2017 14:52:10 GMT

Can you please post DNS request traffic logs from the affected PC:

Make sure to select Bytes Sent/Received columns