topic UDP issues after network outage in General Topics

UDP issues after network outage

Trond.Olsen — Mon, 21 Oct 2019 11:17:32 GMT

We're experiencing multiple issues with udp-based applications after network outages. A common problem is that udp tracking sessions (I assume from ALG) in PA for DHCP create issues and clients are unable to attain IP-address. This error must be manually solved by clearing sessions. We've also seen this error for other udp applications.

Question is: Are the configuration steps we can take to alleviate our problems with udp tracking sessions getting invalid in PA?

Re: UDP issues after network outage

S.Cantwell — Wed, 30 Oct 2019 21:31:08 GMT

Hello there

I am not aware of an ALG for DHCP. UDP has a global time out of 30 secs, by default.

Here is a screen capture of what DHCP looks like on my FW.

Note the start time and receive time (receive time is when the log was received to the traffic log, which logs at session end)

Session ID

38741

Action

allow

Action Source

from-policy

Application

dhcp

Rule

Internal

Rule UUID

6270e459-1170-4495-a10d-2822cd36b2f5

Session End Reason

aged-out

Re: UDP issues after network outage

Trond.Olsen — Thu, 31 Oct 2019 09:16:46 GMT

In logs and sessions browser the dhcp sessions between ip gateways (remote locations) and dhcp servers are often long running, up to 1-2 weeks. So I'm pretty sure the dhcp application is dependent on more than the udp timeout. It seems unlikely that we should receive continuous dhcp relay traffic from the gateways.

Our config for dhcp application seems standard also:

Also checked ou firewall timeouts which seems to be default:

Session timeout TCP default timeout: 3600 secs TCP session timeout before SYN-ACK received: 5 secs TCP session timeout before 3-way handshaking: 10 secs TCP half-closed session timeout: 120 secs TCP session timeout in TIME_WAIT: 15 secs TCP session delayed ack timeout: 250 millisecs TCP session timeout for unverified RST: 30 secs UDP default timeout: 30 secs ICMP default timeout: 6 secs SCTP default timeout: 3600 secs SCTP timeout before INIT-ACK received: 5 secs SCTP timeout before COOKIE received: 60 secs SCTP timeout before SHUTDOWN received: 30 secs other IP default timeout: 30 secs Captive Portal session timeout: 30 secs Session timeout in discard state: TCP: 90 secs, UDP: 60 secs, SCTP: 60 secs, other IP protocols: 60 secs

Re: UDP issues after network outage

S.Cantwell — Thu, 31 Oct 2019 16:13:44 GMT

Trond,

Can you show a screen capture showing a DHCP session that has been in your Session Browser for more than 2 minutes?

You may need to do a "show session ID xxxxx" from the CLI

I am not able to confirm your issue. DHCP is just and only 4 UDP packet exchange.

When I go into my Session Browser and look for DHCP, I get none, meaning, I have zero sessions that are in the session table.

But even when I look at a UDP session (DNS in my example), this is what I see

start time : Thu Oct 31 12:10:36 2019
timeout : 30 sec

So we are missing some details... 😕

Please advise.

Re: UDP issues after network outage

Trond.Olsen — Fri, 01 Nov 2019 07:32:13 GMT

Here's an example of traffic currently in session today. These are all from gateways doing DHCP relay (IP information has been removed).