aged out vs unknown

L3 Networker

aged out vs unknown

Hi,

For some PCs, the session end reason for DNS traffic shows 'aged out',
and for some it shows 'unknown'.
What could be the reason?
Internet traffic from the PCs which show aged out is really slow.
Any help?

Thanks

L6 Presenter

Re: aged out vs unknown

DNS uses UDP, so session end reason will be "aged-out", which is correct.

Do you have any other users, which are hitting the same policy and experiencing the same issue? 'unknown' in the application tab could be due to several reasons: not enough info for the app-id engine to identify the application (3-way handshake is not completed, routing issue etc).

L3 Networker

Re: aged out vs unknown

Hi,

From other PCs, DNS traffic shows unknown. This is what confused me.

Thanks

L4 Transporter

Re: aged out vs unknown

According to the admin guide:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/monitoring/syslog-field-descriptions


unknown—This value applies in the following situations:

-Session terminations that the preceding reasons do not cover (for example, a clear session all command).

-For logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), the value will be unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall.

-In Panorama, logs received from firewalls for which the PAN-OS version does not support session end reasons will have a value of unknown.

L3 Networker

Re: aged out vs unknown

Hi,

Thanks for the reply.

My concern is why for some DNS traffic it is 'unknown' and for some it is 'aged out'.

Thanks

L3 Networker

Re: aged out vs unknown

Unknown-tcp means the firewall captured the three-way TCP handshake, but the application was not identified. This may be due to the use of a custom application for which the firewall does not have signatures.


Session end reason is (n/a or unknown): PAN-OS provides a session end reason field for traffic logs. This field only applies to logs of subtype end. For all other subtypes, the value is not applicable (N/A) (for example, logs of subtype start will show n/a).


I guess you have enabled both Log at Session Start and Log at Session End on the associated security rule; that's why it's showing both unknown and aged out in the session end reason. DNS uses the UDP protocol, so it's obviously aged-out always.

I don't think this caused internet slowness on the PC.

Kotresha
ACE
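To make the point above concrete, here is an added triage script (not code from the thread or from Palo Alto Networks) that reads constructed, simplified DNS traffic log records and separates the start entries, which carry no end reason, from the end entries, where UDP sessions normally end as aged-out; it also counts end records with zero bytes received, which is the more useful slowness signal than the end reason itself. The key=value line format and the field names are assumptions, not the real PAN-OS syslog layout.

```python
# Added triage helper: a rule that logs both session start and session end
# produces two Traffic log entries per DNS session, so the end reason column
# shows n/a (or unknown) for the start entry and aged-out for the UDP end entry.
# The records below are constructed samples in a simplified key=value form
# (assumption: NOT the real PAN-OS CSV syslog layout).
from collections import defaultdict

SAMPLE_LOGS = """\
subtype=start src=10.0.0.11 dst=8.8.8.8 proto=udp app=dns session_end_reason=n/a bytes_sent=62 bytes_received=0
subtype=end src=10.0.0.11 dst=8.8.8.8 proto=udp app=dns session_end_reason=aged-out bytes_sent=62 bytes_received=78
subtype=end src=10.0.0.12 dst=8.8.8.8 proto=udp app=dns session_end_reason=aged-out bytes_sent=64 bytes_received=0
subtype=end src=10.0.0.12 dst=8.8.8.8 proto=udp app=dns session_end_reason=aged-out bytes_sent=64 bytes_received=0
subtype=end src=10.0.0.13 dst=8.8.8.8 proto=udp app=dns session_end_reason=unknown bytes_sent=60 bytes_received=90
"""

def parse_line(line):
    """Turn one 'key=value key=value ...' line into a dict (constructed format)."""
    return dict(tok.split("=", 1) for tok in line.split())

def triage(text):
    """Group DNS records per source host.

    Returns {src: {"start": n, "end_reasons": {reason: n},
                   "unanswered": n, "bytes_received": total}}.
    'unanswered' counts end records where the client sent a query but got
    zero bytes back before the session aged out. For UDP the end reason is
    aged-out whether or not the resolver answered, so the byte counters,
    not the reason, are what to look at for a slow PC.
    """
    hosts = defaultdict(lambda: {"start": 0, "end_reasons": defaultdict(int),
                                 "unanswered": 0, "bytes_received": 0})
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec.get("app") != "dns":
            continue
        h = hosts[rec["src"]]
        if rec["subtype"] == "start":
            # Start entries have no end reason yet; the column reads n/a.
            h["start"] += 1
            continue
        received = int(rec["bytes_received"])
        h["end_reasons"][rec["session_end_reason"]] += 1
        h["bytes_received"] += received
        if received == 0:
            h["unanswered"] += 1
    return hosts

if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_LOGS).items()):
        print(src, dict(info["end_reasons"]), "unanswered:", info["unanswered"])
```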
L6 Presenter

Re: aged out vs unknown

Can you please post DNS request traffic logs from the affected PC:

[screenshot: aged-out.PNG]

Make sure to select the Bytes Sent/Received columns.
