08-28-2017 11:31 AM
Hi,
From some PCs, the session end reason for DNS traffic shows 'aged out',
and for some it shows 'unknown'.
What could be the reason?
Internet traffic from the PCs which show aged out is really slow.
Any help?
Thanks
08-28-2017 12:24 PM - edited 08-28-2017 12:24 PM
DNS uses UDP, so session end reason will be "aged-out", which is correct.
Do you have any other users who are hitting the same policy and experiencing the same issue? 'unknown' in the application tab could be due to several reasons: not enough info for the App-ID engine to identify the application (3-way handshake is not completed, routing issue, etc.).
08-28-2017 06:45 PM
Hi,
From other PCs, DNS traffic shows unknown. This is what I am confused about.
Thanks
08-28-2017 07:05 PM
According to the admin guide:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/monitoring/syslog-field-descriptions
unknown—This value applies in the following situations:
- Session terminations that the preceding reasons do not cover (for example, a clear session all command).
- For logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), the value will be unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall.
- In Panorama, logs received from firewalls for which the PAN-OS version does not support session end reasons will have a value of unknown.
08-28-2017 07:12 PM
Hi,
Thanks for the reply.
My concern is why, for some DNS traffic, it is 'unknown' and for some it is 'aged out'.
Thanks
08-29-2017 12:34 AM - edited 08-29-2017 12:44 AM
Unknown-tcp means the firewall captured the three-way TCP handshake, but the application was not identified. This may be due to the use of a custom application for which the firewall does not have signatures.
Session end reason is (n/a or unknown): PAN-OS provides a session end reason field for traffic logs. This field only applies to logs of subtype end. For all other subtypes, the value is not applicable (N/A) (example: logs of subtype start will show n/a).
I guess you have enabled both Log at Session Start and Log at Session End on the associated security rule; that's why it's showing both unknown and aged out in the session end reason. DNS uses the UDP protocol, so it's obviously always aged-out.
I don't think this caused Internet slowness on the PC.
08-29-2017 07:42 AM - edited 08-29-2017 07:52 AM
Can you please post DNS request traffic logs from the affected PC:
Make sure to select Bytes Sent/Received columns
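
One way to check the points raised in this thread against an exported traffic log, as an added example that is not part of any poster's reply or of PAN-OS itself: it tallies session end reasons only on `end`-subtype DNS rows and counts DNS sessions that received zero bytes. The CSV column names, the function name and the sample rows are constructed assumptions, not the firewall's real export headers.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. Column names are assumptions for this example,
# not the exact headers of a PAN-OS traffic log export.
SAMPLE = """\
src,subtype,app,proto,dport,bytes_sent,bytes_received,session_end_reason
10.0.0.11,start,dns,udp,53,74,0,n/a
10.0.0.11,end,dns,udp,53,74,90,aged-out
10.0.0.11,end,dns,udp,53,148,0,aged-out
10.0.0.12,end,dns,udp,53,74,106,unknown
10.0.0.12,end,dns,udp,53,74,122,aged-out
10.0.0.12,end,web-browsing,tcp,80,512,4096,tcp-fin
"""


def triage_dns(csv_text):
    """Summarise port-53 traffic-log rows per source address.

    Rows whose subtype is not 'end' are counted separately, because the
    session end reason field only applies to logs of subtype end.
    """
    report = defaultdict(
        lambda: {"start_logs": 0, "end_reasons": Counter(), "unanswered": 0}
    )
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["dport"] != "53":
            continue  # not DNS traffic
        entry = report[row["src"]]
        if row["subtype"] != "end":
            entry["start_logs"] += 1  # end reason is n/a on these rows
            continue
        entry["end_reasons"][row["session_end_reason"]] += 1
        # A session that ended with nothing received saw no DNS reply.
        if int(row["bytes_received"]) == 0:
            entry["unanswered"] += 1
    return dict(report)


if __name__ == "__main__":
    for src, e in sorted(triage_dns(SAMPLE).items()):
        print(src, "start logs:", e["start_logs"],
              "end reasons:", dict(e["end_reasons"]),
              "unanswered:", e["unanswered"])
```

A source with many `aged-out` rows and a high unanswered count is the one to look at for slowness; `aged-out` with replies received is the normal end of a UDP session.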