resources-unavailable for DNS-base traffic


L1 Bithead

Model: Palo Alto PA-3420
Software version: 11.2.4-h1

 

Most of our dns-base traffic has the "session end reason" resources-unavailable suddenly. We're also having trouble loading webpages. The resources-unavailable reason is only on DNS-base traffic and it is for DNS traffic to our 2 internal DNS servers, but also from our DNS-server to the forwarders or directly to external DNS server (for example 8.8.4.4, 8.8.8.8).

I checked the commands "show counter global name aho_alloc_lookup_failed":

Name:           aho_alloc_lookup_failed
Value:          0
Severity:       Warning
Category:       aho
Aspect:         resource
Description:    failed to alloc regex lookup

 And "debug dataplane pool statistics | match "Regex Results"":

[18] Regex Results (  16352): 2048/2048  52/2048  1/1      0xd301603b00-0xd3035f3b00  52

But that seems ok. Any suggestions what can be wrong, or where I can look?

10 REPLIES 10

Cyber Elite

Hello,

Check the unified logs to see where/if the traffic is getting blocked. It's UDP, so you might have to check the session browser; if the session is still open it won't show in the logs (reason 'log at session end' on the security policy).

 

Regards,

 


L1 Bithead

The traffic is allowed:

 

631.png

 

It seems like some sort of memory leak affecting only the DNS traffic. We had to restart the firewall because normal internet was impossible with all the failed DNS requests. After the reboot we haven't seen any "session end reason: resource-unavailable" anymore. The uptime before the reboot was 61 days, so not that long.

Any info on the cause? We've had this occur twice now, 14 days apart. A reboot was the only solution. I haven't opened a case yet, but that's my next step.

L4 Transporter

Hi @adminglu ,

 

Recommendation is to open a support case and work with the TAC team to identify the issue.

Best Regards,


Mohammad Talib


After 21 days uptime the issue came back. This Friday I have to install an update on the firewall so the problem will be gone for a while. If it comes back again I'm going to create a support ticket with Palo Alto.

L0 Member

Just want to share: in my case it is a PA440. I opened a case with support and they requested to enable Jumbo Frame support on the PA to avoid this issue.

Thanks for reporting back, we just had the issue again yesterday after 72 days uptime.

 

You mean under Device->Setup->Session->Session Settings->Enable Jumbo Frame?

L3 Networker

I've been having this exact problem. Causing me horrific chaos on my PA-440!! Only restarting the firewall fixes the issue, and it happens every 2-3 months. I just saw this thread, so I have turned on Jumbo Frame enablement per the recommendation above; we'll see if that helps. Did that fix it for you guys?
If anyone has any other suggestions, please let me know!

L3 Networker

Hi 

I would like to ask if this behavior is also related to PA-1410 version 11.2.5. I found the following bug; however, I need to confirm it.

 

  1. PAN-296752
    This issue is now resolved. See PAN-OS 11.2.10 Addressed Issues
    The PA-1410 firewalls experience a spike in the management plane CPU utilization when the monitor-dp process attempts to retrieve the power cycle count from the NVMe drive’s SMART data. This condition leads to repeated reboots of the device, requiring a hard reset for recovery.

2025/12/29 17:35:41  Crash  /var/log/pan/md_apps.log  2025-12-29 17:35:41.443 -0600 Process monitor exited with signal of 15; core dumped: no
2025/12/29 17:35:41  Crash  /var/log/pan/md_apps.log  2025-12-29 17:35:41.444 -0600 Process plugin_api_server exited with signal of 15; core dumped: no
2025/12/29 17:35:41  Crash  /var/log/pan/md_apps.log  2025-12-29 17:35:41.446 -0600 Process csad exited with signal of 9; core dumped: no
2025/12/29 17:35:41  Crash  /var/log/pan/md_apps.log  2025-12-29 17:35:41.446 -0600 Process devsrvr exited with signal of 9; core dumped: no
2025/12/29 17:35:41  Crash  /var/log/pan/md_apps.log  2025-12-29 17:35:41.446 -0600 Process distributord exited with signal of 9; core dumped: no
2025/12/29 17:35:41  Crash  /var/log/pan/md_apps.log  2025-12-29 17:35:41.446 -0600 Process iotd exited with signal of 9; core dumped: no
2025/12/29 17:35:41  Crash  /var/log/pan/md_apps.log  2025-12-29 17:35:41.447 -0600 Process mgmtsrvr exited with signal of 9; core dumped: no

Community Team Member

Hi @F.Pinar ,

 

PAN-296752 is indeed flagged for PAN-OS version 11.2.5, so the timing and the hardware match up. However, even with the logs you provided, I can't confirm this is the exact bug from here.

 

Processes exiting with signal 9 or 15 are essentially the system's way of panic-closing apps because the Management Plane is overwhelmed.

While PAN-296752 is a likely candidate, these same crashes can be triggered by other underlying issues.

To be sure before you start changing code I'd generate a TSF and submit it to TAC for review. Point them directly to your logs and PAN-296752. 

 

TAC has the tools to look to see if monitor-dp was specifically the process that choked the CPU. They can confirm if moving to 11.2.10 is your fix or if there’s something else going on with your specific config.

 

It’s better to have TAC verify the root cause now than to perform an upgrade and have the same crash happen again hours later.

 

Kind regards,

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
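
Added example (not part of the thread and not Palo Alto tooling): a small Python triage script for the `md_apps.log` crash entries quoted above. It separates processes that were terminated from outside (signal 15 or 9, no core) from processes that faulted on their own, and groups near-simultaneous kills into one burst to reference in a TAC case. The function names, the 5-second window, the three-process threshold and the last sample line are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Matches the md_apps.log crash entries quoted in the thread.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) [+-]\d{4} "
    r"Process (?P<proc>\S+) exited with signal of (?P<sig>\d+); "
    r"core dumped: (?P<core>\w+)"
)
# Signals delivered by another process rather than raised by a fault in the process itself.
EXTERNAL_KILL = {9: "SIGKILL", 15: "SIGTERM"}

def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "proc": m["proc"],
            "sig": int(m["sig"]),
            "core": m["core"] != "no",  # assumption: any value other than "no" means a core exists
        })
    return sorted(events, key=lambda e: e["ts"])

def find_kill_bursts(events, window=timedelta(seconds=5), min_procs=3):
    """Return groups of >= min_procs external kills that start within `window` of the first one."""
    bursts, current = [], []
    for e in events:
        if e["sig"] not in EXTERNAL_KILL or e["core"]:
            continue  # a faulting process (e.g. signal 11 with a core) is a different case
        if current and e["ts"] - current[0]["ts"] > window:
            if len(current) >= min_procs:
                bursts.append(current)
            current = []
        current.append(e)
    if len(current) >= min_procs:
        bursts.append(current)
    return bursts

SAMPLE = [  # first four lines are taken from the thread; the last one is constructed for contrast
    "2025/12/29 17:35:41  Crash  /var/log/pan/md_apps.log  2025-12-29 17:35:41.443 -0600 Process monitor exited with signal of 15; core dumped: no",
    "2025/12/29 17:35:41  Crash  /var/log/pan/md_apps.log  2025-12-29 17:35:41.446 -0600 Process csad exited with signal of 9; core dumped: no",
    "2025/12/29 17:35:41  Crash  /var/log/pan/md_apps.log  2025-12-29 17:35:41.446 -0600 Process devsrvr exited with signal of 9; core dumped: no",
    "2025/12/29 17:35:41  Crash  /var/log/pan/md_apps.log  2025-12-29 17:35:41.447 -0600 Process mgmtsrvr exited with signal of 9; core dumped: no",
    "2025/12/29 18:02:10  Crash  /var/log/pan/md_apps.log  2025-12-29 18:02:10.100 -0600 Process exampled exited with signal of 11; core dumped: yes",
]

if __name__ == "__main__":
    for burst in find_kill_bursts(parse(SAMPLE)):
        print(burst[0]["ts"], [(e["proc"], EXTERNAL_KILL[e["sig"]]) for e in burst])
```

A burst only shows that several processes were terminated together; which process exhausted the management plane still has to come from the TSF review.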