Stale SIP Sessions

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Stale SIP Sessions

L2 Linker

Hello all,

 

We seem to have an issue with sip sessions being stuck in the session monitor for weeks and sometimes months.  There have been instances, albeit extremely rare, where it prevented new sessions from being formed on a sip trunk we were testing (it's being moved off of the firewall for production).  Once I cleared the stuck session we were able to make calls again.  The phones themselves are Polycom.  I have ALG turned off on all firewalls and the sip application timeout has been adjusted from 3600 seconds to 20 seconds.  The timeout adjustment seemed to help but I still see stuck sessions every so often.  Anything else that can be checked or adjusted?  I'm not much of a phone system expert so this is a little out of my realm.

 

stalesessions.pngstalesessionssip.png

4 REPLIES 4

L0 Member

Hey All, same issue for us as well.  We have the sip session timeout less than 1 hour, but we still get the same issue.  For me, it seems to occur after a FW failover (we have active/passive).  And the old sessions sits there for the day or longer if its not noticed, and then prevents calling.

Did you ever find a solution to this?

L0 Member

This can be a common behavior with UDP sessions like SIP and IKE stuck in that state if the traffic is matching the same session continuously and gets refreshed because with SIP sessions you will see traffic on 5060 and for IKE 500 as the ports. If you have active calls and IKE traffic traversing through the firewall constantly it would match the same session and gets refreshed they tend to stay in an Active state for longer time. If you don't want that to happen you can work with timeout values. This KB article might help you understand a scenario on why you need to adjust timeout value for SIP session 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clg7CAC

 

There's a possibility that due to any reason this sessions can go into Discard state and be a stale session. A session in discard state will continue to be refreshed and discard traffic as long as the arriving traffic matches the discard session basically 6 tuples. Particularly with UDP traffic, you can end up stuck in this state.. At this point of time you will see traffic incrementing on total byte count in session info. And the only way is to manually clear the session. I hope this clarification helps. 

L6 Presenter

You can also automate this with changing the variables as @ypopuri  said and Palo Alto Cortex XSOAR (there is a free community edition for you to see if you like it) or with Ansible panos_config_element module for example as when failover is seen in the logs the config to be autochanged and maybe after time to again be auto changed and returned to normal https://paloaltonetworks.github.io/pan-os-ansible/modules/panos_config_element_module.html

 

Outside of that you can also schedule a custom report each night with SIP application elapset time (you can even schedule or send the report by email) then get this report via API and and again with API to delete the sessions by using their ID.

 

 

There are also Ansible modules for operational commands and for reports as  I did not find an exact Ansible module you can use the URI module to get the report:

 

https://paloaltonetworks.github.io/pan-os-ansible/modules/panos_op_module.html

 

https://docs.ansible.com/ansible/latest/collections/ansible/builtin/uri_module.html

 

 

 

Also palo alto has another way with using '<show><session><all><filter><min-age>{{ session_min_age }}</min-age></filter></all></session></show>' :

 

https://github.com/PaloAltoNetworks/ansible-playbooks/blob/master/session_report.yml

 

 

 

nikoolayy1_0-1678945001762.png

 

 

nikoolayy1_1-1678945037031.png

nikoolayy1_2-1678945078975.png

 

  • 8801 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!