We're experiencing multiple issues with udp-based applications after network outages. A common problem is that udp tracking sessions (I assume from ALG) in PA for DHCP create issues and clients are unable to attain IP-address. This error must be manually solved by clearing sessions. We've also seen this error for other udp applications.
Question is: Are the configuration steps we can take to alleviate our problems with udp tracking sessions getting invalid in PA?
I am not aware of an ALG for DHCP. UDP has a global time out of 30 secs, by default.
Here is a screen capture of what DHCP looks like on my FW.
Note the start time and receive time (receive time is when the log was received to the traffic log, which logs at session end)
Session End Reason
So unless someone has manipulated the global timers, or it is anomoly in the software, 30 secs is reasonable max time a UDP is maintained.
That is different for SIP which has an ALG.
In logs and sessions browser the dhcp sessions between ip gateways (remote locations) and dhcp servers are often long running, up to 1-2 weeks. So I'm pretty sure the dhcp application is dependent on more than the udp timeout. It seems unlikely that we should receive continuous dhcp relay traffic from the gateways.
Our config for dhcp application seems standard also:
Also checked ou firewall timeouts which seems to be default:
Session timeout TCP default timeout: 3600 secs TCP session timeout before SYN-ACK received: 5 secs TCP session timeout before 3-way handshaking: 10 secs TCP half-closed session timeout: 120 secs TCP session timeout in TIME_WAIT: 15 secs TCP session delayed ack timeout: 250 millisecs TCP session timeout for unverified RST: 30 secs UDP default timeout: 30 secs ICMP default timeout: 6 secs SCTP default timeout: 3600 secs SCTP timeout before INIT-ACK received: 5 secs SCTP timeout before COOKIE received: 60 secs SCTP timeout before SHUTDOWN received: 30 secs other IP default timeout: 30 secs Captive Portal session timeout: 30 secs Session timeout in discard state: TCP: 90 secs, UDP: 60 secs, SCTP: 60 secs, other IP protocols: 60 secs
Can you show a screen capture showing a DHCP session that has been in your Session Browser for more than 2 minutes?
You may need to do a "show session ID xxxxx" from the CLI
I am not able to confirm your issue. DHCP is just and only 4 UDP packet exchange.
When I go into my Session Browser and look for DHCP, I get none, meaning, I have zero sessions that are in the session table.
But even when I look at a UDP session (DNS in my example), this is what I see
start time : Thu Oct 31 12:10:36 2019
timeout : 30 sec
So we are missing some details...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!