Why tcp aged-out?


L3 Networker

Hi all,

Our developers are connecting from Zone1 to Zone2 with TCP (on ports between 2000 and 3000).

The tcp session timeout on firewall is 3 hours.

The security policy allows any application, any port from Zone1 to Zone2. But there are all default security profiles applied on that rule.

When going to Zone2, the source IP is NATted to the firewall interface IP of Zone2.

Still the sessions end with reason "aged-out" after 1 hour when there is no activity.

If we bypass the firewall, this behaviour is not observed. All other devices with and without firewall bypass are the same. Hence the suspicion on firewall.

Any idea what could be the reason or what parameters I can check?

Thanks!

2 REPLIES

L0 Member

Hi @rjdahav163

When monitoring the traffic logs using Monitor > Logs > Traffic, some traffic is seen with the session. Try this: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMjLCAW

Cyber Elite

Are the connections being identified as an App-ID? Because then the default timeout will be ignored in favor of the app timeout.

You could create a custom app with a 3-hour timeout and set an app override so all connections from Zone1 to Zone2 on those ports are forced to your custom App-ID, which will also enforce the timeout.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
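As an added illustration of the custom-app plus app-override approach suggested in this reply (not the poster's own configuration), the PAN-OS CLI commands below create the custom application with a 10800-second (3-hour) timeout, force the Zone1-to-Zone2 TCP/2000-3000 traffic from the question onto it, and show how to confirm the timeout on a live session. The application name, rule name and the category/subcategory/technology/risk values are placeholders chosen here, the `#` lines are annotations rather than CLI input, and the configuration keys are written as I know them, so confirm them against your PAN-OS version.

```panos
# Custom application carrying the desired 3-hour (10800 s) idle timeout.
# "dev-tcp-longlived" and the classification values are placeholders.
configure
set application dev-tcp-longlived category business-systems subcategory general-business technology client-server risk 2
set application dev-tcp-longlived timeout 10800
set application dev-tcp-longlived tcp-timeout 10800

# Application override: TCP/2000-3000 from Zone1 to Zone2 (zones and ports
# from the question) is forced to the custom app, so its timeout applies
# instead of the default timeout of whatever App-ID would otherwise match.
# Matching is on pre-NAT addresses, so the source NAT to the Zone2 interface
# does not affect the rule.
set rulebase application-override rules dev-zone1-zone2-override from Zone1 to Zone2 source any destination any protocol tcp port 2000-3000 application dev-tcp-longlived
commit
exit

# Verification: sessions started after the commit should list the custom
# application, and "show session id" should report a 10800 s timeout.
show session all filter from Zone1 to Zone2 application dev-tcp-longlived
show session id <session-id>

# The global TCP default timeout (the 3-hour value set in the question)
# is shown here for comparison.
show session info
```

Application override stops App-ID and the Layer 7 content inspection that the default security profiles on the allow rule provide, so the matched developer traffic is no longer threat-scanned; scope the rule to specific source and destination addresses rather than `any` to keep that exemption as small as possible.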