Why do some traffic logs contain the session end reason aged-out?

Created On 09/04/19 23:17 PM - Last Modified 01/09/24 10:29 AM


Question


Why do some traffic logs contain the session end reason aged-out?

Environment


  • Palo Alto Firewalls
  • PAN-OS 9.0 and above


Answer


When monitoring the traffic logs using Monitor > Logs > Traffic, some traffic is seen with the Session End Reason as aged-out. Any traffic that uses UDP or ICMP will have the session end reason aged-out in the traffic log. This is because, unlike TCP, UDP has no way to terminate a session gracefully, so aged-out is a legitimate session end reason for UDP (and ICMP) sessions.

If the application is working fine with aged-out in the traffic log, this is normal and can be ignored. 

If the application is not working, or if the application is TCP, and aged-out is seen as the Session End Reason, then the issue needs to be troubleshot further.

Note: The session end reason aged-out is also expected when only one host in the connection sent a TCP FIN message to close the session.

Note: When HTTP/2 inspection is in place, HTTP/2 stream sessions that end normally are currently also logged with the session end reason aged-out because a more specific reason is not set. The end reason is set to threat only when a threat is detected.
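
The triage rule above, as an added Python example that is not part of the original article: it reads a traffic log CSV export, counts aged-out UDP and ICMP sessions as expected, and groups aged-out TCP sessions by flow for follow-up. The column names and the sample rows are assumptions constructed for illustration; match the names to the header row of your own export.

```python
import csv
import io
from collections import Counter

# Column names are assumptions modelled on a traffic log CSV export;
# adjust them to the header row of your own export.
COL_SRC = "Source address"
COL_DST = "Destination address"
COL_DPORT = "Destination Port"
COL_APP = "Application"
COL_PROTO = "IP Protocol"
COL_REASON = "Session End Reason"

# Protocols with no graceful close, where aged-out is the normal end reason.
EXPECTED_PROTOS = {"udp", "icmp"}

# Constructed sample rows (not real log data).
SAMPLE_CSV = """\
Source address,Destination address,Destination Port,Application,IP Protocol,Session End Reason
10.1.1.10,10.2.2.53,53,dns,udp,aged-out
10.1.1.10,10.2.2.1,0,ping,icmp,aged-out
10.1.1.20,10.3.3.80,443,ssl,tcp,tcp-fin
10.1.1.30,10.3.3.90,8443,web-browsing,tcp,aged-out
10.1.1.30,10.3.3.90,8443,web-browsing,tcp,aged-out
10.1.1.40,10.3.3.25,25,smtp,tcp,tcp-rst-from-server
"""


def triage(csv_text):
    """Split aged-out sessions into expected (UDP/ICMP) and TCP flows to review."""
    expected = Counter()  # protocol -> number of aged-out sessions
    review = Counter()    # (src, dst, dport, app) -> number of aged-out TCP sessions
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row[COL_REASON].strip().lower() != "aged-out":
            continue  # only aged-out sessions are of interest here
        proto = row[COL_PROTO].strip().lower()
        if proto in EXPECTED_PROTOS:
            expected[proto] += 1
        elif proto == "tcp":
            flow = (row[COL_SRC], row[COL_DST], row[COL_DPORT], row[COL_APP])
            review[flow] += 1
        # Other IP protocols are left out of both buckets.
    return expected, review


if __name__ == "__main__":
    expected, review = triage(SAMPLE_CSV)
    print("expected aged-out:", dict(expected))
    for flow, count in review.most_common():
        print("review TCP aged-out:", flow, "x", count)
```

A TCP flow in the review list is not necessarily a fault: the one-sided FIN and HTTP/2 cases in the notes above also produce aged-out.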

