LINE App disconnection issue - Both endpoints on same LAN
14310
Created On 01/14/20 08:36 AM - Last Modified 01/27/20 02:14 AM
Symptom
When endpoints with the LINE application installed (both PCs and mobile phones) are on the same LAN behind the PA firewall, audio/video calls between those endpoints disconnect after about a minute or two.
Calls to or from endpoints on the internet are not affected.
Environment
This applies only to the PA-3050, PA-3060 and PA-5000 Series firewalls.
The application is identified as naver-line in the Palo Alto Networks application database.
Topology :
Assumption :
Line App installed endpoints.
PC - 10.10.10.1/24
Mobile Phone - 10.10.10.2/24
Both are behind a PA (3050, 3060 or 5000 Series) firewall and reach the internet through it using Dynamic IP and Port (DIPP) NAT.
Cause
Based on the observed behaviour of this application, it appears to work as follows.
Both endpoints open an SSL connection to the server on TCP port 443, which serves as the control connection.
Once the call is connected, each endpoint opens UDP connections to the server over which the media traffic is sent and received.
When both endpoints are on the same LAN, a few seconds after the call starts the application detects that they share a LAN segment.
The endpoints then switch to exchanging media packets directly between their private IP addresses, i.e. the UDP packets flow directly between 10.10.10.1 and 10.10.10.2.
Once this happens, each endpoint sends only one UDP packet to the server approximately every 10 seconds, which appears to be a keepalive.
By design, once a TCP or UDP session is offloaded on the PA-3050, PA-3060 and PA-5000 Series firewalls, 16 packets must be received on the offloaded session within the session timeout for the session to be refreshed.
If fewer than 16 packets arrive within that window, the session is not refreshed and is closed when the timeout expires.
The default UDP timeout for the naver-line application is 30 seconds.
Since LINE sends only one UDP packet every 10 seconds, at most 3 packets arrive within 30 seconds.
The firewall therefore closes the offloaded session when the timeout expires.
The next UDP packet from the endpoint creates a new session. Because the traffic is NATted (DIPP), that packet is translated to a new source port.
The server appears to ignore packets arriving from the new source port and tears down the call on the endpoints.
This is why the call drops after about a minute or two.
Resolution
Since the 16-packet requirement for refreshing an offloaded session is by design, the only fix is to raise the application's UDP timeout as follows.
Objects > Applications > search for naver-line > click the application
Options > "UDP Timeout (seconds):" > Customize
Change the value from 30 to 300.
Then commit.
With one keepalive every 10 seconds, 16 packets need at least 160 seconds to arrive; a 300-second timeout leaves enough room for the session to be refreshed before it times out.
The Audio/Video call can then be tested. The call disconnection should not happen anymore.
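The session-refresh arithmetic in the Cause and Resolution sections above, worked through as an added example. This is not PAN-OS code and not part of the original article; it is a small model of the behaviour the article describes (an offloaded session is refreshed only when 16 packets arrive within one timeout window, otherwise it ages out and the next packet creates a new session). The 10-second keepalive interval, the 16-packet threshold and the timeout values are taken from the article; the function names and the "expiry on the first packet that arrives after the window" rule are assumptions made here for illustration.

```python
"""Model of the offloaded-session refresh rule described in the article.

Added example, not Palo Alto Networks code. Assumptions (from the article):
  - after offload a session is refreshed only if REFRESH_PACKETS packets
    arrive within one timeout window;
  - LINE sends one UDP keepalive to the server every KEEPALIVE_INTERVAL s;
  - a session that is not refreshed expires at last_refresh + timeout, and the
    next packet then creates a new session (new DIPP NAT source port).
"""

REFRESH_PACKETS = 16      # packets needed within one timeout window after offload
KEEPALIVE_INTERVAL = 10   # seconds between LINE keepalives (observed in the article)


def packets_in_window(timeout_s, interval_s=KEEPALIVE_INTERVAL):
    """Keepalives that can arrive within one timeout window."""
    return timeout_s // interval_s


def session_survives(timeout_s, interval_s=KEEPALIVE_INTERVAL, threshold=REFRESH_PACKETS):
    """True if enough keepalives arrive per window to keep refreshing the session."""
    return packets_in_window(timeout_s, interval_s) >= threshold


def min_timeout(interval_s=KEEPALIVE_INTERVAL, threshold=REFRESH_PACKETS):
    """Smallest application timeout (seconds) that lets `threshold` packets arrive."""
    return interval_s * threshold


def simulate_call(call_seconds, timeout_s, interval_s=KEEPALIVE_INTERVAL,
                  threshold=REFRESH_PACKETS):
    """Walk a call keepalive by keepalive.

    Returns (sessions_created, first_teardown_time). A result with more than
    one session means the firewall aged the session out at least once and the
    next keepalive was NATted to a new source port, which is the failure the
    article describes; first_teardown_time is None if that never happened.
    """
    sessions = 0
    first_teardown = None
    last_refresh = None   # when the current session was created or last refreshed
    seen = 0              # packets counted toward the next refresh
    t = 0
    while t <= call_seconds:
        if last_refresh is None or t - last_refresh > timeout_s:
            # No session, or the existing one expired before this packet arrived.
            if last_refresh is not None and first_teardown is None:
                first_teardown = last_refresh + timeout_s
            sessions += 1
            last_refresh = t
            seen = 0
        else:
            seen += 1
            if seen >= threshold:
                # 16 packets inside the window: the offloaded session is refreshed.
                last_refresh = t
                seen = 0
        t += interval_s
    return sessions, first_teardown


if __name__ == "__main__":
    for timeout in (30, 160, 300):
        print(f"timeout={timeout:>3}s: {packets_in_window(timeout)} packets/window, "
              f"survives={session_survives(timeout)}, "
              f"2-minute call -> {simulate_call(120, timeout)}")
    print("minimum viable UDP timeout:", min_timeout(), "s")
```

With the default 30-second timeout the model creates a new session every 40 seconds of a two-minute call (the first teardown at 30 s), matching the "about a minute or two" in the Symptom section; at 300 seconds a single session lasts the whole call. The minimum the model allows is 160 seconds, so 300 leaves roughly double that margin, which is worth keeping because the 10-second keepalive interval is an observation rather than a guarantee.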
Additional Information
FIREWALL OFFLOADING TRAFFIC -- HOW TO DISABLE
The session refresh behaviour after offload is explained in the article linked above.
Another way to confirm the cause is to configure a host firewall on one endpoint so that it stops accepting UDP traffic from its own LAN segment, which prevents the two endpoints from switching to the direct LAN path.
This is not a scalable fix and should only be used during troubleshooting, to confirm that the issue is the one discussed in this article.
On a Windows endpoint, a Windows Firewall inbound rule can be used to block that traffic and the call tested again; the call should no longer disconnect.