VoIP calls with application h.225 drop after 10-15 minutes
18012
Created On 03/31/20 21:56 PM - Last Modified 03/26/21 18:14 PM
Symptom
- VoIP calls using application h.225 on destination port 1720 drop after 15 minutes
- The firewall does not show any drops in the packet capture
- Global counters filtered on the packet capture filter show the following counter: "ctd predict queue got enque due to predict waiting fpp"
Global counters:
Elapsed time since last sampling: 10.810 seconds

name                      value  rate  severity  category  aspect   description
------------------------------------------------------------------------------------------------------
flow_fpga_rcv_fastpath        1     0  info      flow      offload  fpga packets for fastpath received
ctd_predict_queue_enque       1     0  info      ctd       pktproc  ctd predict queue got enque due to predict waiting fpp
ctd_predict_queue_len         1     0  info      ctd       pktproc  ctd predict queue length
- The session initially shows end-reason: unknown
Session 506534
c2s flow:
source: 10.10.10.10 [Voice]
dst: 1.1.1.1
proto: 6
sport: 11014 dport: 1720
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 1.1.1.1 [External]
dst: 2.2.2.2
proto: 6
sport: 1720 dport: 26953
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Tue Mar 3 17:05:00 2020
timeout : 3600 sec
time to live : 3600 sec
total byte count(c2s) : 1839
total byte count(s2c) : 2068
layer7 packet count(c2s) : 13
layer7 packet count(s2c) : 17
vsys : vsys1
application : h.225
rule : Voip
service timeout override(index) : False
session to be logged at end : True
session in session ager : True
session updated by HA peer : False
address/port translation : source
nat-rule : Internet (vsys1)
layer7 processing : enabled
ctd version : 5
URL filtering enabled : True
URL category : any
session via syn-cookies : False
session terminated on host : False
session terminate tunnel : False
captive portal session : False
ingress interface : ethernet1/14.1
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
end-reason : unknown
- Later, when the session fails, the end-reason is "tcp-rst-from-client"
Session 506534
c2s flow:
source: 10.10.10.10 [Voice]
dst: 1.1.1.1
proto: 6
sport: 11014 dport: 1720
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 1.1.1.1 [External]
dst: 2.2.2.2
proto: 6
sport: 1720 dport: 26953
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Tue Mar 3 17:05:00 2020
timeout : 15 sec
time to live : 14 sec
total byte count(c2s) : 1959
total byte count(s2c) : 2365
layer7 packet count(c2s) : 15
layer7 packet count(s2c) : 20
vsys : vsys1
application : h.225
rule : Voip
service timeout override(index) : False
session to be logged at end : True
session in session ager : True
session updated by HA peer : False
address/port translation : source
nat-rule : Internet(vsys1)
layer7 processing : enabled
ctd version : 5
URL filtering enabled : True
URL category : any
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
session terminate tunnel : False
captive portal session : False
ingress interface : ethernet1/14.1
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
tracker stage firewall : TCP RST - client
end-reason : tcp-rst-from-client
- Debug output from a flow basic capture shows the message "queue the work waiting for predict install to complete"
In the sessions with destination port 1720, the following message is seen: "queue the work waiting for predict install to complete". A deny message is also shown in flow basic: "CP-DENY TCP non data packet getting through".

Packet received at fastpath stage, tag 506534, type ATOMIC
Packet info: len 60 port 77 interface 142 vsys 1
  wqe index 552402 packet 0x0x80000003956e08e4, HA: 0, IC: 0
Packet decoded dump:
L2:     yy:yy:yy:yy:yy:yy->xx:xx:xx:xx:xx:xx, VLAN 20 (0x8100 0x6014), type 0x0800
IP:     10.10.10.10->1.1.1.1, protocol 6
        version 4, ihl 5, tos 0xb8, len 40,
        id 27568, frag_off 0x4000, ttl 64, checksum 20256(0x4f20)
TCP:    sport 11014, dport 1720, seq 3489772155, ack 3912119931,
        reserved 0, offset 5, window 123, checksum 23596,
        flags 0x10 ( ACK), urgent data 0, l4 data len 0
TCP option:
Flow fastpath, session 506534 (set work 0x800000038f420800 exclude_video 0 from sp 0x8000000132c16880 exclude_video 0)
HSCI link selection: tag 0
NAT session, run address/port translation
CP-DENY TCP non data packet getting through
queue the work waiting for predict install to complete
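The following Python script is an added example, not PAN-OS code or a Palo Alto Networks tool. It turns the checks above into a repeatable triage step: it parses two `show session id` snapshots (one taken while the call is up, one after it fails) and the `show counter global` table, and reports whether they match the signature on this page. The session and counter texts embedded in it are constructed, abridged copies of the outputs shown above; the finding names such as `matches_page_signature` are the script's own.

```python
"""Triage helper for the h.225 predict-install symptom on this page (added example,
not PAN-OS code). It parses two `show session id` snapshots and a `show counter
global` table and checks them against the signature described above: h.225 on
dport 1720, timeout collapsing to the short TCP-RST value, end-reason
tcp-rst-from-client and ctd_predict_queue_enque > 0."""
import re

FLOW_KEYS = {"source", "dst", "proto", "src user", "dst user"}  # keys of the c2s/s2c blocks
H225_PORT = 1720

# Constructed (abridged) from the first session snapshot on this page.
SESSION_BEFORE = """\
Session 506534
c2s flow:
source: 10.10.10.10 [Voice]
dst: 1.1.1.1
proto: 6
sport: 11014 dport: 1720
state: ACTIVE type: FLOW
s2c flow:
source: 1.1.1.1 [External]
sport: 1720 dport: 26953
start time : Tue Mar 3 17:05:00 2020
timeout : 3600 sec
time to live : 3600 sec
application : h.225
end-reason : unknown
"""
# The second snapshot differs only in the fields that change after the client RST.
SESSION_AFTER = (SESSION_BEFORE
    .replace("timeout : 3600 sec", "timeout : 15 sec")
    .replace("time to live : 3600 sec", "time to live : 14 sec")
    .replace("end-reason : unknown",
             "tracker stage firewall : TCP RST - client\nend-reason : tcp-rst-from-client"))
# Constructed from the global counter table on this page.
COUNTERS = """\
name value rate severity category aspect description
--------
flow_fpga_rcv_fastpath 1 0 info flow offload fpga packets for fastpath received
ctd_predict_queue_enque 1 0 info ctd pktproc ctd predict queue got enque due to predict waiting fpp
ctd_predict_queue_len 1 0 info ctd pktproc ctd predict queue length
"""
COUNTER_RE = re.compile(r"(\w+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(.*)")


def parse_session(text):
    """Parse `show session id` output: flow fields under 'c2s'/'s2c', the rest top level."""
    sess, flow = {"c2s": {}, "s2c": {}}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"Session (\d+)", line):
            sess["id"] = int(m.group(1))
        elif line in ("c2s flow:", "s2c flow:"):
            flow = line[:3]
        elif flow and (m := re.fullmatch(r"(sport|state):\s*(\S+)\s+(dport|type):\s*(\S+)", line)):
            for key, val in ((m.group(1), m.group(2)), (m.group(3), m.group(4))):
                sess[flow][key] = int(val) if key in ("sport", "dport") else val
        elif m := re.fullmatch(r"([^:]+?)\s*:\s*(.*)", line):
            key, val = m.groups()
            if flow and key in FLOW_KEYS:
                ip, _, zone = val.partition(" [")  # e.g. "10.10.10.10 [Voice]"
                sess[flow][key] = ip
                if zone:
                    sess[flow][key + " zone"] = zone.rstrip("]")
            else:
                flow = None  # session-level fields follow the two flow blocks
                secs = re.fullmatch(r"(\d+) sec", val)
                sess[key] = int(secs.group(1)) if secs else val
    return sess


def parse_counters(text):
    """Parse `show counter global` rows into {name: {value, rate, severity, ...}}."""
    out = {}
    for line in text.splitlines():
        if m := COUNTER_RE.fullmatch(line.strip()):
            name, value, rate, sev, cat, aspect, desc = m.groups()
            out[name] = {"value": int(value), "rate": int(rate), "severity": sev,
                         "category": cat, "aspect": aspect, "description": desc}
    return out


def diagnose(before_text, after_text, counters_text):
    """Check two snapshots plus counters against the signature on this page."""
    before, after = parse_session(before_text), parse_session(after_text)
    predict = parse_counters(counters_text).get("ctd_predict_queue_enque", {}).get("value", 0)
    f = {"session_id": before.get("id"),
         "h225_on_1720": before.get("application") == "h.225"
                         and before["c2s"].get("dport") == H225_PORT,
         "timeout_before": before.get("timeout"), "timeout_after": after.get("timeout"),
         "end_reason": after.get("end-reason"), "predict_queue_enque": predict}
    # Timeout falling from the application timeout to the TCP-RST timeout together with
    # end-reason tcp-rst-from-client means the endpoint aborted the call after the stall;
    # the firewall itself logged no drop, which is why the pcap shows none.
    f["client_rst_after_stall"] = (f["end_reason"] == "tcp-rst-from-client"
                                   and (f["timeout_after"] or 0) < (f["timeout_before"] or 0))
    f["matches_page_signature"] = bool(f["h225_on_1720"] and f["client_rst_after_stall"]
                                       and predict > 0)
    return f

if __name__ == "__main__":
    for name, value in diagnose(SESSION_BEFORE, SESSION_AFTER, COUNTERS).items():
        print(f"{name:22} {value}")
```

Run it as a script to print the findings, or call `diagnose()` with real output captured before and after a call stalls. The check that matters is the timeout falling from the 3600-second application timeout to the 15-second TCP-RST timeout with end-reason tcp-rst-from-client: the endpoint tore the call down after the stall, so no drop is expected in the packet capture, and the ctd_predict_queue_enque counter plus the flow basic message are the useful indicators.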
Environment
- PANOS 8.1.x
- PANOS 9.0.5
- PAN-3260
Cause
- When a duplicate predict session is installed, the parent session is dropped.
- The firewall silently blocks destination port 1790; application h.225 on destination port 1720 depends on destination port 1790.
- Because application h.225 receives no message from destination port 1790, the firewall drops the session with the message "queue the work waiting for predict install to complete".
Resolution
- Issue ID PAN-122311 fixes the problem where the parent session was dropped when a duplicate predict session was installed. The fix is in release 9.0.6.
- A workaround that does not require upgrading the firewall is an application override. Traffic matched by an application override rule bypasses App-ID, so scope the rule to the specific zones, addresses and port 1720 used by the VoIP traffic and remove it after upgrading to a fixed release.