Traffic failure occurs with the session end reason "resources-unavailable" after upgrading to PAN-OS 9.1.13 or 10.0.10
76340
Created On 04/21/22 04:49 AM - Last Modified 04/24/24 17:50 PM
Symptom
After upgrading PAN-OS to 9.1.13 or 10.0.10, unexpected traffic failure may occurs and traffic log shows the session end reason "resources-unavailable".
Environment
- All platforms including VM firewalls
- Firewalls running on PAN-OS 9.1.13 (includes h1 and h3) or 10.0.10 (does not include h1)
- Other PAN-OS versions are NOT affected by this issue
Cause
If you can see the session end reason "resources-unavailable" under traffic log without resource usage spike after upgrading PAN-OS to affected versions, please check whether the counter "aho_alloc_lookup_failed" is increasing or not.
> show counter global name aho_alloc_lookup_failed
Name: aho_alloc_lookup_failed
Value: 184328 <<<<<<---------------!!!!!!
Severity: Warning
Category: aho
Aspect: resource
Description: failed to alloc regex lookup
If you can see the above counter is increasing, please also check whether the "Regex Results" is depleted.
> debug dataplane pool statistics | match "Regex Results"
[12] Regex Results (13272): 15/8192 0x8000000109219180
If your firewall matches to the above symptoms, the issue might be hitting to PAN-189468.
Please open a new support case via CSP with uploading tech-support file, if you need our assistance for checking the condition.
Resolution
- This issue was fixed in PAN-OS 9.1.14 and 10.0.10-h1 and 10.1.5 releases
- Upgrade PAN-OS to resolve the issue.
- To release "Regex Result" memory pool on affected PAN-OS, you have to reboot the firewall.
Additional Information
PAN-189468 is listed as addressed issue in the following release note:
PAN-OS 9.1.14 Addressed Issues
PAN-OS 10.0.10-h 1 Addressed Issues
Critical Issues Addressed In PAN-OS Releases