Keepalive packet drops by firewall due to app-id requirements
Created On 06/30/20 14:55 PM - Last Modified 01/15/24 18:03 PM
Symptom
- Keepalive packets are dropped by firewall
- The app-id in the traffic logs for the keepalive traffic shows incomplete, insufficient, or unknown-tcp.
Environment
- All PAN-OS firewalls without an application override for keepalive sessions of fewer than ten packets
Cause
- The firewall needs more than ten packets to recognize the application.
- Many keepalive sessions are fewer than ten packets, which results in an incomplete, insufficient, or unknown-tcp application ID.
Resolution
1. Create an application override to avoid using the App-ID feature.
NOTE:
Traffic will pass and not be dropped because the firewall does not try to identify the application.
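Because the override stops the firewall from identifying the application on matching traffic, it helps to scope it to the keepalive flows only. The following is an added example, not from the original article or from Palo Alto Networks: it triages traffic-log rows to list flows whose sessions were all under ten packets with an unidentified app-id. The CSV column layout, the sample rows and the `min_sessions` parameter are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict

# App-ID values the article lists for dropped keepalives ("insufficient-data"
# is how PAN-OS logs spell "insufficient").
UNIDENTIFIED = {"incomplete", "insufficient", "insufficient-data", "unknown-tcp"}
PACKET_LIMIT = 10  # the article's threshold: sessions of fewer than ten packets

# Constructed sample rows. The column layout is an assumption for this example,
# not a PAN-OS export format.
SAMPLE_LOG = """\
src,dst,dport,proto,app,packets,action
10.1.1.5,10.2.2.9,7001,tcp,incomplete,4,deny
10.1.1.5,10.2.2.9,7001,tcp,insufficient-data,6,deny
10.1.1.5,10.2.2.9,7001,tcp,unknown-tcp,8,deny
10.1.1.7,10.2.2.9,443,tcp,incomplete,3,deny
10.1.1.7,10.2.2.9,443,tcp,ssl,42,allow
10.1.1.7,10.2.2.9,443,tcp,incomplete,2,deny
10.1.1.7,10.2.2.9,443,tcp,incomplete,5,deny
10.1.1.8,10.2.2.20,9000,tcp,unknown-tcp,5,deny
10.1.1.9,10.2.2.30,8500,tcp,unknown-tcp,25,allow
"""


def override_candidates(log_text, min_sessions=3):
    """Map (src, dst, dport, proto) -> count of short unidentified sessions.

    A flow is returned only if every session seen on it was short and
    unidentified, so the override does not also cover traffic App-ID can
    classify. min_sessions (hypothetical parameter) filters one-off noise.
    """
    short = defaultdict(int)
    mixed = set()  # flows that also carried identified or longer sessions
    for row in csv.DictReader(io.StringIO(log_text)):
        key = (row["src"], row["dst"], int(row["dport"]), row["proto"])
        if row["app"] in UNIDENTIFIED and int(row["packets"]) < PACKET_LIMIT:
            short[key] += 1
        else:
            mixed.add(key)
    return {k: n for k, n in short.items() if n >= min_sessions and k not in mixed}


if __name__ == "__main__":
    for (src, dst, dport, proto), n in override_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport}/{proto}: {n} short unidentified sessions")
```

In the sample, the flow to port 443 is excluded even though it has three short sessions, because the same flow also carried a session the firewall identified.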
Additional Information
For more details on how much data is necessary to recognize an application, refer to the following document:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIgCAK#