Traffic problems with session end reason of "TCP-reuse"

Created On 05/20/22 11:55 AM - Last Modified 09/08/23 06:45 AM


Symptom


  • Under Monitor > Traffic, the logs show sessions with session end reason "TCP-reuse".
  • Connectivity through the firewall is impacted (connections stall or fail to re-establish).
  • The global counter "flow_tcp_non_syn_drop" increases.
  • In packet captures, every packet of a session that reaches the firewall more than 15 seconds after the first TCP FIN of that session was seen is dropped.


Environment


  • PA-5400 series Firewall
  • PAN-OS versions 10.1.0 - 10.1.5


Cause


  • Once the first FIN arrives, the session timestamp is no longer refreshed by later packets.
  • When the firewall sees the first FIN, the session timeout is changed to the TCP half-closed timeout.
  • When the firewall sees the second FIN, the session timeout is changed to the TCP time-wait timeout (default 15 seconds).
  • Because the timestamp is stuck at the first FIN, the firewall measures the age of every later packet against that FIN instead of against the previous packet. Any packet that arrives more than 15 seconds after the first FIN is therefore treated as belonging to an expired session and is dropped.
  • After the second FIN or an RST, the session remains in the table for the time-wait period (15 seconds) and is then closed. If within that window the firewall receives a new SYN with the same TCP source port to the same destination, PAN-OS ends the previous session with the end reason "TCP-reuse". If that SYN arrives more than 15 seconds after the first FIN, the stale timestamp causes the SYN itself to be dropped, even though the traffic log still shows the "TCP-reuse" entry for the old session.


Resolution


Upgrade the firewall to PAN-OS 10.1.6 or later, where the session timestamp is refreshed correctly after the first FIN.


Workarounds
  • Navigate to Device > Setup > Session > Session Timeouts and set "TCP Time Wait" to 1 second. The same timer can be set per application under Objects > Applications, by selecting the application and editing its Options.
    • Note: This only reduces the probability of hitting the issue. A 1-second time-wait removes the closing session from the table almost immediately, so a new SYN on the same source port no longer triggers session reuse; packets that still belong to the old session after its first FIN can still be dropped.
  • Alternatively, navigate to Device > Setup > Session > Session Timeouts and set "TCP Time Wait" and "TCP handshake" to values large enough to avoid the drop, i.e. larger than the gap between the FIN/RST and the packet that is being dropped.
    • Note: The values needed vary with the traffic pattern; measure the gap in a packet capture before choosing them.
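The Cause section above describes a small state machine, and the two workarounds are just different values for one of its timers. The following Python replay is an added illustration written for this article, not PAN-OS code: the session-table logic is a simplified model, the "TCP Half Closed" and established timeouts are assumed values (only "TCP Time Wait" = 15 s comes from the article), and the packet trace is constructed. It runs the same trace through a firewall that freezes the timestamp after the first FIN (the 10.1.0-10.1.5 behaviour) and through one that refreshes it on every packet, and lets you plug in the workaround timer values.

```python
"""Toy replay of the session-ageing defect described in the Cause section.

Added illustration, not PAN-OS code. TCP Time Wait 15 s is the default named
in the article; the other two timers are assumed and the trace is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ESTABLISHED_TIMEOUT = 3600.0   # assumed; never reached in the trace below
HALF_CLOSED_TIMEOUT = 120.0    # assumed PAN-OS default "TCP Half Closed"
DEFAULT_TIME_WAIT = 15.0       # "TCP Time Wait" default stated in the article


@dataclass
class Packet:
    t: float     # seconds since the first SYN of the trace
    flags: str   # "SYN", "ACK", "FIN" or "RST": the flag that matters for ageing


@dataclass
class Session:
    last_seen: float                     # timestamp the per-packet age check uses
    timeout: float                       # idle timeout currently applied to last_seen
    fins_seen: int = 0
    frozen: bool = False                 # True once the defect stops refreshing last_seen
    expires_at: Optional[float] = None   # set when the session enters time-wait


def replay(packets: List[Packet], freeze_after_first_fin: bool,
           time_wait: float = DEFAULT_TIME_WAIT) -> Tuple[List[Tuple[float, str, str]], int]:
    """Run one flow (a single 5-tuple) through a one-entry session table.

    freeze_after_first_fin=True models PAN-OS 10.1.0-10.1.5: last_seen is
    written for the first FIN and never again. False models a firewall that
    refreshes last_seen on every accepted packet. time_wait is the "TCP Time
    Wait" value, so the workaround settings can be tried. Returns the verdict
    per packet and the number of flow_tcp_non_syn_drop increments.
    """
    sess: Optional[Session] = None
    verdicts: List[Tuple[float, str, str]] = []
    non_syn_drops = 0

    for p in packets:
        # Ager: a session in time-wait leaves the table when its timer runs out.
        if sess is not None and sess.expires_at is not None and p.t > sess.expires_at:
            sess = None

        if sess is None:                      # no session: only a SYN may create one
            if p.flags == "SYN":
                sess = Session(last_seen=p.t, timeout=ESTABLISHED_TIMEOUT)
                verdicts.append((p.t, p.flags, "new-session"))
            else:
                non_syn_drops += 1
                verdicts.append((p.t, p.flags, "drop:flow_tcp_non_syn_drop"))
            continue

        stale = (p.t - sess.last_seen) > sess.timeout

        if p.flags == "SYN":
            # The old session is still in the table, so it is logged as tcp-reuse;
            # with a stale last_seen the SYN itself is nevertheless dropped.
            if stale:
                verdicts.append((p.t, p.flags, "tcp-reuse:syn-dropped"))
                sess = None
            else:
                sess = Session(last_seen=p.t, timeout=ESTABLISHED_TIMEOUT)
                verdicts.append((p.t, p.flags, "tcp-reuse:new-session"))
            continue

        if stale:                             # non-SYN packet aged against a stale stamp
            non_syn_drops += 1
            verdicts.append((p.t, p.flags, "drop:flow_tcp_non_syn_drop"))
            continue

        # Accepted packet: advance the close state machine.
        if p.flags == "FIN":
            sess.fins_seen += 1
            sess.timeout = HALF_CLOSED_TIMEOUT if sess.fins_seen == 1 else time_wait
            if sess.fins_seen >= 2:
                sess.expires_at = p.t + time_wait
        elif p.flags == "RST":
            sess.timeout = time_wait
            sess.expires_at = p.t + time_wait

        if not sess.frozen:
            sess.last_seen = p.t
        if freeze_after_first_fin and sess.fins_seen >= 1:
            sess.frozen = True                # the defect: no refresh after the first FIN
        verdicts.append((p.t, p.flags, "pass"))

    return verdicts, non_syn_drops


# Constructed trace: client closes, server closes 18 s later, the client's final
# ACK lands 20 s after the first FIN, then the client reuses the source port.
TRACE = [
    Packet(0.0, "SYN"),    # client opens the connection
    Packet(0.1, "ACK"),    # handshake completes (server SYN-ACK omitted)
    Packet(10.0, "ACK"),   # application data
    Packet(20.0, "FIN"),   # first FIN: client half-closes
    Packet(25.0, "ACK"),   # server acknowledges the FIN
    Packet(38.0, "FIN"),   # second FIN: server closes its side
    Packet(40.0, "ACK"),   # client's final ACK, 20 s after the first FIN
    Packet(45.0, "SYN"),   # client reuses the same source port
]


def dropped_verdicts(packets: List[Packet], buggy: bool,
                     time_wait: float = DEFAULT_TIME_WAIT) -> List[str]:
    """Which packets of the trace were not forwarded, as readable strings."""
    verdicts, _ = replay(packets, buggy, time_wait)
    return [f"{t:g}s {flags} {v}" for t, flags, v in verdicts
            if v != "pass" and not v.endswith("new-session")]


if __name__ == "__main__":
    for label, buggy, tw in (("10.1.0-10.1.5, default timers", True, DEFAULT_TIME_WAIT),
                             ("10.1.0-10.1.5, TCP Time Wait = 1 s", True, 1.0),
                             ("10.1.0-10.1.5, TCP Time Wait = 30 s", True, 30.0),
                             ("fixed release, default timers", False, DEFAULT_TIME_WAIT)):
        print(f"{label}: dropped = {dropped_verdicts(TRACE, buggy, tw)}")
```

With default timers the buggy replay drops the client's final ACK at 40 s (counted as flow_tcp_non_syn_drop) and then drops the reused-port SYN at 45 s while still recording "tcp-reuse" for the old session, which is exactly the pair of symptoms listed above. Setting the time-wait to 1 s makes the old session expire before the SYN arrives, so the SYN simply opens a new session, but the 40 s ACK is still lost; raising the time-wait to 30 s (larger than the 25 s gap between the first FIN and the SYN) lets both packets through on the buggy model. The fixed model refreshes last_seen on every packet and drops nothing.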


Additional Information


An explanation of why a session will end with reason "TCP-reuse" can be found here.

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CpfKCAS&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail