After Upgrade of PA-3200 Device to 10.1.9 or 10.1.19-h1, offloaded sessions are getting disconnected

Created On 04/13/23 13:01 PM - Last Modified 06/25/25 03:04 AM


Symptom


  • Upgrade of PA-3200 Device to 10.1.9 or 10.1.19-h1.
  • Offloaded application traffic sessions may disconnect after a period of time even if a session is active.
  • The disconnect occurs after the application's default session timeout value is exceeded.


Environment


  • Palo Alto PA-3200 Series Firewalls
  • PAN-OS 10.1.9, 10.1.9-h1
  • Session offload.


Cause


Software defect.



Resolution


  1. The issue is fixed under PAN-216314.
  2. The fix is available in 10.2.4 and in 10.1.10 (released May 2023).
  3. The permanent fix is to upgrade to a PAN-OS release that includes the fix (see Additional Information) or to a later release. Also check the preferred PAN-OS versions here.
  4. The workaround is to run the following command from operational mode:
> debug dataplane internal pdt fe100 csr wr_sem_ctrl_ctr_scan_dis value 0
  • The command takes effect immediately for old and new sessions.
  • The command also persists across reboots.


Additional Information


Symptom: Sessions are closed with end-reason aged-out even though the client and/or server are transmitting packets.
Root-Cause: The dataplane (DP) does not refresh the session timeout value of some hardware-offloaded sessions, so those sessions are closed as aged-out.
This affects traffic that has a low packet rate for a certain time interval.
Fix version/s: 11.0.1, 10.2.4, 10.1.10, 10.1.9-h3, 9.1.16
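To check a fleet inventory against the fix list above, the following added example (not Palo Alto Networks code) compares a PAN-OS version string, including any `-hN` hotfix suffix, with the earliest fixed release in its release train. It assumes that trains newer than any listed one already carry the fix, and it reports trains with no listed fix release as unknown; the function names and the sample inventory are constructed for illustration.

```python
import re

# Fix versions for PAN-216314, copied from the article's "Fix version/s" line.
FIX_VERSIONS = ["11.0.1", "10.2.4", "10.1.10", "10.1.9-h3", "9.1.16"]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Parse 'X.Y.Z' or 'X.Y.Z-hN' into (major, minor, maintenance, hotfix)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())

def earliest_fix_per_train():
    """Map each (major, minor) train to the lowest listed release with the fix."""
    fixes = {}
    for parsed in map(parse_version, FIX_VERSIONS):
        train = parsed[:2]
        fixes[train] = min(parsed, fixes.get(train, parsed))
    return fixes

def fix_status(version):
    """Return 'has-fix', 'lacks-fix', or 'unknown' for one PAN-OS version."""
    parsed = parse_version(version)
    fixes = earliest_fix_per_train()
    train = parsed[:2]
    if train in fixes:
        return "has-fix" if parsed >= fixes[train] else "lacks-fix"
    if train > max(fixes):
        # Assumption: trains newer than any listed one already carry the fix.
        return "has-fix"
    return "unknown"  # older or unlisted train: the article names no fix release

def audit(inventory):
    """Apply fix_status to a {hostname: version} mapping."""
    return {host: fix_status(version) for host, version in inventory.items()}

if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    sample = {"fw-a": "10.1.9-h1", "fw-b": "10.1.9-h3", "fw-c": "10.2.3", "fw-d": "10.0.12"}
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```

A `lacks-fix` result only means the release predates the fix; whether a device shows the symptom still depends on the conditions listed under Environment.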


