Why Do Some Traffic Report As Aged-out In Traffic Log - Knowledge Base

Why do some traffic logs contain the session end reason aged-out?

Created On 09/04/19 23:17 PM - Last Modified 01/09/24 10:29 AM

Traffic Log Reporting and Logging PAN-OS

Question

Why do some traffic logs contain the session end reason aged-out?

Environment

  • Palo Alto Firewalls
  • PAN-OS 9.0 and above

Answer

When monitoring the traffic logs under Monitor > Logs > Traffic, some traffic is seen with the Session End Reason aged-out. Any traffic that uses UDP or ICMP will have the session end reason aged-out in the traffic log. This is because, unlike TCP, UDP has no way to terminate a session gracefully, so aged-out is a legitimate session end reason for UDP (and ICMP) sessions.

If the application is working fine with aged-out in the traffic log, this is normal and can be ignored. If the application is not working, or if the application is TCP and aged-out is seen as the Session End Reason, then the issue needs to be troubleshot further.

Note: The session end reason aged-out is also expected when only one host in the connection sent a TCP FIN message to close the session.

Note: When HTTP/2 inspection is in place, HTTP/2 stream sessions that end normally are currently also logged with the session end reason aged-out because a more specific reason is not set. The end reason is set to threat only when a threat is detected.
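The triage rule above can be applied to an exported traffic log in bulk. The following is an added example, not part of the original article or any vendor tooling: the CSV column names and the sample rows are constructed assumptions, so adjust them to match your export. TCP rows it flags are leads, not verdicts, since the one-sided FIN and HTTP/2 cases noted above also end as aged-out.

```python
import csv
import io
from collections import Counter

# Constructed sample rows. The column names are assumptions modelled on a
# traffic log CSV export and may differ from the headers in your export.
SAMPLE_CSV = """\
Source address,Destination address,Destination Port,IP Protocol,Application,Session End Reason
10.1.1.10,10.2.2.53,53,udp,dns,aged-out
10.1.1.10,10.2.2.1,0,icmp,ping,aged-out
10.1.1.20,10.3.3.80,443,tcp,ssl,tcp-fin
10.1.1.21,10.3.3.90,1433,tcp,mssql-db,aged-out
10.1.1.22,10.3.3.90,1433,tcp,mssql-db,aged-out
10.1.1.21,10.3.3.90,1433,tcp,mssql-db,aged-out
10.1.1.30,10.3.3.80,443,tcp,web-browsing,threat
"""

CONNECTIONLESS = {"udp", "icmp"}  # no graceful close, so aged-out is normal


def classify(row):
    """Return a verdict for one traffic log row, following the article's rule."""
    if row["Session End Reason"].strip().lower() != "aged-out":
        return "other"          # ended for a different, more specific reason
    proto = row["IP Protocol"].strip().lower()
    if proto in CONNECTIONLESS:
        return "expected"       # UDP/ICMP always end as aged-out
    if proto == "tcp":
        return "investigate"    # TCP aged-out needs a closer look
    return "not-covered"        # protocol the article does not discuss


def triage(csv_text):
    """Count rows per verdict and group the 'investigate' rows by flow."""
    verdicts, flows = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = classify(row)
        verdicts[verdict] += 1
        if verdict == "investigate":
            flows[(row["Source address"], row["Destination address"],
                   row["Destination Port"], row["Application"])] += 1
    return verdicts, flows


if __name__ == "__main__":
    verdicts, flows = triage(SAMPLE_CSV)
    print(dict(verdicts))
    for flow, count in flows.most_common():  # noisiest flows first
        print(count, *flow)
```

Repeated aged-out TCP sessions on the same source, destination and port, as in the constructed mssql-db rows, are the ones to check first against whether the application is actually working.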