Content Sharing Unreliable With Palo Alto Networks Firewall Default UDP Session Timeout Value

It has been observed in several enterprise network environments that purpose-built video endpoint systems from Cisco Systems and Poly registered to the Pexip Service may exhibit unreliable content sharing behavior. This can include an inability to receive or initiate a content share shortly after the video call connects, whether to a video bridge or in a point-to-point call. In many cases content sharing initially works as expected and then becomes unreliable within a short period of time. A list of compatible Cisco Systems and Poly endpoint models which can be registered to the Pexip Service can be found here.

The common element in these enterprise network environments has been the presence of a Palo Alto Networks firewall. After investigating the initial reports of the content share behavior together with Palo Alto Networks Technical Support, the problem was traced to the UDP session timeout setting on the Palo Alto Networks firewall, which needed to be increased. Video endpoints registered to the Pexip Service use SIP (Session Initiation Protocol) as the signaling protocol, and the content share channel is negotiated via SIP as BFCP (Binary Floor Control Protocol), which in this deployment runs over UDP. Troubleshooting logs showed that the two-way BFCP exchange between the video endpoint and the Pexip Service was being closed prematurely by the firewall when the default UDP session timeout of 30 seconds was in use. A stateful firewall keeps a UDP session only while packets continue to flow within the timeout; a floor-control channel such as BFCP carries little traffic and can sit idle for longer than 30 seconds between the call connecting and the first share attempt, at which point the firewall discards the session state and drops the next inbound BFCP message as unsolicited UDP.

The recommendation that came out of the first customer engagement, where increasing the UDP timeout value resolved all content sharing issues, was recorded as follows:

We had a conference call with <customer> today.  They still have to do more testing but they may have found a fix for the content issue.  Since recommending they investigate their firewall further with the vendor the firewall engineers recommended they increase the UDP session timeout from the firewall’s default 30 seconds to 3600 seconds for ports 10,000 - 65,535.  Originally they increased the session timeout for TCP but their testing still reproduced the failure.  When they applied the UDP timeout change their tests so far have all been successful.

Pexip's recommendations when Palo Alto Networks firewalls are present are:

  1. Ensure that the firewall permits all the traffic types and port ranges to and from the IP address spaces shown in the "Alternative rules, limited hosts / networks to open in your Firewall" section of the Firewall Rules Tables.
  2. Increase the UDP session timeout from the default 30 seconds to 3600 seconds for the UDP port range 10000-65535. This is the same UDP port range as listed in the "Alternative rules, limited hosts / networks to open in your Firewall" section of the Firewall Rules Tables. Apply the longer timeout to the rule(s) carrying traffic to and from the Pexip Service address spaces rather than to all UDP traffic: a longer UDP timer keeps idle sessions in the firewall's session table for longer, so a firewall-wide change increases session-table consumption with no benefit to the video calls.
  3. Disable the "Application Filtering" setting on the firewall. As with the timeout change, scope this to the rules matching the Pexip Service address spaces where the platform allows it, since it removes application-layer inspection for whatever traffic it covers.

To confirm the change, place a test call, wait longer than the previous 30 second timer before starting a share, and check that content can be both started and received.
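The failure mode described above can be checked from a packet capture of the BFCP flow rather than by trial and error. The following Python script is an added example, not Pexip or Palo Alto Networks code: it models the firewall's UDP session timeout as an idle timer that is reset by any packet in either direction, finds the longest idle gap in each UDP flow, reports which flows a given timer would have expired, and counts how many sessions the firewall would still be holding under a given timer, which shows the session-table cost of a longer timeout. The packet records, the endpoint and service addresses (10.0.0.5 and 198.51.100.20) and the port numbers are constructed for the example; the 30 and 3600 second values and the 10000-65535 range are the ones the article gives.

```python
"""Model a stateful firewall's UDP idle timer against captured UDP flows.

Added example, not Pexip or Palo Alto Networks code. The packets below are
constructed inline; in practice they would come from a capture (tshark) or
from the firewall's traffic log for a call whose content share failed.
"""
from collections import defaultdict

DEFAULT_UDP_TIMEOUT = 30        # seconds; firewall default named in the article
RECOMMENDED_UDP_TIMEOUT = 3600  # seconds; value Pexip recommends for UDP 10000-65535
MEDIA_PORTS = range(10000, 65536)

# Constructed addresses: an endpoint inside the firewall and a documentation-range
# address (RFC 5737) standing in for the Pexip Service.
ENDPOINT = "10.0.0.5"
SERVICE = "198.51.100.20"


def _pkt(ts, src, sport, dst, dport, proto="udp"):
    return {"ts": float(ts), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "proto": proto}


SAMPLE_PACKETS = (
    # BFCP floor-control channel: a handful of messages at call setup, then
    # silence until the user tries to share content 46 seconds later.
    [_pkt(0, ENDPOINT, 10024, SERVICE, 40000),
     _pkt(2, ENDPOINT, 10024, SERVICE, 40000),
     _pkt(4, SERVICE, 40000, ENDPOINT, 10024),
     _pkt(50, SERVICE, 40000, ENDPOINT, 10024),   # first packet after the idle gap, inbound
     _pkt(52, ENDPOINT, 10024, SERVICE, 40000)]
    # RTP media: one packet per second for a minute, never idle long enough to expire.
    + [_pkt(t, ENDPOINT, 10026, SERVICE, 40002) for t in range(0, 61)]
    # Three unrelated single-datagram UDP flows (NTP-like), used to show the
    # session-table cost of a long timer.
    + [_pkt(5 + i, "10.0.0.%d" % (50 + i), 5000 + i, "203.0.113.9", 123) for i in range(3)]
)


def flow_key(pkt):
    """Direction-independent key so both halves of a flow map to one firewall session."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], ends[0], ends[1])


def max_idle_gaps(packets):
    """Return {flow_key: (longest idle gap in seconds, timestamp at which it ended)}."""
    by_flow = defaultdict(list)
    for p in packets:
        by_flow[flow_key(p)].append(p["ts"])
    gaps = {}
    for key, times in by_flow.items():
        times.sort()
        worst = (0.0, times[0])
        for prev, cur in zip(times, times[1:]):
            if cur - prev > worst[0]:
                worst = (cur - prev, cur)
        gaps[key] = worst
    return gaps


def expired_flows(packets, timeout):
    """Flows whose longest idle gap exceeds the timer. The firewall has already
    discarded the session when the next packet arrives, so an inbound datagram
    from the service side is dropped as unsolicited UDP."""
    return {k: g for k, g in max_idle_gaps(packets).items() if g[0] > timeout}


def in_media_range(key):
    """True when either port of the flow falls in the UDP range the article names."""
    _, (_, port_a), (_, port_b) = key
    return port_a in MEDIA_PORTS or port_b in MEDIA_PORTS


def required_timeout(packets):
    """Smallest idle timer (seconds) that would have kept every media-range flow alive."""
    gaps = max_idle_gaps(packets)
    return max((g[0] for k, g in gaps.items() if in_media_range(k)), default=0.0)


def live_sessions(packets, timeout, at):
    """Sessions the firewall still holds at time `at`: flows whose last packet on or
    before `at` is within `timeout` seconds. A longer timer keeps idle flows in the
    session table longer, which is why the change should be scoped to the service
    address ranges rather than applied to all UDP traffic."""
    last_seen = {}
    for p in packets:
        if p["ts"] <= at:
            k = flow_key(p)
            last_seen[k] = max(last_seen.get(k, p["ts"]), p["ts"])
    return sum(1 for t in last_seen.values() if at - t <= timeout)


if __name__ == "__main__":
    for timeout in (DEFAULT_UDP_TIMEOUT, RECOMMENDED_UDP_TIMEOUT):
        dead = expired_flows(SAMPLE_PACKETS, timeout)
        print("timeout %4ds: %d flow(s) expired, %d session(s) held at t=70s"
              % (timeout, len(dead), live_sessions(SAMPLE_PACKETS, timeout, 70)))
        for (proto, a, b), (gap, ended) in dead.items():
            print("  %s %s:%d <-> %s:%d idle %.0fs, torn down before packet at t=%.0fs"
                  % (proto, a[0], a[1], b[0], b[1], gap, ended))
    print("smallest timer that keeps the BFCP flow alive: %.0fs" % required_timeout(SAMPLE_PACKETS))
```

Feed it the timestamps and 5-tuples of a failing call taken from tshark or from the firewall's traffic log. If the longest idle gap on the BFCP flow exceeds the configured timer, that flow is the one being torn down, and `required_timeout` gives the smallest timer that would have kept it alive for the captured call; comparing `live_sessions` under the two timers shows how many extra entries the longer timer costs, which is the argument for scoping it to the Pexip Service address ranges.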

Last updated: 2020-10-02
