
XG Firewall - Windows Remote Desktop freezing


Hi,

We have just started using XG (upgraded from UTM 9) and we are having difficulty with Windows Remote Desktop going through the XG Firewall via an IPsec VPN connection. The Remote Desktop connections temporarily disconnect or pause dozens of times a day.  Sometimes they connect back up, sometimes they drop.  I have added a DoS Bypass rule for the subnet and the RDP server on the other side.  It helped a lot but it is still continuing.  Does anyone know why XG would consider RDP connections as a DoS attack and how to fix this?  This issue is happening in 2 different offices in two different countries (so I know it is not the Internet connection, modem or router). If I put our old UTM 9 firewall back in the issue goes away.  Any help would be appreciated.  Thanks.

Jae

Running the latest firmware SFOS 17.1.4 MR-4 on all sites.

  • Watch the IPS/IDS logs for a signature for an RDP exploit. I have had similar things happen with RDP and had to allow a bypass for this signature ID. The disconnects/hangs stopped.

  • It turns out the issue was DoS blocking RDP traffic through the VPN.  I had to add a DoS Bypass Rule for the RDP server (Internal IP) and the destination subnet for both TCP and UDP for port 3389.  I am surprised that the firewall was this strict on VPN traffic for a common protocol but I guess everything is considered a threat unless you tell it that it is not.  I hope this helps anyone that has a similar issue.  Thank you everyone for the help.

  • Hello Jae and thank you for your finding. 


    We have been having the same issues for a long time and your solution worked for us as well. I think Sophos really should look into this and, until they have a solution, write a KB with your findings.


    Best Regards

    Rickard Nordahl

  • Unfortunately with IDS they always say "sometimes false positives happen. Please open a case."  I have the same problem with Kaspersky Security Center being blocked pulling updates, citing an IIS vulnerability.  It has caught me 2 times in about 3 months.

  • Same issue here, thought it was far-end internet.

  • It took forever to figure this out.  I thought it was the other side as well until I installed another firewall in another location and had the same issue. We had UTM 9 firewalls forever and never had this issue.  Did the DoS exception fix it???

  • Not sure yet, I just did the fix today and now monitoring.

  • OK, please update this thread if it works.  If you have an XG firewall on both sides you will have to make the changes on both sides.  I also had to add an exception for our public IP with the same port.  I am not sure why that was needed as all the traffic should be going through the VPN.  Good luck and I hope it works for you.

  • Actually, I would suggest dumping this connection on XG.

    https://community.sophos.com/products/community-chat/f/knowledge-base-article-suggestions/105811/how-to-tcpdump-on-xg

    If the Windows Remote Desktop is freezing, are there any packets or not? 

    This would lead to the next step, what is the client doing. (Using Wireshark to find this issue). 


  • Lucar Toni.

    With all respect. This is NOT a client issue. It's something that the firewall is doing with the packages when it's passing the firewall over IPsec VPN.

    Since there is no issue with UTM and other firewalls with clients and VPN, this is an XG issue.

    As soon as there is an XG involved, this issue is happening.

    Clients are Windows 10 and servers are Win 2012 and newer.

    Before Windows Server 2012, MS used only TCP for RDP, and now it's UDP as the primary protocol and TCP as fallback.

    And as I said before, Sophos support were involved with us and logged traffic remotely but could not find anything.

    Regards

    Rickard

  • The point I am trying to make is, why not troubleshoot this by yourself?

    Again. It is a tunnel. 

    So you have the possibility to take a look at both ends. 

    You can look, what comes to XG - What is coming out of the SSL VPN tunnel on XG site? 

    And you can look at, what does the client send into the tunnel? 


    There are couple of points, which can cause this issue. 


    Maybe the client is sending this traffic not to XG, but instead to its local WAN Ethernet adapter?

    Maybe XG is dropping the traffic for whatever reason?

    Maybe the client sent the traffic into the tunnel, but it never arrives / gets corrupted in the tunnel?

    Maybe everything is working until the packets come back to the client and XG is sending them to the wrong interface?


    I have literally the same setup and everything works fine. 

    So there is something going on in your setup and you should start to take a deeper look into this issue. 


    I would not say, it is not a client issue, as long as you do not have any dump proof of this. 


  • I will add to this that I analyzed traffic on both ends, looked at the clients, servers and switches.  Nothing was wrong with anything and all the problems started when we installed XG.  Our UTM 9 firewalls were fine.  We have one small office that didn't need any changes to the DoS but larger offices with 20 plus users or more I think caused the DoS protection to freak out (for lack of a better word) and drop RDP traffic.  I have an office running on the new settings for 3 weeks with no issues now.  The problem is XG and it is the DoS feature if you have more than a couple of users using RDP.

  • But is this DOS Protection feature not doing its job, if you are hitting X amounts of UDP packets per second, it will start to drop?

    If you take a look at the dump of one session, it is crazy, how many packets per second being transmitted. 


    The question is, what should be fixed? 

    Should there be a DOS Protection with preconfigured bypass rules? 

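As an added illustration of the point above about how many UDP packets per second one RDP session generates (example code written for this thread, not from Sophos or any poster here): count UDP/3389 packets per one-second bucket per flow in a capture, so a defender can compare a normal session's peak rate against a per-flow UDP flood threshold before deciding between a bypass rule and a threshold change. The packet records, IP addresses and the threshold value are constructed assumptions; with a real tcpdump/Wireshark export you would feed exported (timestamp, protocol, src, dst, dport) rows into the same functions.

```python
from collections import defaultdict
import math

def _build_sample():
    """Constructed stand-in for one RDP-over-UDP session through the tunnel.
    Each record is (timestamp_seconds, protocol, src_ip, dst_ip, dst_port)."""
    pkts = []
    # Burst: client 10.1.1.20 -> RDP server 10.2.2.10, 150 UDP/3389 packets within second 0
    for i in range(150):
        pkts.append((0.0 + i / 150.0, "udp", "10.1.1.20", "10.2.2.10", 3389))
    # Quieter second 1: only 40 UDP/3389 packets on the same flow
    for i in range(40):
        pkts.append((1.0 + i / 40.0, "udp", "10.1.1.20", "10.2.2.10", 3389))
    # TCP fallback traffic on 3389 and unrelated DNS: neither must count as UDP flood
    for i in range(200):
        pkts.append((0.0 + i / 200.0, "tcp", "10.1.1.20", "10.2.2.10", 3389))
    for i in range(30):
        pkts.append((0.0 + i / 30.0, "udp", "10.1.1.21", "10.2.2.53", 53))
    return pkts

SAMPLE_PACKETS = _build_sample()

def udp_pps_per_flow(packets, port=3389):
    """Return {(src, dst): peak packets in any one-second bucket} for UDP to `port`."""
    buckets = defaultdict(int)
    for ts, proto, src, dst, dport in packets:
        if proto == "udp" and dport == port:
            buckets[(src, dst, math.floor(ts))] += 1
    peak = defaultdict(int)
    for (src, dst, _sec), n in buckets.items():
        peak[(src, dst)] = max(peak[(src, dst)], n)
    return dict(peak)

def flows_over_threshold(packets, threshold_pps, port=3389):
    """Flows whose peak one-second UDP rate meets or exceeds the assumed threshold.
    These are the (source, destination) pairs a per-flow UDP flood rule would hit."""
    rates = udp_pps_per_flow(packets, port)
    return sorted(flow for flow, pps in rates.items() if pps >= threshold_pps)

if __name__ == "__main__":
    # 100 pps is an assumed threshold for the example, not a Sophos default.
    for flow, pps in udp_pps_per_flow(SAMPLE_PACKETS).items():
        print(f"{flow[0]} -> {flow[1]}: peak {pps} UDP/3389 packets per second")
    print("would trip a 100 pps per-flow rule:", flows_over_threshold(SAMPLE_PACKETS, 100))
```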

  • Just to clarify. I have not enabled any DoS protection at all and the GUI that shows dropped packages shows 0 in every column. And it is IPsec site-to-site that is the issue for us.

    We have been running the XG since version 15 and been using every version since. This problem started after we upgraded to v 17.

  • We had almost the exact same issue:

    https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/110335/strange-vpn-connection-issue


    We found a workaround to add the registry key to disable UDP over RDP, but still don't know the root cause.  Thought you might find it interesting.