We recently started having a strange VPN connection issue. Our users can successfully connect to the VPN (we use the Sophos client and an XG Firewall) with no issues. Once connected they can ping their desktop computer, but as soon as you try to connect an RDP session, the pings drop and the RDP link fails. After about 30 seconds or so, RDP pops up the failed to connect message and the pings resume.
I tried this on a known good computer that was working with VPN and RDP just a few days ago and encountered the same thing. There have been no recent changes to the firewall or computers (other than things like definition updates). RDP works internally and when I connect the VPN I can access other resources (AD, file shares, etc).
I checked the firewall and IPS logs, but nothing stands out. Any thoughts on where to begin?
Please share TCPDUMP for RDP session.
Sophos Architect | NSE 4 | CCNP | CISE
You can perform this dump with the following post:
Thanks, but we found the 'solution' (workaround?). It required a registry key addition:
Under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client, create a DWORD named fClientDisableUDP and assign it a value of 1.
Not sure if this one is a MS or Sophos issue since it only happens with RDP over the VPN, but it is working and we have too many projects to take a deep dive.
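One way to audit whether this workaround is still applied on a machine, and to apply or remove it with -WhatIf support, as an added PowerShell example that is not from this thread (the function names are mine; it assumes an elevated session):

```powershell
# Added example (not from the thread): audit and toggle the RDP client
# fClientDisableUDP policy value that the workaround above sets by hand.
# Assumes an elevated PowerShell session; only built-in registry cmdlets are used.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client'
$ValueName  = 'fClientDisableUDP'

function Get-RdpClientUdpState {
    # Returns 'Disabled' when the workaround is in place (value present and 1),
    # 'Enabled' when RDP may still negotiate UDP (value absent or 0).
    # Run this on a sample of PCs before deciding whether to drop the GPO setting.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$ValueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Set-RdpClientUdpWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remove)
    if ($Remove) {
        # Revert to default: delete the value so the client can use UDP again.
        if ($PSCmdlet.ShouldProcess($PolicyPath, "Remove $ValueName")) {
            Remove-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
        }
    } else {
        # Apply the workaround: create the key path if missing, then the DWORD = 1.
        if ($PSCmdlet.ShouldProcess($PolicyPath, "Set $ValueName = 1")) {
            if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
            New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Report the current state; use Set-RdpClientUdpWorkaround -WhatIf to preview a change.
"RDP client UDP transport: $(Get-RdpClientUdpState)"
```

If the value is delivered by a GPO, the next policy refresh will re-apply it, so remove it from the GPO rather than from the local registry.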
I am not sure why you are going to force TCP on the RDP protocol? As per my understanding, this is a workaround only; this is not a root cause.
You could try to check, if there is an issue with the UDP Timeout on your XG. https://community.sophos.com/kb/en-us/127785
Try to raise the UDP Timeout and try again.
I called support and they were pretty confident that the issue was not with the XG. That said, I tried adjusting the UDP timeout, but without that registry key I still am unable to connect an RDP session over the VPN. It might be worth noting that when I do not have the registry key and try to RDP, I am also unable to ping any devices on the network for about 30 seconds. It almost seems like a false positive on a threat detection (IPS?), but there don't appear to be any logs.
It would appear this issue is more widespread than Sophos would want us to think:
Thank you for the info. This proves it is a UDP issue within the XG firewall as TCP RDP connections are not affected. By forcing RDP to use TCP you lose the advantages of UDP. RDP uses both UDP (primary) and TCP to transmit data up to 8 times faster than TCP alone. I guess if the users have fast Internet connections and they don't notice a difference in speed that is a good workaround, but Sophos needs to look at this issue and fix it. We should not have to downgrade our PCs to get it to work with their firewall.
Deepak Verma LuCar Toni
Was this ever resolved? I was reviewing our GPOs and found we still have the workaround of forcing TCP in place.
I am not sure if Sophos fixed this or not but I never made the change to registry that was listed in this thread and my users are connected fine now. I would test it with one PC and see if it is working properly before changing the GPO. Also make sure the PC and the Sophos firewall are fully patched before testing.