Skip to main content
GabbaTech
GabbaTech
New Member
September 25, 2020
Question

RDP traffic not being displayed in packet capture

  • September 25, 2020
  • 1 reply
  • 3114 views

Hi,

 

Are there any known issues where RDP traffic over an IPSec tunnel does not display in a packet capture or diagnose debug flow? I'm debugging RDP session disconnects but am unable to see any RDP traffic on the one firewall. (yes, RDP is working, it's the occasional disconnects that I'm trying to figure out) Running version 6.2.4 and I can see the traffic leaving the client firewall via the IPSec tunnel but nothing on the other side, and it's only RDP traffic. I can see all other traffic on both sides. Again, RDP is working, I'm just not seeing the traffic in the debug. I've run both a packet capture off the GUI and a diagnose sniffer packet and diagnose debug flow on the CLI.

 

I should add that this is an SDWAN setup. Two tunnels are configured, however only 1 is up at the moment

 

RDP Client ----> Client Firewall -----> IPSec Tunnel -----> Head Office Firewall ----> RDP Server 

 

pcap files are available should anyone want to take a look. I've been trying to figure this out for the last three hours as I've never not seen traffic when running a debug.

    1 reply

    Benoit_Rech_FTNT
    Staff
    Benoit_Rech_FTNT
    Staff
    December 22, 2020

    Hello Gareth,

    I suppose that the RDP session is hardware accelerated. As you are running IPSec, there are two hardware acceleration that are triggered depending on your hardware: * encryption/decryption * cleart text session. As soon as the 3-ways TCP handshake is performed, you should not see any packets going through the sniffer.

     

    To diagnose a specific host, my recommendation would be to create a specific firewall policy on top of your firewall policies * src : the PC you want to troubleshoot * dst: the RDP server * service: RDP => and then, edit in CLI the newly created firewall policy to disable the hardware acceleration (set auto-offload-asic disable).  You should then clear the RDP session on the firewall, and after these changes, you should be able to have a trace in 'diag sniffer packet'

     

    Note that it has a CPU impact because the session is not hardware accelerated and then handled by the CPU Do not forget to remove or disable the firewall policy after the troubleshooting session.

     

    Best regards, Benoit

    Terms & ConditionsAccessibility statement