Hi,
Are there any known issues where RDP traffic over an IPSec tunnel does not display in a packet capture or diagnose debug flow? I'm debugging RDP session disconnects but am unable to see any RDP traffic on the one firewall. (yes, RDP is working, it's the occasional disconnects that I'm trying to figure out) Running version 6.2.4 and I can see the traffic leaving the client firewall via the IPSec tunnel but nothing on the other side, and it's only RDP traffic. I can see all other traffic on both sides. Again, RDP is working, I'm just not seeing the traffic in the debug. I've run both a packet capture off the GUI and a diagnose sniffer packet and diagnose debug flow on the CLI.
I should add that this is an SDWAN setup. Two tunnels are configured, however only 1 is up at the moment
RDP Client ----> Client Firewall -----> IPSec Tunnel -----> Head Office Firewall ----> RDP Server
pcap files are available should anyone want to take a look. I've been trying to figure this out for the last three hours as I've never not seen traffic when running a debug.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello Gareth,
I suppose that the RDP session is hardware accelerated. As you are running IPSec, there are two hardware acceleration that are triggered depending on your hardware: * encryption/decryption * cleart text session. As soon as the 3-ways TCP handshake is performed, you should not see any packets going through the sniffer.
To diagnose a specific host, my recommendation would be to create a specific firewall policy on top of your firewall policies * src : the PC you want to troubleshoot * dst: the RDP server * service: RDP => and then, edit in CLI the newly created firewall policy to disable the hardware acceleration (set auto-offload-asic disable). You should then clear the RDP session on the firewall, and after these changes, you should be able to have a trace in 'diag sniffer packet'
Note that it has a CPU impact because the session is not hardware accelerated and then handled by the CPU Do not forget to remove or disable the firewall policy after the troubleshooting session.
Best regards, Benoit
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1714 | |
1093 | |
752 | |
447 | |
232 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.