https://live.paloaltonetworks.com/t5/globalprotect-discussions/ms-rdp-via-globalprotect-is-not-working-in-some-cases/m-p/533954#M3777 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/278480">@MichaelCL</a> ,</P> <P>Looking only at the session end reason and detected application will not give you the full picture of what is happening.</P> <P>I strongly recommend to everyone when reviewing logs to always add the two columns - "Bytes Sent" and "Bytes Received"</P> <P>By default log view include column Bytes, which is summary of sent and received traffic. When adding those two you can quickly identify if firewall receive return traffic.</P> <P>In my experience incomplete is always explained with missing return traffic. Of course why there is no return could be cause by various reasons:</P> <P>&nbsp;</P> <P>From the provided information it looks like Location 3 either does not have correct route for the GP pool or not allowing:</P> <P>- Check the IPsec tunnel between Location 2 and Location 3. Is GP IP pool part of the encryption domain for IPsec phase2?</P> <P>- Does Location 3 have correct route for GP IP pool pointing to tunnel to location 2?</P> <P>- Any firewall rules in location 3? </P> <P>- Any NAT being applied for the traffic over the tunnels?</P> <P>&nbsp;</P> Fri, 10 Mar 2023 12:48:23 GMT aleksandar.astardzhiev 2023-03-10T12:48:23Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/ms-rdp-via-globalprotect-is-not-working-in-some-cases/m-p/533912#M3776 <P>Hello all,</P> <P>we need to allow to access different machines via MS RDP.</P> <P>I write here which accesses work/not work to get an idea of our problem:</P> <P>&nbsp;</P> <P>Location 1 -&gt; S2S -&gt; Location 2 -&gt; <STRONG>RDP working</STRONG></P> <P>Location 1 -&gt; S2S -&gt; Location 2 -&gt; S2S -&gt; Location 3 - <STRONG>RDP working</STRONG><BR />GlobalProtect -&gt; Location 1 -&gt; S2S -&gt; Location 2 -&gt; <STRONG>RDP working</STRONG><BR />GlobalProtect -&gt; Location 1 -&gt; S2S -&gt; Location 2 -&gt; S2S -&gt; Location 3 - <FONT color="#FF0000"><STRONG>RDP not working</STRONG></FONT></P> <P>&nbsp;</P> <P>The only thing we see with the connection not working is that the TCP handshake is not working. It shows Application "incomplete". <STRONG>The firewall policies allow the traffic.&nbsp;</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MichaelCL_0-1678433047226.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48613i8FA7FAF12EBCC16A/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="MichaelCL_0-1678433047226.png" alt="MichaelCL_0-1678433047226.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Test performed:</P> <P>- client-side UDP disabled<BR />- RDP NLA disabled<BR />- Windows firewall disabled</P> <P>It makes no difference.</P> <P>&nbsp;</P> <P>Maybe someone here has an idea what else we could check.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Michael</P> Fri, 10 Mar 2023 07:50:33 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/ms-rdp-via-globalprotect-is-not-working-in-some-cases/m-p/533912#M3776 MichaelCL 2023-03-10T07:50:33Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/ms-rdp-via-globalprotect-is-not-working-in-some-cases/m-p/533954#M3777 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/278480">@MichaelCL</a> ,</P> <P>Looking only at the session end reason and detected application will not give you the full picture of what is happening.</P> <P>I strongly recommend to everyone when reviewing logs to always add the two columns - "Bytes Sent" and "Bytes Received"</P> <P>By default log view include column Bytes, which is summary of sent and received traffic. When adding those two you can quickly identify if firewall receive return traffic.</P> <P>In my experience incomplete is always explained with missing return traffic. Of course why there is no return could be cause by various reasons:</P> <P>&nbsp;</P> <P>From the provided information it looks like Location 3 either does not have correct route for the GP pool or not allowing:</P> <P>- Check the IPsec tunnel between Location 2 and Location 3. Is GP IP pool part of the encryption domain for IPsec phase2?</P> <P>- Does Location 3 have correct route for GP IP pool pointing to tunnel to location 2?</P> <P>- Any firewall rules in location 3? </P> <P>- Any NAT being applied for the traffic over the tunnels?</P> <P>&nbsp;</P> Fri, 10 Mar 2023 12:48:23 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/ms-rdp-via-globalprotect-is-not-working-in-some-cases/m-p/533954#M3777 aleksandar.astardzhiev 2023-03-10T12:48:23Z