https://live.paloaltonetworks.com/t5/globalprotect-discussions/after-connecting-to-global-protect-unable-to-use-rdp/m-p/565269#M4616 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/265072">@Monicashree</a> ,</P> <P>&nbsp;</P> <P>If the NGFW captures packets in the drop stage, then it is dropping the packets. First, check the traffic logs to see the drops.&nbsp; (Make sure logging is enabled for interzone default.)</P> <P>&nbsp;</P> <P>If you don't see anything there, you may be able to see why with the last command in this article -&gt; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS</A>.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Mon, 13 Nov 2023 00:18:37 GMT TomYoung 2023-11-13T00:18:37Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/after-connecting-to-global-protect-unable-to-use-rdp/m-p/565236#M4613 <P>Hi Friends,</P> <P>&nbsp;</P> <P>We have a customer who is facing issues while accessing RDP via Global Protect.</P> <P>User is not able to access the RDP machine after connecting to RDP. We have tried by adding the RDP ip in the include list.</P> <P>We have also tried by creating a specific policy for ms-rdp. It is hitting the correct rule but unable to access.</P> <P>For the logs we could see that application is showing as incomplete.</P> <P>We have tried by taking packet captures. Surprisingly we got all four packets drop, transmit, firewall and Transmit packets.</P> <P>I have merged all the four packets to see. I could see that TCP Port reused messages.</P> <P>Kindly help where and what could be done to solve this.</P> <P>I am attaching the screenshot for your reference.</P> <P>&nbsp;</P> <P>Regards</P> <P>Monica.<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screenshot (124).png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55110i8869F47D5DAC8B8C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot (124).png" alt="Screenshot (124).png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Sat, 11 Nov 2023 05:13:50 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/after-connecting-to-global-protect-unable-to-use-rdp/m-p/565236#M4613 Monicashree 2023-11-11T05:13:50Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/after-connecting-to-global-protect-unable-to-use-rdp/m-p/565250#M4615 <P>At initial look I would say routing issue.</P> Sat, 11 Nov 2023 22:24:32 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/after-connecting-to-global-protect-unable-to-use-rdp/m-p/565250#M4615 Raido_Rattameister 2023-11-11T22:24:32Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/after-connecting-to-global-protect-unable-to-use-rdp/m-p/565269#M4616 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/265072">@Monicashree</a> ,</P> <P>&nbsp;</P> <P>If the NGFW captures packets in the drop stage, then it is dropping the packets. First, check the traffic logs to see the drops.&nbsp; (Make sure logging is enabled for interzone default.)</P> <P>&nbsp;</P> <P>If you don't see anything there, you may be able to see why with the last command in this article -&gt; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS</A>.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Mon, 13 Nov 2023 00:18:37 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/after-connecting-to-global-protect-unable-to-use-rdp/m-p/565269#M4616 TomYoung 2023-11-13T00:18:37Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/after-connecting-to-global-protect-unable-to-use-rdp/m-p/565274#M4618 <P>Screenshot seems to show:</P> <P>&nbsp;</P> <P>Packet 1 - SYN arrives to Palo<BR />Packet 2 - SYN goes through firewall stage in Palo<BR />Packet 3 - SYN is sent out from Palo<BR />Packet 4 - SYN ACK arrives back to Palo<BR />Packet 5 - SYN ACK goes through firewall stage in Palo<BR />Packet 6 - ??? Either captured from "transmit" stage or "drop" stage</P> <P>&nbsp;</P> <P>If packet 6 is captured from "transmit" stage then&nbsp;you need to figure out if 172.16.10.70 receives it and why it does not send ACK back.</P> <P>&nbsp;</P> <P>Most likely it is captured from "drop" stage.</P> <P>This means that either routing back to 172.16.10.70 is broken, return traffic is routed to different zone compared where it came from or if some zone protection settings is dropping it.</P> <P>&nbsp;</P> <P>I suggest to add 2 packet capture filters one where source is&nbsp;172.16.10.70 and destination&nbsp;192.168.45.31 and second filter line with source/destination IPs flipped around.</P> <P>&nbsp;</P> <P>Run command:</P> <P>&gt; show counter global filter delta yes packet-filter yes</P> <P>&nbsp;</P> <P>Generate some traffic and then run same command again.</P> <P>This shows reason why packets are dropped.</P> Mon, 13 Nov 2023 02:19:07 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/after-connecting-to-global-protect-unable-to-use-rdp/m-p/565274#M4618 Raido_Rattameister 2023-11-13T02:19:07Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/after-connecting-to-global-protect-unable-to-use-rdp/m-p/565359#M4620 <P>I notice that the packet is not reaching its destination from the basic flow. Is it possible for you to capture the same packets on the DC firewall? I think that firewall is causing the same issue that you are seeing.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>So the route cause analysis is that this is a down stream network issue.&nbsp;</P> Mon, 13 Nov 2023 11:48:42 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/after-connecting-to-global-protect-unable-to-use-rdp/m-p/565359#M4620 AbdulAzim 2023-11-13T11:48:42Z