topic Re: Windows Updates across a Site to Site VPN in General Topics

Windows Updates across a Site to Site VPN

kdingwall — Fri, 16 Dec 2016 15:44:51 GMT

I have a WSUS server. I have a Site to Site VPN from a PA-3020 at a hosting facility to a Cisco ASA on my corporate network. The PA-3020 is running 7.1.4. When I try to run updates from the servers in the hosting facility, it shows as ms-update in the Traffic Log. The Session End Reason is “tcp-rst-from-server”. I am allowing all traffic on the tunnel and can web browse at port 80 and ping the WSUS server.

Is there something else I need to do to allow Windows Updates across the tunnel?

Re: Windows Updates across a Site to Site VPN

TranceforLife — Fri, 16 Dec 2016 16:00:31 GMT

Hi,

Logs suggests that the server is reseting the connection. Session is created so no problem here. PCAP might help a bit. Any deny logs?

Thx,

Myky

Re: Windows Updates across a Site to Site VPN

kdingwall — Fri, 16 Dec 2016 16:03:54 GMT

I am not getting any denies.

Re: Windows Updates across a Site to Site VPN

TranceforLife — Fri, 16 Dec 2016 16:46:09 GMT

Hi,

Did it ever work? Any threat profiles applied to the policy?ms-updates depends on ssl but as you said you allowing any traffic so that is should not be an issue. Even more sssion is created. Clearly the server sent a TCP reset to the client but why ....

Thx,

Myky

Re: Windows Updates across a Site to Site VPN

BPry — Fri, 16 Dec 2016 16:35:07 GMT

I'm with @TranceforLife, I don't think your issue is going to be the firewall here, it would more likely be something on the actual server that is blocking the traffic. Can you verify that traffic is allowed on the WSUS server and it isn't being stopped there.

Re: Windows Updates across a Site to Site VPN

kdingwall — Fri, 16 Dec 2016 21:18:35 GMT

I added a binding to the default web page for 8020. I can browse the server locally on that port, but get the same error trying to browse from a workstation on the remote network. I can browse the WSUS server on port 80 from the remote network. I can ping it as well. I have not setup any threat profiles yet. I am going to install wireshark on the WSUS server.

Re: Windows Updates across a Site to Site VPN

kdingwall — Mon, 19 Dec 2016 18:57:16 GMT

I have not installed Wireshark yet. I did stop the default website and bind port 80 to the WSUS site. I was able to coonect to the WSUS server on port 80 from the remote servers. I do not know why it does not work on 8530 yet.

Re: Windows Updates across a Site to Site VPN

mlinsemier — Tue, 20 Dec 2016 20:25:58 GMT

Any chance that the WSUS server is using ports seen as https and that you have decryption configured? I've had interesting issues with Windows Updates and decrytion in the past, both internally and external.

Also if you're using applciation-default in your ruleset, make sure that the ports are matching up to whats in the app-id that it's being identified as on the Palo Alto side.

Just some thoughts...