topic Re: Terminal Services Agent allocates ports outside the defined port range in General Topics

Terminal Services Agent allocates ports outside the defined port range

Marc.Luecke — Fri, 14 Aug 2020 13:58:28 GMT

Hi,

I have the problem, that the Terminal Services Agent sometimes allocates ports to users that are out of their port range.

That leads to the usage of wrong security polices.

For example for one user I configured 22800-22999 as the port range.

That user is not allowed to download certain files.

Now sometimes the user gets port 58729 allocated and so the session is not matched to that user, a wrong policy gets to work and the download is possible although it should be denied.

The TSA debug log is almost just filled with this error message:

[Error 966]: GetDriverLog3: Device control get drvier log3 fails: 57!!!!
[Error 966]: GetDriverLog3: Device control get drvier log3 fails: 57!!!!
[Error 966]: GetDriverLog3: Device control get drvier log3 fails: 57!!!!
[Error 966]: GetDriverLog3: Device control get drvier log3 fails: 57!!!!

There is no other application in use that could disturb the TSA.

Maybe someone encountered this error message and can provide some help?

Would be very much appreciated.

Best regards,

Marc

Re: Terminal Services Agent allocates ports outside the defined port range

Remo — Fri, 14 Aug 2020 16:30:55 GMT

Hi @Marc.Luecke

What OS version do you have and what TSA version do you use? At the time when this happens, did you check the allocated ports for this user? Did he maybe reach the 200 ports? How many users are connected to that server? Did you verify if the connection on this port really is from that user that tries to download something he should not be allowed?

Re: Terminal Services Agent allocates ports outside the defined port range

Marc.Luecke — Tue, 18 Aug 2020 09:15:07 GMT

Hi Vsys_remo:

thanks for your reply.

I will try to answer your questions:

What OS version do you have and what TSA version do you use?

- The Terminal Server Agent is running on a Windows Server 2016 in Version 8.1.13-5.

At the time when this happens, did you check the allocated ports for this user?

- No port allocations Error are shown in the TSA Debug log, so I guess that is not the problem

Did he maybe reach the 200 ports?

- Does not seem like that

How many users are connected to that server?

8 - 10 Users

Did you verify if the connection on this port really is from that user that tries to download something he should not be allowed?

- Yes, it's verified through the logs

I hope you can maybe help with that problem?

Best regards,

Marc

Re: Terminal Services Agent allocates ports outside the defined port range

Chacko42 — Tue, 18 Aug 2020 16:25:20 GMT

If you don't want the users to fail to a high-port out of range, when the pool is used up, you can enable the check box "fail port binding when available ports are used up"

Re: Terminal Services Agent allocates ports outside the defined port range

Marc.Luecke — Thu, 20 Aug 2020 13:03:41 GMT

Hi Chacko42,

unfortunately, setting the mentioned option does not change the issue.

But thank you for your comment!!

Maybe there are additional options to check?

Best regards,

Marc

Re: Terminal Services Agent allocates ports outside the defined port range

WAN-Support — Mon, 23 Aug 2021 05:00:57 GMT

Hi Marc.Luecke,

Have you had this issue resolved. I am experiencing the same issue through Windows Virtual Desktop in Azure. The TS Agent is intermittently allocating out of range ports to users. Thanks

Best Regards,

Tanny

Re: Terminal Services Agent allocates ports outside the defined port range

Remo — Tue, 24 Aug 2021 20:07:23 GMT

Hi @Marc.Luecke

Does this problem happen often/constantly?

Even if your TSA version is still supported I would try it with one of the current version (directly version 10.1).

Re: Terminal Services Agent allocates ports outside the defined port range

AndreasTrautmann — Wed, 08 Sep 2021 09:16:42 GMT

Hi @WAN-Support and everyone

I have the same problem on azure AVDs. Have you been able to resolve it?

For some connections the TSA sets the correct source ports (i.e. 20001) but for many it does not (i.e. 57024). So the mapping fails.

Interestingly it seems like HTTP-connections work and SMB ones don't.

I use TSA version 10.0.3
Any ideas?

Best Regards
Andi

Re: Terminal Services Agent allocates ports outside the defined port range

AndreasTrautmann — Mon, 20 Sep 2021 14:19:36 GMT

Kind of strange to reply to ones own post, but there is a little update:

I found other articles about the SMB problematic. It seems a known "issue", that the TS-agent is unable to map all outgoing connections. Some happen at system-level, where the ts-agent cannot intervene. SMB is one of these cases:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkCCAS

Still even when leaving out SMB we have the problem that the ts-agent intermittently does not work (i.e. with SSL-Connections). For a while it does the source-port-mappings as configured (i.e. src-port 20xyz) and then it stops and we get src-ports 57xyz and our policies don't work anymore.
Restarting the machine or Service resolves the issue for a while, but not persistently.

Any ideas what this could be?

thanks, best regards

Andi

Re: Terminal Services Agent allocates ports outside the defined port range

robert.holmes — Fri, 29 Mar 2024 14:56:33 GMT

Was this ever resolved in later versions of the TS Client or PanOS?

Re: Terminal Services Agent allocates ports outside the defined port range

cenders — Tue, 12 Nov 2024 18:34:20 GMT

I too am noticing this problem... latest TS agent, 11.0.1.104