
Terminal Services Agent allocates ports outside the defined port range


L2 Linker

Hi,

 

I have the problem that the Terminal Services Agent sometimes allocates ports to users that are out of their port range.

That leads to the usage of wrong security policies.

 

For example, for one user I configured 22800-22999 as the port range.

That user is not allowed to download certain files.

Now sometimes the user gets port 58729 allocated and so the session is not matched to that user, a wrong policy gets to work and the download is possible although it should be denied.

 

The TSA debug log is almost just filled with this error message:

 

[Error 966]: GetDriverLog3: Device control get drvier log3 fails: 57!!!!
[Error 966]: GetDriverLog3: Device control get drvier log3 fails: 57!!!!
[Error 966]: GetDriverLog3: Device control get drvier log3 fails: 57!!!!
[Error 966]: GetDriverLog3: Device control get drvier log3 fails: 57!!!!

 

There is no other application in use that could disturb the TSA.

 

Maybe someone encountered this error message and can provide some help?

Would be very much appreciated.

 

Best regards,

Marc

 


L7 Applicator

Hi @Marc.Luecke 

What OS version do you have and what TSA version do you use? At the time when this happens, did you check the allocated ports for this user? Did he maybe reach the 200 ports? How many users are connected to that server? Did you verify if the connection on this port really is from that user that tries to download something he should not be allowed?

Hi Vsys_remo:

 

thanks for your reply.

 

I will try to answer your questions:

 

What OS version do you have and what TSA version do you use?

- The Terminal Server Agent is running on a Windows Server 2016 in Version 8.1.13-5.

 

At the time when this happens, did you check the allocated ports for this user?

- No port allocation errors are shown in the TSA debug log, so I guess that is not the problem

 

Did he maybe reach the 200 ports?

- Does not seem like that

 

How many users are connected to that server?

- 8-10 users

 

Did you verify if the connection on this port really is from that user that tries to download something he should not be allowed?

- Yes, it's verified through the logs

 

I hope you can maybe help with that problem?

 

Best regards,

Marc

 

L4 Transporter

If you don't want the users to fail over to a high port out of range when the pool is used up, you can enable the check box "fail port binding when available ports are used up".

Best Regards
Chacko

Hi Chacko42,

 

unfortunately, setting the mentioned option does not change the issue.

 

But thank you for your comment!!

Maybe there are additional options to check?

 

Best regards,

Marc

L0 Member

Hi Marc.Luecke,

 

Have you had this issue resolved? I am experiencing the same issue through Windows Virtual Desktop in Azure. The TS Agent is intermittently allocating out-of-range ports to users. Thanks

 

Best Regards,

Tanny

Hi @Marc.Luecke 

Does this problem happen often/constantly?

Even if your TSA version is still supported, I would try it with one of the current versions (directly version 10.1).

L1 Bithead

Hi @WAN-Support and everyone,


I have the same problem on azure AVDs. Have you been able to resolve it?

For some connections the TSA sets the correct source ports (e.g. 20001) but for many it does not (e.g. 57024). So the mapping fails.

Interestingly it seems like HTTP-connections work and SMB ones don't.

 

I use TSA version 10.0.3
Any ideas?

 

Best Regards
Andi

L1 Bithead

Kind of strange to reply to one's own post, but there is a little update:

I found other articles about the SMB problem. It seems to be a known "issue" that the TS agent is unable to map all outgoing connections. Some happen at system level, where the TS agent cannot intervene. SMB is one of these cases:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkCCAS

 

Still, even when leaving out SMB, we have the problem that the TS agent intermittently does not work (e.g. with SSL connections). For a while it does the source-port mappings as configured (e.g. src-port 20xyz) and then it stops and we get src-ports 57xyz and our policies don't work anymore.
Restarting the machine or service resolves the issue for a while, but not persistently.

 

Any ideas what this could be?

 

thanks, best regards

Andi

Was this ever resolved in later versions of the TS Client or PAN-OS?

L3 Networker

I too am noticing this problem... latest TS agent, 11.0.1.104
