08-14-2020 06:58 AM
Hi,
I have the problem that the Terminal Services Agent sometimes allocates ports to users that are out of their port range.
That leads to the usage of wrong security policies.
For example for one user I configured 22800-22999 as the port range.
That user is not allowed to download certain files.
Now sometimes the user gets port 58729 allocated and so the session is not matched to that user, a wrong policy gets to work and the download is possible although it should be denied.
The TSA debug log is almost just filled with this error message:
[Error 966]: GetDriverLog3: Device control get drvier log3 fails: 57!!!!
[Error 966]: GetDriverLog3: Device control get drvier log3 fails: 57!!!!
[Error 966]: GetDriverLog3: Device control get drvier log3 fails: 57!!!!
[Error 966]: GetDriverLog3: Device control get drvier log3 fails: 57!!!!
There is no other application in use that could disturb the TSA.
Maybe someone encountered this error message and can provide some help?
Would be very much appreciated.
Best regards,
Marc
08-14-2020 09:30 AM
Hi @Marc.Luecke
What OS version do you have and what TSA version do you use? At the time when this happens, did you check the allocated ports for this user? Did he maybe reach the 200 ports? How many users are connected to that server? Did you verify if the connection on this port really is from that user that tries to download something he should not be allowed?
08-18-2020 02:15 AM
Hi Vsys_remo:
thanks for your reply.
I will try to answer your questions:
What OS version do you have and what TSA version do you use?
- The Terminal Server Agent is running on a Windows Server 2016 in Version 8.1.13-5.
At the time when this happens, did you check the allocated ports for this user?
- No port allocation errors are shown in the TSA debug log, so I guess that is not the problem
Did he maybe reach the 200 ports?
- Does not seem like that
How many users are connected to that server?
8 - 10 Users
Did you verify if the connection on this port really is from that user that tries to download something he should not be allowed?
- Yes, it's verified through the logs
I hope you can maybe help with that problem?
Best regards,
Marc
08-18-2020 09:25 AM
If you don't want the users to fail to a high-port out of range, when the pool is used up, you can enable the check box "fail port binding when available ports are used up"
08-20-2020 06:03 AM
Hi Chacko42,
unfortunately, setting the mentioned option does not change the issue.
But thank you for your comment!!
Maybe there are additional options to check?
Best regards,
Marc
08-22-2021 10:00 PM
Hi Marc.Luecke,
Have you had this issue resolved? I am experiencing the same issue through Windows Virtual Desktop in Azure. The TS Agent is intermittently allocating out of range ports to users. Thanks
Best Regards,
Tanny
08-24-2021 01:07 PM
Hi @Marc.Luecke
Does this problem happen often/constantly?
Even if your TSA version is still supported I would try it with one of the current versions (directly version 10.1).
09-08-2021 02:16 AM
Hi @WAN-Support and everyone
I have the same problem on Azure AVDs. Have you been able to resolve it?
For some connections the TSA sets the correct source ports (i.e. 20001) but for many it does not (i.e. 57024). So the mapping fails.
Interestingly it seems like HTTP-connections work and SMB ones don't.
I use TSA version 10.0.3
Any ideas?
Best Regards
Andi
09-20-2021 07:19 AM
Kind of strange to reply to one's own post, but there is a little update:
I found other articles about the SMB problem. It seems to be a known "issue" that the TS-agent is unable to map all outgoing connections. Some happen at system-level, where the ts-agent cannot intervene. SMB is one of these cases:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkCCAS
Still even when leaving out SMB we have the problem that the ts-agent intermittently does not work (i.e. with SSL-Connections). For a while it does the source-port-mappings as configured (i.e. src-port 20xyz) and then it stops and we get src-ports 57xyz and our policies don't work anymore.
Restarting the machine or Service resolves the issue for a while, but not persistently.
Any ideas what this could be?
thanks, best regards
Andi
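Added example, not part of any post in this thread: a small check that measures how often sessions leave the terminal server with a source port outside the user's configured range, and which destination ports are affected. The user names, the second port range, the CSV column names and the log rows are constructed for illustration, and the `user` column is assumed to come from a source independent of the firewall's user mapping (for example session data on the terminal server).

```python
import csv
import io
from collections import Counter

# Constructed sample: per-user source-port ranges as configured in the agent.
# 22800-22999 is the range quoted in the thread; the rest is hypothetical.
USER_PORT_RANGES = {
    "userA": (22800, 22999),
    "userB": (20000, 20199),
}

# Constructed sample of outbound connections from the terminal server.
# Column names are assumptions for this example, not a vendor log format.
SAMPLE_LOG = """\
time,user,src_port,dst_port
2021-09-08T10:00:01,userA,22801,443
2021-09-08T10:00:05,userA,58729,443
2021-09-08T10:00:09,userB,20001,80
2021-09-08T10:00:12,userB,57024,445
2021-09-08T10:00:15,userB,57311,443
"""

def find_out_of_range(log_text, ranges):
    """Return rows whose source port is outside the user's configured range."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["user"]
        port = int(row["src_port"])
        if user not in ranges:
            continue  # no range known for this user, nothing to compare
        low, high = ranges[user]
        if not low <= port <= high:
            findings.append({**row, "src_port": port, "expected": f"{low}-{high}"})
    return findings

def summarize_by_dst_port(findings):
    """Count out-of-range connections per destination port (445 is SMB)."""
    return Counter(int(f["dst_port"]) for f in findings)

if __name__ == "__main__":
    hits = find_out_of_range(SAMPLE_LOG, USER_PORT_RANGES)
    for h in hits:
        print(f'{h["time"]} {h["user"]} src={h["src_port"]} '
              f'expected={h["expected"]} dst={h["dst_port"]}')
    print(dict(summarize_by_dst_port(hits)))
```

Grouping the hits by destination port separates the SMB case described above from out-of-range ports on other traffic such as SSL, which is the part that remains unexplained in the thread.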
03-29-2024 07:56 AM
Was this ever resolved in later versions of the TS Client or PanOS?
11-12-2024 10:34 AM
I too am noticing this problem... latest TS agent, 11.0.1.104