Windows Updates across a Site to Site VPN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Windows Updates across a Site to Site VPN

L2 Linker

I have a WSUS server.  I have a Site to Site VPN from a PA-3020 at a hosting facility to a Cisco ASA on my corporate network.  The PA-3020 is running 7.1.4.  When I try to run updates from the servers in the hosting facility, it shows as ms-update in the Traffic Log.  The Session End Reason is “tcp-rst-from-server”.  I am allowing all traffic on the tunnel and can web browse at port 80 and ping the WSUS server.

 

Is there something else I need to do to allow Windows Updates across the tunnel?

7 REPLIES 7

L6 Presenter

Hi,

 

Logs suggests that the server is reseting the connection. Session is created so no problem here. PCAP might help a bit. Any deny logs?

 

Thx,

Myky

I am not getting any denies.

Hi,

 

Did it ever work? Any threat profiles applied to the policy?ms-updates  depends on ssl but as you said you allowing any traffic so that is should not be an issue. Even more sssion is created. Clearly the server sent a TCP reset to the client but why ....

 

Thx,

Myky

I'm with @TranceforLife, I don't think your issue is going to be the firewall here, it would more likely be something on the actual server that is blocking the traffic. Can you verify that traffic is allowed on the WSUS server and it isn't being stopped there.

I added a binding to the default web page for 8020.  I can browse the server locally on that port, but get the same error trying to browse from a workstation on the remote network.  I can browse the WSUS server on port 80 from the remote network.  I can ping it as well.  I have not setup any threat profiles yet.  I am going to install wireshark on the WSUS server.

L2 Linker

I have not installed Wireshark yet.  I did stop the default website and bind port 80 to the WSUS site.  I was able to coonect to the WSUS server on port 80 from the remote servers.  I do not know why it does not work on 8530 yet.

Any chance that the WSUS server is using ports seen as https and that you have decryption configured?  I've had interesting issues with Windows Updates and decrytion in the past, both internally and external.  


Also if you're using applciation-default in your ruleset, make sure that the ports are matching up to whats in the app-id that it's being identified as on the Palo Alto side. 


Just some thoughts... 

 

  • 3729 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!