WSS Agent causes Microsoft Direct Access disconnections


Article ID: 207070


Products

Web Security Service - WSS

Issue/Introduction

During initial tests for migrating Unified Agent (UA) users to WSS Agent (WSSA), it was noticed that the VPN connection to Microsoft Direct Access servers over IPv6 became unstable when using WSSA.

Everything worked well in the same setup using Unified Agent.

When the problem occurs, establishing a connection to the Microsoft Direct Access server takes more than 10 minutes when successful, and the connection keeps disconnecting.

Environment

Impacted WSSA versions: 6.x and 7.x

Resolution

The temporary workaround is to install WSS Agent v5.1.1, which is due to reach end of support on 7/28/2021.

Additional Information

WSSA version 5.1.1 has some known issues that were fixed in later releases.

Below are the top 5 well-known issues in version 5.1.1, with their proposed workarounds:

  • Uninstalling WSS Agent v5.1.1 does not prompt for the uninstall token on Windows 10 1903
    • Workaround: uninstall from the command line if you are using an uninstall token
    • Not applicable to UA (Unified Agent always requires the uninstall token to be provided on the command line)
  • WSS Agent notifier hanging when diagnostics logs are large
    • Workaround: delete the large diagnostic log from C:\ProgramData\Symantec WSS Agent\wss-agent-*.log
    • The agent continues to function; only the UI component freezes
    • The component will eventually load
  • Domain Bypass is case-sensitive
    • Workaround: ensure all domain bypasses are entered in lower case in the portal.
    • Issue also exists in UA
  • QUIC not blocked after initial install
    • Workaround: reboot once after installing Windows if you are blocking QUIC/HTTP3 in the portal
    • Issue also exists in Unified Agent, but in UA a reboot is required after install.
    • If you are not blocking QUIC/HTTP3 in the portal, then this issue does not occur.
  • Need to click "Reconnect" twice to switch from passive network
    • Workaround: manually click "Reconnect" if network location detection is incorrect
    • This is an infrequently occurring timing issue which also exists in UA

For more information about the WSSA versions that follow version 5.1.1, refer to the WSSA Release Notes.