Constant AWS VPN connection issues with WSS Agent even after bypassing VPN URL from WSS

Article ID: 233604

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

WSS Agent running on Windows, along with an AWS VPN client

AWS VPN server domain bypassed from WSS using AWS VPN domain bypass

Users have no problems connecting but cannot stay connected for more than 60 minutes

Users see the VPN client disconnect from the AWS VPN server after 30 to 60 minutes

VPN logs reported the following errors:

           (T1112)Info (1042): 04/12/21 21:27:05:502 --Too many outstanding keepalive and no response from GP gateway, disconnect tunnel
           (T1112)Info ( 534): 04/12/21 21:27:05:502 VPN timeout due to keepalive, get out of ProcMonitor
           (T9904)Info (4653): 04/04/21 20:27:06:956 ConnectSSL: Failed to connect to '208.127.214.103:443'
           (T9904)Info (4689): 04/04/21 20:27:06:957 ConnectSSL(FALSE) failed

Environment

WSS Agent on Windows

AWS VPN client on same host connecting to AWS VPN server

Cause

The DNS TTL for the bypassed domain expired, so the agent removed the resolved VPN server IP address from its bypass list and sent the VPN traffic into the WSS tunnel

Resolution

Add a WSS application-level bypass for the AWS VPN client (available in WSS Agent 7.3.x)

An IP address bypass would have been the preferred option, but the range of AWS VPN server IP addresses is too large to enumerate. A DNS (domain) bypass was used instead, which led to the issue described here.

Additional Information

- Confirmed from PCAP that traffic bypassed WSS

- Identified the VPN server IP address 

- Filtering traffic on this IP address, we can see an OpenVPN tunnel to the destination, whose SSL certificate matches the customer

- We can clearly see data exchanged in both directions up to a certain point, after which we only see requests from the VPN server to the client and no response at all from the client side, as shown below.

- From the WSS Agent logs support has access to, we can see a change in the DNS bypass status at that time. Once the agent removed the IP address from the bypass list on TTL expiry, the inbound traffic from the VPN server was rejected and the outbound traffic was sent into the WSS tunnel, causing the disconnect.

krn  dns.cpp                              830  IsBypassed                              00002F2C 000058FC 2  01/14/2022-18:40:19.8625806 Debug    Found bypassed IP 54.80.x.x
krn  app-driver_win.cpp                   3146 OutboundIPPacketClassify                00002F2C 000058FC 2  01/14/2022-18:40:19.8625808 Debug    passthru 54.80.x.x due to domain bypass
krn  dns.cpp                              1271 IsExpired                               00002F2C 000058FC 8  01/14/2022-18:40:20.1253883 Debug    Deleting expired DNS Bypass IP 54.80.x.x
krn  dns.cpp                              1271 IsExpired                               00002F2C 000058FC 8  01/14/2022-18:40:20.1253886 Debug    Deleting expired DNS Bypass IP 54.80.x.x
krn  app-driver_win.cpp                   3239 OutboundIPPacketClassify                00002F2C 000058FC 8  01/14/2022-18:40:20.1253901 Debug    Found UDP packet, route = 192.168.86.26:57821 -> 54.80.x.x:443
krn  app-driver_win.cpp                   3239 OutboundIPPacketClassify                00002F2C 000058FC 8  01/14/2022-18:40:20.1569829 Debug    Found UDP packet, route = 192.168.86.26:57821 -> 54.80.x.x:443
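As a check that the cause above can be confirmed from the agent's kernel log, here is an added Python example (not Broadcom's code) that scans lines in the format shown and reports each IP whose DNS bypass entry was deleted on expiry and was then the destination of outbound packets with no further bypass hit. The sample lines are constructed to mirror the excerpt above, and treating such packets as sent into the tunnel follows this article's description rather than a documented log semantic.

```python
import re
from datetime import datetime

# Constructed sample in the WSS Agent kernel-log format shown in this article
# (IP masked as 54.80.x.x exactly as in the article's excerpt).
SAMPLE_LOG = """\
krn  dns.cpp            830  IsBypassed               00002F2C 000058FC 2  01/14/2022-18:40:19.8625806 Debug    Found bypassed IP 54.80.x.x
krn  app-driver_win.cpp 3146 OutboundIPPacketClassify 00002F2C 000058FC 2  01/14/2022-18:40:19.8625808 Debug    passthru 54.80.x.x due to domain bypass
krn  dns.cpp            1271 IsExpired                00002F2C 000058FC 8  01/14/2022-18:40:20.1253883 Debug    Deleting expired DNS Bypass IP 54.80.x.x
krn  app-driver_win.cpp 3239 OutboundIPPacketClassify 00002F2C 000058FC 8  01/14/2022-18:40:20.1253901 Debug    Found UDP packet, route = 192.168.86.26:57821 -> 54.80.x.x:443
krn  app-driver_win.cpp 3239 OutboundIPPacketClassify 00002F2C 000058FC 8  01/14/2022-18:40:20.1569829 Debug    Found UDP packet, route = 192.168.86.26:57821 -> 54.80.x.x:443
"""

# component, source file, line, function, two hex ids, a counter, timestamp, level, message
LINE_RE = re.compile(r"^\S+\s+\S+\s+\d+\s+(?P<func>\S+)\s+[0-9A-Fa-f]{8}\s+[0-9A-Fa-f]{8}\s+\d+\s+"
                     r"(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<msg>.*)$")
BYPASSED_RE = re.compile(r"Found bypassed IP (\S+)")
EXPIRED_RE = re.compile(r"Deleting expired DNS Bypass IP (\S+)")
ROUTE_RE = re.compile(r"route = \S+ -> (\S+):\d+")

def parse_ts(s):
    """Timestamps carry 7 fractional digits; keep the first 6 as microseconds."""
    head, frac = s.split(".")
    return datetime.strptime(head, "%m/%d/%Y-%H:%M:%S").replace(microsecond=int(frac[:6]))

def find_tunneled_after_expiry(log_text):
    """Return (ip, expired_at, first_packet_at, gap_seconds) for every IP whose DNS bypass
    entry expired and that then appears as an outbound destination without being re-bypassed.
    Packets to such an IP are no longer passed through, so they go into the WSS tunnel."""
    expired = {}    # ip -> time its bypass entry was deleted (and not re-added since)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if (e := EXPIRED_RE.search(msg)):
            expired.setdefault(e.group(1), ts)
        elif (b := BYPASSED_RE.search(msg)):
            expired.pop(b.group(1), None)        # bypass re-established, no longer at risk
        elif (r := ROUTE_RE.search(msg)) and r.group(1) in expired:
            ip = r.group(1)
            gone = expired.pop(ip)               # report only the first packet after expiry
            findings.append((ip, gone, ts, (ts - gone).total_seconds()))
    return findings

if __name__ == "__main__":
    for ip, gone, first, gap in find_tunneled_after_expiry(SAMPLE_LOG):
        print(f"{ip}: bypass expired {gone.isoformat()}, tunneled traffic {gap:.6f}s later")
```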