Constant AWS VPN connection issues with WSS Agent even after bypassing VPN URL from WSS
Article ID: 233604

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

  • WSS Agent running on Windows, along with an AWS VPN client
  • AWS VPN server domain bypassed from WSS using AWS VPN domain bypass
  • Users have no problems connecting but cannot stay connected for more than 60 minutes
  • Users see the VPN client disconnect from the AWS VPN server after 30 to 60 minutes

VPN logs report the following errors:

(T1112)Info (1042): 04/12/21 21:27:05:502 --Too many outstanding keepalive and no response from GP gateway, disconnect tunnel
(T1112)Info ( 534): 04/12/21 21:27:05:502 VPN timeout due to keepalive, get out of ProcMonitor
(T9904)Info (4653): 04/04/21 20:27:06:956 ConnectSSL: Failed to connect to '###.###.####.##:443'
(T9904)Info (4689): 04/04/21 20:27:06:957 ConnectSSL(FALSE) failed

Environment

  • WSS Agent on Windows
  • AWS VPN client on same host connecting to AWS VPN server

Cause

The DNS TTL for the bypassed domain expired, so the agent dropped the cached bypass entry for the VPN server IP address and sent the still-active VPN traffic into the WSS tunnel.

Resolution

Add a WSS application-level bypass for the AWS VPN client (available in WSS Agent 7.3.x).

IP address bypass is the preferred approach, but the range of AWS VPN server IP addresses may be too large to list, as in this example. In that case, be aware that relying on DNS (domain) bypass can cause the disconnects described here.

Additional Information

  • Confirm from a PCAP that traffic bypasses WSS
  • Identify the VPN server IP address
  • Filtering traffic on this IP address, you can see an OpenVPN tunnel to the destination, whose SSL cert matches yours.
  • You can clearly see data exchanged in both directions up to a certain point, after which you only see requests from the VPN server to the client and no response at all from the client side, as shown below.
  • From the WSS Agent logs support has access to, you can see a change in the DNS bypass status at the same time. Once the expired IP address is removed from the bypass list, the inbound traffic from the VPN server is rejected and the outbound traffic is sent into the tunnel, causing the disconnect.

krn  dns.cpp                              830  IsBypassed                              00002F2C 000058FC 2  01/14/2022-18:40:19.8625806 Debug    Found bypassed IP 54.80.#.#
krn  app-driver_win.cpp                   3146 OutboundIPPacketClassify                00002F2C 000058FC 2  01/14/2022-18:40:19.8625808 Debug    passthru 54.80.#.# due to domain bypass
krn  dns.cpp                              1271 IsExpired                               00002F2C 000058FC 8  01/14/2022-18:40:20.1253883 Debug    Deleting expired DNS Bypass IP 54.80.#.#
krn  dns.cpp                              1271 IsExpired                               00002F2C 000058FC 8  01/14/2022-18:40:20.1253886 Debug    Deleting expired DNS Bypass IP 54.80.#.#
krn  app-driver_win.cpp                   3239 OutboundIPPacketClassify                00002F2C 000058FC 8  01/14/2022-18:40:20.1253901 Debug    Found UDP packet, route = 192.168.86.26:57821 -> 54.80.#.#:443
krn  app-driver_win.cpp                   3239 OutboundIPPacketClassify                00002F2C 000058FC 8  01/14/2022-18:40:20.1569829 Debug    Found UDP packet, route = 192.168.86.26:57821 -> 54.80.#.#:443
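As an added example (not part of this article or of the WSS Agent product), the following Python script scans WSS Agent log lines for the sequence shown above: a destination IP that was passed through by domain bypass, whose DNS bypass entry then expired, followed by outbound UDP packets to that IP within the next minute. The sample log is constructed from the article's excerpt, with the masked address replaced by the documentation address 192.0.2.10; the column spacing is assumed to be whitespace-separated.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the WSS Agent log excerpt in this article; the masked
# "54.80.#.#" address is replaced with the documentation address 192.0.2.10.
SAMPLE_LOG = """\
krn  dns.cpp             830  IsBypassed               00002F2C 000058FC 2  01/14/2022-18:40:19.8625806 Debug    Found bypassed IP 192.0.2.10
krn  app-driver_win.cpp  3146 OutboundIPPacketClassify 00002F2C 000058FC 2  01/14/2022-18:40:19.8625808 Debug    passthru 192.0.2.10 due to domain bypass
krn  dns.cpp             1271 IsExpired                00002F2C 000058FC 8  01/14/2022-18:40:20.1253883 Debug    Deleting expired DNS Bypass IP 192.0.2.10
krn  app-driver_win.cpp  3239 OutboundIPPacketClassify 00002F2C 000058FC 8  01/14/2022-18:40:20.1253901 Debug    Found UDP packet, route = 192.168.86.26:57821 -> 192.0.2.10:443
krn  app-driver_win.cpp  3239 OutboundIPPacketClassify 00002F2C 000058FC 8  01/14/2022-18:40:20.1569829 Debug    Found UDP packet, route = 192.168.86.26:57821 -> 192.0.2.10:443
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
TS_RE = re.compile(r"(\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2})\.(\d+)")
PASSTHRU_RE = re.compile(rf"passthru ({IP}) due to domain bypass")
EXPIRED_RE = re.compile(rf"Deleting expired DNS Bypass IP ({IP})")
ROUTE_RE = re.compile(rf"Found UDP packet, route = {IP}:\d+ -> ({IP}):\d+")


def parse_ts(line):
    """Return the line's timestamp; the agent logs 7 fractional digits, strptime takes 6."""
    m = TS_RE.search(line)
    base = datetime.strptime(m.group(1), "%m/%d/%Y-%H:%M:%S")
    return base + timedelta(microseconds=int(m.group(2)[:6].ljust(6, "0")))


def find_expired_bypass_leaks(log_text, window=timedelta(seconds=60)):
    """Flag destination IPs that were passed through by domain bypass, had the entry
    expire, and then had outbound packets classified within `window` of the expiry
    (the traffic the article describes as being sent into the WSS tunnel)."""
    bypassed, expired_at, findings = set(), {}, {}
    for line in log_text.splitlines():
        if m := PASSTHRU_RE.search(line):
            bypassed.add(m.group(1))
        elif m := EXPIRED_RE.search(line):
            expired_at[m.group(1)] = parse_ts(line)
        elif m := ROUTE_RE.search(line):
            ip, ts = m.group(1), parse_ts(line)
            if ip in expired_at and timedelta(0) <= ts - expired_at[ip] <= window:
                f = findings.setdefault(ip, {"ip": ip, "previously_bypassed": ip in bypassed,
                                             "expired_at": expired_at[ip], "tunneled_packets": 0})
                f["tunneled_packets"] += 1
    return list(findings.values())


if __name__ == "__main__":
    for f in find_expired_bypass_leaks(SAMPLE_LOG):
        print(f"{f['ip']}: bypass expired at {f['expired_at']}, "
              f"{f['tunneled_packets']} packet(s) classified afterwards")
```

A finding whose `previously_bypassed` flag is set and whose expiry lines up with the VPN client's keepalive failures is the signature of this cause; a large exported log can be fed to `find_expired_bypass_leaks` as a whole string.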