Anydesk connection frequently disconnected when WSS Agent enabled.

Article ID: 271697

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

The Anydesk application (a simple executable without any installation requirements) is used by users to connect to remote machines, and to develop scripts on these remote machines (providing service).

Some users running WSS Agent with an active Anydesk connection will be randomly disconnected within a few minutes when the WSS Agent is enabled, and always when trying to upload scripts to remote hosts.

Other users are running the same application without issues on a WSS Agent host.

Users will see a "connection closed: internet connection closed unexpectedly" error message reported in the Anydesk application when the problem happens.

When the WSS Agent is disabled, the connection works all the time.

Environment

Anydesk.exe application.

WSS Agent installed with MCU=1.

Cloud SWG.

Cause

The Anydesk application switches between using a system process and a user process.

Resolution

Install WSS Agent with MCU=0.

Additional Information

After grabbing Symdiag, we could see that requests from anydesk.exe are going to two separate IP addresses - ip.addr==5.#.#.# or ip.addr==203.#.#.#. These are public IP addresses that are used by the Application.

If we look at the PCAP snippet below, we can see that all appears to work fine for 1 min 22 secs and then in packet 1359 below, the client ACKs the data sent down from the server but using a different client IP address! Everything up to that time came from 10.236.136.179, but in packet 1359 it uses 10.245.5.241.

From the WSS Agent logs below, we can see that these 2 IP addresses come from the WSS Agent side:

- One comes from the non-interactive-user System tunnel and
- one from the user tunnel.

What is happening is that the Application (Anydesk) is switching accounts (system or user) based on the traffic that is being sent. Although we have no control over the Application, we can fix this issue on the WSS Agent side by installing with the MCU=0 parameter (default setup). With MCU=0, we will only have one tunnel into WSS and both user and system traffic will be sent across this tunnel.

[07-06-2023 11:47:32 (UTC+8:00)]: CA Tunnel#1405(non-interactive-user): connecting to 168.149.155.170
[07-06-2023 11:47:32 (UTC+8:00)]: CA Tunnel#1405(non-interactive-user): status:SUCCESS-authorized
[07-06-2023 11:47:32 (UTC+8:00)]: Tunnel#1405(non-interactive-user) connected to concentrator: 168.149.155.170(GTWTA-UDP), Nat IP: 10.245.5.241, RcvBuf: 2097152
[07-06-2023 11:47:32 (UTC+8:00)]: Connection to WSS successful
[07-06-2023 11:47:32 (UTC+8:00)]: CA Tunnel#1406(ATRAPA\sabliao): connecting to 168.149.155.170
[07-06-2023 11:47:32 (UTC+8:00)]: Tunnel#1406(BCOM\user1) connected to concentrator: 168.149.155.170(GTWTA-UDP), Nat IP: 10.236.136.179, RcvBuf: 2097152
[07-06-2023 11:47:33 (UTC+8:00)]: WSS Channel connecting - Tunnel#1406(BCOM\user1)[193]

Looking at the WSS Agent debug logs, the Anydesk query does not seem to come from a known process and, as a result, the Agent is sending it out the System tunnel.

wss  cdq-component.cpp                    2305 StreamIdConverter                       00001998 00001BE8 6  07/06/2023-03:50:15.8908656 Info     Non-CDQ address:port seen, 203.#.#.#:80
wss  wss-connection-manager.cpp           485  SendPacket                              00001998 00001BE8 6  07/06/2023-03:50:15.8908701 Info     Sending TCP packet to a tunnel, source: 0x192.168.43.55:49254
wss  wss-connection-manager.cpp           514  SendPacket                              00001998 00001BE8 6  07/06/2023-03:50:15.8908711 Info     Checking for Service stream going to 192.168.43.55:49254
wss  identity-cache.cpp                   112  GetProcInfo                             00001998 00001BE8 6  07/06/2023-03:50:15.8908745 Err      Process information was not found for 192.168.43.55:49254
wss  identity-cache.cpp                   226  GetUserInfo                             00001998 00001BE8 6  07/06/2023-03:50:15.8908754 Warn     Couldn't find process info for 192.168.43.55:49254
wss  identity-cache.cpp                   112  GetProcInfo                             00001998 00001BE8 6  07/06/2023-03:50:15.8908770 Err      Process information was not found for 192.168.43.55:49254
wss  wss-connection-manager.cpp           573  SendPacket                              00001998 00001BE8 6  07/06/2023-03:50:15.8908793 Info     Unable to locate user info, sending 192.168.43.55:49254 from process: UNKNOWN via default tunnel
wss  packet-natter.cpp                    51   NatIdOutboundTcp                        00001998 00001BE8 6  07/06/2023-03:50:15.8908949 Info     NATting outbound TCP coming from port 49254
utl  protocol-analysis.cpp                331  CalcChecksumWithOffset                  00001998 00001BE8 6  07/06/2023-03:50:15.8908965 Info     TCP/UDP checksum of even packet size: 20
wss  packet-natter.cpp                    196  NatOutgoingPacket                       00001998 00001BE8 6  07/06/2023-03:50:15.8908985 Info     NAT: 192.168.43.55:49254->203.#.#.#:80 -to- 10.245.5.241:49254, 203.#.#.#:80
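
The correlation described above can be checked mechanically against collected logs. The following is an added example, not Broadcom tooling or part of the original article: it maps each tunnel's NAT IP from the agent log, then lists flows that the debug log shows were sent from an UNKNOWN process and NATed onto the non-interactive-user tunnel. The function names are hypothetical, and the sample lines are copied from the excerpts in this article with column padding collapsed.

```python
import re

# Sample lines copied from the log excerpts in this article (padding collapsed).
AGENT_LOG = r"""
[07-06-2023 11:47:32 (UTC+8:00)]: Tunnel#1405(non-interactive-user) connected to concentrator: 168.149.155.170(GTWTA-UDP), Nat IP: 10.245.5.241, RcvBuf: 2097152
[07-06-2023 11:47:32 (UTC+8:00)]: Tunnel#1406(BCOM\user1) connected to concentrator: 168.149.155.170(GTWTA-UDP), Nat IP: 10.236.136.179, RcvBuf: 2097152
"""
DEBUG_LOG = r"""
wss wss-connection-manager.cpp 573 SendPacket 00001998 00001BE8 6 07/06/2023-03:50:15.8908793 Info Unable to locate user info, sending 192.168.43.55:49254 from process: UNKNOWN via default tunnel
wss packet-natter.cpp 196 NatOutgoingPacket 00001998 00001BE8 6 07/06/2023-03:50:15.8908985 Info NAT: 192.168.43.55:49254->203.#.#.#:80 -to- 10.245.5.241:49254, 203.#.#.#:80
"""

TUNNEL_RE = re.compile(
    r"Tunnel#(\d+)\((.+?)\) connected to concentrator: \S+, Nat IP: ([\d.]+)")
UNKNOWN_RE = re.compile(r"sending (\S+) from process: UNKNOWN via default tunnel")
NAT_RE = re.compile(r"NAT: (\S+)->(\S+) -to- ([\d.]+):\d+")


def tunnels(agent_log):
    """Map each tunnel's NAT IP to (tunnel id, identity shown in the log)."""
    return {m[3]: (m[1], m[2]) for m in TUNNEL_RE.finditer(agent_log)}


def misrouted_flows(agent_log, debug_log):
    """Flows with no process info that were NATed onto the system tunnel."""
    by_nat = tunnels(agent_log)
    unknown = set(UNKNOWN_RE.findall(debug_log))
    hits = []
    for src, dst, nat_ip in NAT_RE.findall(debug_log):
        tunnel_id, identity = by_nat.get(nat_ip, (None, None))
        # "non-interactive-user" is the label the agent log gives the system tunnel.
        if src in unknown and identity == "non-interactive-user":
            hits.append({"src": src, "dst": dst,
                         "nat_ip": nat_ip, "tunnel": tunnel_id})
    return hits


if __name__ == "__main__":
    print("Tunnels by NAT IP:", tunnels(AGENT_LOG))
    for flow in misrouted_flows(AGENT_LOG, DEBUG_LOG):
        print("Unattributed flow on system tunnel:", flow)
```

More than one entry from `tunnels()` indicates the agent is running separate system and user tunnels, which is the MCU=1 condition this article ties to the disconnects.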