Unstable connectivity in SSL Network Extender / Endpoint in Visitor Mode (port 443)

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk121738
Technical Level
Product	SSL Network Extender
Version	R77.30, R80.10
Date Created	29-Nov-2017
Last Modified	26-May-2019

Symptoms

Initial connection to SNX works fine and traffic to authorized locations go through as well. But, every now and then, interruptions in TCP connections occur, when SNX client is on Windows 10 (version 1607) with Anniversary Update, or higher.
The issue stands out the most in Remote Desktop session (RDP) that disconnects every random amount of time and then reconnects by itself after 10-30 seconds.
Kernel debug output shows:

DATE TIME;[cpu_1];[fw4_0];fwtls_rx_handler: cptls_rl_decrypt failed
OR
DATE TIME;[cpu_0];[fw4_0];fwtls_rx_handler: Wrong version 0x936b;
Endpoint Security clients that work in Visitor Mode (TCP 443 instead of UDP 4500), may exhibit the same behavior.
Windows SNX debug output file slimscv.log shows:

[cpwssl] cpSSL_fwasync_write: 1387 bytes still pending in buffer (1358). Trying to send and signaline fwasync to retry [cpwssl] cpSSL_fwasync_write: send returned -1: Operation would block

Cause

Windows 10 Anniversary update introduces a new TCP implementation.

The gateway incorrectly handles some TCP retransmissions of the new implementation, so packet loss can trigger the issue, even though the client retransmits it.

Solution

Note: To view this solution you need to Sign In .