# RDP is defaulting to COTP???

## Hell-Razor

Just looking for a little bit of help here; I am clueless and have tried many, many different things, so I may miss something. I'll be online most of today checking this, so feel free to ask questions or hop into IRC to chat.

Anyway, this is the situation: I can VPN into my network and authenticate just fine. But as soon as I try to RDP into my desktop, the firewall shoots me down. I am going into port 3389 (RDP) and have tried rdesktop-1.8.4-r1, remmina-1.3.2 and freerdp-2.0.0_rc4. If I poke a hole to allow my traffic, the traffic is identified as COTP and not RDP. The firewall is shooting me down on the VERY FIRST packet instead of trying to identify what the protocol is; that is the reason why I am getting denied. I don't see any malformed packets in tcpdump, but upon inspection of a pcap from a working machine and a pcap from this machine, the only obvious difference is the header length (which may be enough). Many other people are also using Remmina, not all different versions; some are using 1.3.2 as well. If I go to their machine, I can get into my desktop just fine. Most of them are using Ubuntu, and I have spent a lot of time rolling versions back with no luck.

Here is my emerge --info: https://paste.pound-python.org/show/16LSzKMEuc7pEvs6xhHn/

Here is my kernel config: https://paste.pound-python.org/show/aWmnUAJPSDjVmPxLFpag/
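The header-length difference mentioned above is worth pinning down before going any further, because the first client packet of an RDP session is an X.224 (COTP) Connection Request carried in a TPKT header, and per MS-RDPBCGR both the `Cookie: mstshash=` routing cookie and the RDP Negotiation Request that follow the fixed 7-byte X.224 header are optional. A Connection Request that carries neither is byte-for-byte a generic ISO transport CR, so a length difference in that first packet is exactly the kind of thing to check. The following script is an added example, not code from this thread or from any of the clients named in it; it builds and decodes that first packet so two captures (the working Ubuntu client and the Gentoo client) can be compared field by field. The sample payloads are constructed inline; the cookie value `alice` and the requested-protocol flags are assumed for illustration, and nothing here claims to know which fields the firewall's classifier keys on.

```python
import struct

# Constants from RFC 1006 (TPKT), X.224 and MS-RDPBCGR section 2.2.1.1.
TPKT_VERSION = 3
X224_CR = 0xE0                  # Connection Request, CDT = 0
TYPE_RDP_NEG_REQ = 0x01
COOKIE_PREFIX = b"Cookie: mstshash="
PROTOCOL_NAMES = {0x0: "RDP", 0x1: "SSL", 0x2: "HYBRID", 0x8: "RDSTLS"}


def build_x224_connection_request(cookie=None, requested_protocols=None):
    """Build the first client packet: TPKT + X.224 CR [+ cookie] [+ rdpNegReq]."""
    variable = b""
    if cookie is not None:
        variable += COOKIE_PREFIX + cookie.encode("ascii") + b"\r\n"
    if requested_protocols is not None:
        # type, flags, length (always 8), requestedProtocols; all little-endian
        variable += struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    li = 6 + len(variable)      # LI counts everything after the LI byte
    x224 = bytes([li, X224_CR]) + b"\x00\x00" + b"\x00\x00" + b"\x00" + variable
    tpkt = struct.pack("!BBH", TPKT_VERSION, 0, 4 + len(x224))
    return tpkt + x224


def parse_x224_connection_request(payload):
    """Decode the first client packet and report which optional fields are present."""
    if len(payload) < 11:
        raise ValueError("payload shorter than TPKT + fixed X.224 CR header")
    version, _reserved, tpkt_len = struct.unpack("!BBH", payload[:4])
    if version != TPKT_VERSION:
        raise ValueError("not a TPKT packet (version %d)" % version)
    if tpkt_len != len(payload):
        raise ValueError("TPKT length %d != payload length %d" % (tpkt_len, len(payload)))
    li = payload[4]
    if payload[5] != X224_CR:
        raise ValueError("X.224 PDU type 0x%02x is not a Connection Request" % payload[5])
    if li < 6 or 5 + li > len(payload):
        raise ValueError("X.224 length indicator %d inconsistent with packet" % li)

    rest = payload[11:5 + li]   # variable part after the 6 fixed CR bytes
    cookie = None
    neg_req = None
    if rest.startswith(COOKIE_PREFIX):
        end = rest.find(b"\r\n")
        if end < 0:
            raise ValueError("routing cookie is not CR/LF terminated")
        cookie = rest[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        rest = rest[end + 2:]
    if len(rest) >= 8 and rest[0] == TYPE_RDP_NEG_REQ:
        _type, flags, length, protocols = struct.unpack("<BBHI", rest[:8])
        if length != 8:
            raise ValueError("rdpNegReq length field is %d, expected 8" % length)
        neg_req = {
            "flags": flags,
            "requested_protocols": protocols,
            "names": [n for bit, n in PROTOCOL_NAMES.items() if protocols & bit or (protocols == 0 and bit == 0)],
        }
        rest = rest[8:]

    return {
        "tpkt_length": tpkt_len,
        "x224_li": li,
        "cookie": cookie,
        "neg_req": neg_req,
        "trailing": rest,
        # A CR with neither optional field is indistinguishable from a generic COTP CR.
        "looks_like_rdp": cookie is not None or neg_req is not None,
    }


def compare_first_packets(good, bad):
    """Return the fields that differ between two decoded first packets."""
    a, b = parse_x224_connection_request(good), parse_x224_connection_request(bad)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    # Constructed samples: a full client hello and a bare COTP CR.
    full = build_x224_connection_request("alice", 0x3)   # TLS | CredSSP
    bare = build_x224_connection_request()
    for name, pkt in (("full", full), ("bare", bare)):
        print(name, len(pkt), "bytes:", parse_x224_connection_request(pkt))
    print("differences:", compare_first_packets(full, bare))
```

To use this on real traffic, extract the TCP payload of the first client-to-server segment after the three-way handshake from each pcap (for example with `tshark -Y 'tcp.dstport==3389 && tcp.len>0' -T fields -e tcp.payload`) and feed the two byte strings to `compare_first_packets`; if the Gentoo side shows `x224_li == 6` with no cookie and no negotiation request, that is the header-length difference made concrete.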

----------

## Hell-Razor

Been looking pretty hard into this and still can't find a reason for what's going on.

----------

## Hu

What identifies the traffic as COTP?  If you enable debugging, what does it show for why it classifies this as COTP?  What does it show for why it classifies other people's traffic as RDP?  Have you tried replaying the opening handshake of the good client from your machine to a target RDP server to see how the firewall classifies that?

----------

## Hell-Razor

 *Hu wrote:*   

> What identifies the traffic as COTP?  If you enable debugging, what does it show for why it classifies this as COTP?  What does it show for why it classifies other people's traffic as RDP?  Have you tried replaying the opening handshake of the good client from your machine to a target RDP server to see how the firewall classifies that?

 

Once I poke a hole in the firewall and the handshake is allowed to complete, the packet is then identified as "cotp".

Debugging in what way?

I have tested several other os distributions, the firewall sees all them as rdp.

I tried replaying everything; something in Gentoo is skewing the first packet to the point where the firewall thinks it's not RDP. What that is exactly I do not know, which is why I am trying to reach out here.

----------

## Hu

Yes, I understood from your first post that some as-yet-unidentified firewall is misclassifying this traffic.  What firewall is this?  When you enable debugging on that firewall, what does it say about its decisions?

----------

## Hell-Razor

 *Hu wrote:*   

> Yes, I understood from your first post that some as-yet-unidentified firewall is misclassifying this traffic.  What firewall is this?  When you enable debugging on that firewall, what does it say about its decisions?

It's a Palo Alto firewall, and the debug just says unknown application.

What's strange, though, is I don't think it's a firewall problem, as people that also use openconnect and remmina (what I am using) are getting through.

----------

## Hu

How can it not be a firewall problem, when the firewall is classifying similar applications differently, then failing or allowing them based on its classifications?  You may need to increase debug verbosity and trace its classifier in more detail to see where exactly it decides that one stream is RDP and the other is COTP.

----------

## Hell-Razor

 *Hu wrote:*   

> How can it not be a firewall problem, when the firewall is classifying similar applications differently, then failing or allowing them based on its classifications?  You may need to increase debug verbosity and trace its classifier in more detail to see where exactly it decides that one stream is RDP and the other is COTP.

It's not a firewall problem because the firewall is doing its job, not allowing a policy or rule we don't allow. If I spin up a VM of Ubuntu I can get through on this machine, AND of the 30+ people getting through, none are having this problem.

----------

## Hu

Is your policy not to allow RDP?  If so, then what are you trying to achieve here?  If not, then it looks to be a firewall problem: it is classifying your RDP traffic as non-RDP, then blocking you for using what it thinks is not RDP.  I thought the point of this thread was to get the firewall to recognize your traffic as RDP so that it would allow you in.

----------

## Hell-Razor

 *Hu wrote:*   

> Is your policy not to allow RDP?  If so, then what are you trying to achieve here?  If not, then it looks to be a firewall problem: it is classifying your RDP traffic as non-RDP, then blocking you for using what it thinks is not RDP.  I thought the point of this thread was to get the firewall to recognize your traffic as RDP so that it would allow you in.

 

Yes, the policy is allowing RDP. I am trying to figure out what it is on Gentoo that is skewing the packet when the same VPN and RDP work on several other Linux distributions. The firewall is working as it's supposed to; something on my system is off.

Again, if I allow COTP then I can get through. I let the rule go, logging for almost two weeks, and my box is the only one hitting it out of hundreds of others. Gentoo has something somewhere forcing my protocol to COTP.

----------

