Trustsec issues with Windows network profile

tdavis85
Level 1

Hello,

I'm utilizing TrustSec in manual mode with the gcm-encrypt setting for layer 2 point-to-point encryption on some links to other sites in our network. The issue that I'm running into is that it seems to randomly cause the Windows network profile on the end user PCs to see the connection as Unauthenticated. We originally saw the issue on the majority of the workstations at the remote site (far end of the encryption away from our Domain Controllers) when we first implemented the TrustSec encryption. Once it was up and running, we were able to change the VLAN of the end user stations in order to get the Windows PCs to create a new network profile. Since then, PCs will randomly go back to seeing the connection as "Unauthenticated". The CTS stats don't show the link ever going down, failing or renegotiating since it has come up. Has anybody seen this? I know this isn't the ideal or intended use for TrustSec, but we're limited on resources and this at least provides us encryption over the link. We are not propagating the SGT, so I'm not sure why a change on one point-to-point link causes the end user PCs to see the network differently. When the PCs show the connection as unauthenticated, the Windows profile no longer allows access to share drives. In some cases, as long as the network connection is present, the users can't even open File Explorer and access their local disk drives. As soon as you shut down the interface leading to the PCs, Windows will allow access to File Explorer again. The network profile corruption symptoms and indicators seem to vary, even though all PCs are running the same image build. I'm kind of at a loss as to what could be causing it. I understand that TrustSec was supposed to integrate and work with Windows, but I thought that as long as you were using it in manual mode and not propagating the SGT, it shouldn't affect the traffic on distant switches that aren't utilizing it at all.
The TrustSec encryption is being used between a core and distribution switch, and the affected users are on access switches that are fed by the distro.

1 Reply

tdavis85
Level 1

For what it's worth, I ended up figuring this out. When we implemented TrustSec on the point-to-point links, we also changed the MTUs for the switches on both sides to 9000. We were running through a DWDM network that was managed by another entity. That network was supposed to be running 9000 for the MTU size as well. After experiencing more issues with 802.1X failing, and other seemingly random issues, we found that we were no longer able to ping packets larger than 1495 through our links on either side of the DWDM. We asked the managing entity about it and found that our DWDM link was only configured for an MTU of 1548. They changed it to 9000 and our problems were all resolved. We learned the lesson the hard way: there is a lot more overhead with TrustSec, so even though we were running QinQ and different encryption on those same links prior, we should've verified the path MTU.
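As an added example (not from this thread), a small Python path-MTU probe that binary-searches the largest don't-fragment ICMP payload a path carries, the check the reply says should have been done before trusting the transit network's advertised MTU. The `ping` flags are Linux iputils; the simulated link and its per-frame overhead constants are constructed assumptions for offline use, not the poster's measurements.

```python
"""Find the largest DF-bit ICMP payload a path carries (binary search).

Constructed example: the simulated link models a transit segment (like the
1548-byte DWDM hop in the thread) that silently drops oversized frames.
"""
import subprocess
from typing import Callable

# Per-frame byte overhead, assumed values for the simulated link.
ETH_HDR = 14            # Ethernet header without FCS
MACSEC_OVERHEAD = 32    # 802.1AE SecTAG with SCI (16) + ICV (16)
IP_ICMP_HDRS = 28       # IPv4 header (20) + ICMP echo header (8)


def ping_probe(host: str, payload: int) -> bool:
    """One echo request of `payload` bytes with DF set; True if it is answered."""
    cmd = ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def make_simulated_probe(link_mtu: int, l2_overhead: int) -> Callable[[int], bool]:
    """Model a link that forwards a frame only if it fits within link_mtu."""
    def probe(payload: int) -> bool:
        return payload + IP_ICMP_HDRS + l2_overhead <= link_mtu
    return probe


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 8972) -> int:
    """Largest payload for which probe() succeeds; -1 if even `lo` fails.

    Assumes pass/fail is monotonic in payload size, which holds for a
    fixed-MTU path that drops (rather than fragments) DF-marked packets.
    """
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits, search the upper half
        else:
            hi = mid - 1      # mid dropped, search the lower half
    return lo


def expected_max_payload(link_mtu: int, l2_overhead: int) -> int:
    """Closed-form answer for the simulated link, used to cross-check the search."""
    return link_mtu - l2_overhead - IP_ICMP_HDRS


if __name__ == "__main__":
    # Switches set to 9000 on both ends, but a 1548-byte hop in the middle.
    probe = make_simulated_probe(1548, ETH_HDR + MACSEC_OVERHEAD)
    print("largest DF payload through simulated path:", find_max_payload(probe))
    # Against a live host: find_max_payload(lambda p: ping_probe("10.0.0.1", p))
```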