Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

RDP error "0x609" after you install Cisco SRU 2019-05-24-001



Symptoms

Consider the following scenario:

  • You work in an environment that uses Cisco Firepower Intrusion Prevention System (IPS).
  • You install Cisco Sourcefire Rule Update (SRU) 2019-05-24-001.
  • You try to connect to a remote computer by using a Remote Desktop Protocol (RDP) connection.

In this scenario, you can't make the RDP connection, and you receive the following error message:

 

4506344

Note When the issue occurs, you can still access the computer by using the console.



Cause

This issue occurs because of a bad Cisco Firepower IPS rule that affects RDP network traffic. The rule was updated by Cisco in Sourcefire Rule Update (SRU) 2019-05-24-001.

In this rule update, the following signature IDs (SIDs) were added for RDP protection.

SID      Rule information
1:50186  CONTENT-REPLACE Microsoft Windows require RDP client channel list prior to encryption (content-replace.rules)
1:50187  CONTENT-REPLACE Microsoft Windows require RDP client channel list prior to encryption (content-replace.rules)
1:50188  CONTENT-REPLACE Microsoft Windows require RDP client channel list prior to encryption (content-replace.rules)
1:50189  CONTENT-REPLACE Microsoft Windows require RDP client channel list prior to encryption (content-replace.rules)



Resolution

To fix this issue, install the latest Sourcefire Rule Update (SRU) from Cisco. Alternatively, disable the problematic SIDs that are listed in the Cause section.

For more information, see Firepower drops RDP traffic after SRU Rule Update 2019-05-24-001.


Third-party contact disclaimer
Microsoft provides third-party contact information to help you find additional information about this topic. This contact information may change without notice. Microsoft does not guarantee the accuracy of third-party contact information.



More information

In some environments, you can change the security layer to 0 (zero), and then restart Remote Desktop Services to work around this issue.

If you capture a network trace when the issue occurs, you may find that the client sends a handshake request, receives no server response, retransmits, and eventually disconnects because of the lack of response.

In the client-side trace, filtered on port 3389, we see that the client sends data to the server but receives no response.

86913    7:16:43 AM 5/25/2019   5:46:43 PM 5/25/2019   53.2842011         (4)               Client      Server               TCP               TCP:Flags=......S., SrcPort=53152, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=3943791046, Ack=0, Win=65280 ( Negotiating scale factor 0x8 ) = 65280
86939    7:16:43 AM 5/25/2019   5:46:43 PM 5/25/2019   53.3055430         (4)               Client      Server               TCP               TCP:Flags=...A...., SrcPort=53152, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=3943791047, Ack=1699489116, Win=260 (scale factor 0x0) = 260
86954    7:16:43 AM 5/25/2019   5:46:43 PM 5/25/2019   53.3073533         (4)               Client      Server               X224               X224:Connection Request
87188    7:16:43 AM 5/25/2019   5:46:43 PM 5/25/2019   53.3766266         (4)               Client      Server               TCP               TCP:Flags=...A...., SrcPort=53152, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=3943791094, Ack=1699489135, Win=259 (scale factor 0x0) = 259
91338    7:16:46 AM 5/25/2019   5:46:46 PM 5/25/2019   56.6393073         (4)               Client      Server               RDPBCGR               RDPBCGR:TsFpInputPdu Encrypted
91663    7:16:46 AM 5/25/2019   5:46:46 PM 5/25/2019   56.8718679         (4)               Client      Server               TCP               TCP:[ReTransmit #91338]Flags=...AP..., SrcPort=53152, DstPort=MS WBT Server(3389), PayloadLen=180, Seq=3943791094 - 3943791274, Ack=1699489135, Win=259 (scale factor 0x0) = 259
91859    7:16:46 AM 5/25/2019   5:46:46 PM 5/25/2019   56.9251954         (4)               Client      Server               RDPBCGR               RDPBCGR:TsFpInputPdu Encrypted
91941    7:16:46 AM 5/25/2019   5:46:46 PM 5/25/2019   56.9446179         (4)               Client      Server               RDPBCGR               RDPBCGR:TsFpInputPdu Encrypted
91995    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   56.9672603         (4)               Client      Server               TCP               TCP:Flags=...A...., SrcPort=53152, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=3943791555, Ack=1699491676, Win=260 (scale factor 0x0) = 260
92273    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   57.0424693         (4)               Client      Server               RDPBCGR               RDPBCGR:TsFpInputPdu Encrypted
92274    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   57.0424933         (4)               Client      Server               TCP               TCP:[Continuation to #92273]Flags=...A...., SrcPort=53152, DstPort=MS WBT Server(3389), PayloadLen=1280, Seq=3943792835 - 3943794115, Ack=1699491676, Win=260 (scale factor 0x0) = 260
92276    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   57.0425103         (4)               Client      Server               TCP               TCP:[Continuation to #92273]Flags=...AP..., SrcPort=53152, DstPort=MS WBT Server(3389), PayloadLen=287, Seq=3943794115 - 3943794402, Ack=1699491676, Win=260 (scale factor 0x0) = 260
92448    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   57.0646161         (4)               Client      Server               RDPBCGR               RDPBCGR:TsFpInputPdu Encrypted
92820    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   57.2957364         (4)               Client      Server               TCP               TCP:[ReTransmit #92448]Flags=...AP..., SrcPort=53152, DstPort=MS WBT Server(3389), PayloadLen=220, Seq=3943794402 - 3943794622, Ack=1699491933, Win=258 (scale factor 0x0) = 258
92900    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   57.3242885         (4)               Client      Server               RDPBCGR               RDPBCGR:TsFpInputPdu Encrypted
92948    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   57.3441113         (4)               Client      Server               RDPBCGR               RDPBCGR:TsFpInputPdu Encrypted
93020    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   57.3636843         (4)               Client      Server               RDPBCGR               RDPBCGR:TsFpInputPdu Encrypted
93037    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   57.3638890         (4)               Client      Server               TCP               TCP:Flags=...A.R.., SrcPort=53152, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=3943795378, Ack=1699492253, Win=0 (scale factor 0x0) = 0

On the server side, we see that the server responds, but the response never reaches the client.

44570    7:16:43 AM 5/25/2019   5:46:43 PM 5/25/2019   67.0422429         (0)               Server      Client      TCP        TCP: [Bad CheckSum]Flags=...A..S., SrcPort=MS WBT Server(3389), DstPort=53152, PayloadLen=0, Seq=961381381, Ack=205437240, Win=64000 ( Negotiated scale factor 0x0 ) = 64000
44578    7:16:43 AM 5/25/2019   5:46:43 PM 5/25/2019   67.0638793         (0)               Client      Server      TCP        TCP:Flags=...A...., SrcPort=53152, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=205437240, Ack=961381382, Win=260
44600    7:16:43 AM 5/25/2019   5:46:43 PM 5/25/2019   67.0650291         (0)               Client      Server      X224      X224:Connection Request
44614    7:16:43 AM 5/25/2019   5:46:43 PM 5/25/2019   67.0723057         (1716)               Server      Client      X224      X224:Connection Confirm
44623    7:16:43 AM 5/25/2019   5:46:43 PM 5/25/2019   67.1345327         (0)               Client      Server      TCP        TCP:Flags=...A...., SrcPort=53152, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=205437287, Ack=961381401, Win=259
45674    7:16:46 AM 5/25/2019   5:46:46 PM 5/25/2019   70.3967363         (0)               Client      Server      RDPBCGR            RDPBCGR:TsFpInputPdu Encrypted
45680    7:16:46 AM 5/25/2019   5:46:46 PM 5/25/2019   70.3989471         (1716)               Server      Client      RDPBCGR            RDPBCGR:Invalid FpOutputHeader, May Need Reassembly
45713    7:16:46 AM 5/25/2019   5:46:46 PM 5/25/2019   70.6298415         (0)               Client      Server      TCP        TCP:[ReTransmit #45674]Flags=...AP..., SrcPort=53152, DstPort=MS WBT Server(3389), PayloadLen=180, Seq=205437287 - 205437467, Ack=961381401, Win=259
45715    7:16:46 AM 5/25/2019   5:46:46 PM 5/25/2019   70.6298942         (0)               Server      Client      TCP        TCP: [Bad CheckSum]Flags=...A...., SrcPort=MS WBT Server(3389), DstPort=53152, PayloadLen=0, Seq=961382587, Ack=205437467, Win=63773 (scale factor 0x0) = 63773
45718    7:16:46 AM 5/25/2019   5:46:46 PM 5/25/2019   70.6379841         (0)               Server      Client      TCP        TCP:[ReTransmit #45680] [Bad CheckSum]Flags=...AP..., SrcPort=MS WBT Server(3389), DstPort=53152, PayloadLen=1186, Seq=961381401 - 961382587, Ack=205437467, Win=63773 (scale factor 0x0) = 63773
45726    7:16:46 AM 5/25/2019   5:46:46 PM 5/25/2019   70.6832932         (0)               Client      Server      RDPBCGR            RDPBCGR:TsFpInputPdu Encrypted
45736    7:16:46 AM 5/25/2019   5:46:46 PM 5/25/2019   70.6843633         (1716)               Server      Client      RDPBCGR            RDPBCGR:Invalid FpOutputHeader, May Need Reassembly
45741    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   70.7023718         (0)               Client      Server      RDPBCGR            RDPBCGR:TsFpInputPdu Encrypted
45752    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   70.7029054         (1716)               Server      Client      RDPBCGR            RDPBCGR:Invalid FpOutputHeader, May Need Reassembly
45757    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   70.7247111         (0)               Client      Server      TCP        TCP:Flags=...A...., SrcPort=53152, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=205437748, Ack=961383942, Win=260
45771    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   70.8001455         (0)               Client      Server      RDPBCGR            RDPBCGR:TsFpInputPdu Encrypted
45779    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   70.8004476         (0)               Client      Server      TCP        TCP:[Continuation to #45771] [Bad CheckSum]Flags=...AP..., SrcPort=53152, DstPort=MS WBT Server(3389), PayloadLen=1567, Seq=205439028 - 205440595, Ack=961383942, Win=260
45786    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   70.8004761         (0)               Server      Client      TCP        TCP: [Bad CheckSum]Flags=...A...., SrcPort=MS WBT Server(3389), DstPort=53152, PayloadLen=0, Seq=961383942, Ack=205440595, Win=64000 (scale factor 0x0) = 64000
45791    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   70.8018238         (1716)               Server      Client      RDPBCGR            RDPBCGR:Invalid FpOutputHeader, May Need Reassembly
45796    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   70.8223952         (0)               Client      Server      RDPBCGR            RDPBCGR:TsFpInputPdu Encrypted
45807    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   70.8230630         (1716)               Server      Client      RDPBCGR            RDPBCGR:Invalid FpOutputHeader, May Need Reassembly
45855    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   71.0533193         (0)               Client      Server      TCP        TCP:[ReTransmit #45796]Flags=...AP..., SrcPort=53152, DstPort=MS WBT Server(3389), PayloadLen=220, Seq=205440595 - 205440815, Ack=961384199, Win=258
45857    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   71.0533774         (0)               Server      Client      TCP        TCP: [Bad CheckSum]Flags=...A...., SrcPort=MS WBT Server(3389), DstPort=53152, PayloadLen=0, Seq=961384331, Ack=205440815, Win=63780 (scale factor 0x0) = 63780
45861    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   71.0598696         (0)               Server      Client      TCP        TCP:[ReTransmit #45807] [Bad CheckSum]Flags=...AP..., SrcPort=MS WBT Server(3389), DstPort=53152, PayloadLen=132, Seq=961384199 - 961384331, Ack=205440815, Win=63780 (scale factor 0x0) = 63780
45867    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   71.0816786         (0)               Client      Server      RDPBCGR            RDPBCGR:TsFpInputPdu Encrypted
45877    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   71.0825373         (1716)               Server      Client      RDPBCGR            RDPBCGR:Invalid FpOutputHeader, May Need Reassembly
45882    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   71.1020869         (0)               Client      Server      RDPBCGR            RDPBCGR:TsFpInputPdu Encrypted
45895    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   71.1038529         (1716)               Server      Client      RDPBCGR            RDPBCGR:Invalid FpOutputHeader, May Need Reassembly
45898    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   71.1213487         (0)               Client      Server      RDPBCGR            RDPBCGR:TsFpInputPdu Encrypted
45899    7:16:47 AM 5/25/2019   5:46:47 PM 5/25/2019   71.1213494         (0)               Client      Server      TCP        TCP:Flags=...A.R.., SrcPort=53152, DstPort=MS WBT Server(3389), PayloadLen=0, Seq=205441571, Ack=961384519, Win=0

When we filter for the confirmation packet and the retransmitted packets that the server sends to the client but that never reach the client, we see the following intermediate device as the Ethernet destination.

  - Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[XX-XX-XX-XX-XX-XX],SourceAddress:[XX-XX-XX-XX-XX-XX]
  - MacAddress DestinationAddress: CISCO SYSTEMS, INC. [XX-XX-XX-XX-XX-XX]

 



Keywords: Session connectivity, kbContentAuto, kbSupportTopic


Article Info
Article ID : 4506344
Revision : 14
Created on : 7/22/2019
Published on : 7/22/2019