https://community.checkpoint.com/t5/SASE-and-Remote-Access/domain-udp-Decrypted-in-community-RemoteAccess/m-p/182630#M4898 <P>Maybe try newest VPN client to see if it makes any difference. Only other reason I can think of would be maybe some 3rd party software possibly causing this. Other than that, maybe engage TAC, but not real sure how much they can do either, considering its definitely not the FW issue.</P> <P>Andy</P> Wed, 31 May 2023 01:21:37 GMT the_rock 2023-05-31T01:21:37Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/domain-udp-Decrypted-in-community-RemoteAccess/m-p/182580#M4895 <P>Hi,</P><P>we have about 100 VPN users. Some use CP mobile, some SecureRemote.</P><P>Only one user have some problem. On his site, he doesn't have any problems. But in log file, there is record every 20-40sec. Copy is down below.</P><P>I did try to fresh install client and also tries his credentials on new PC, but problem remains.</P><P>Why is his computer try to connect to DC every few seconds? He only use VPN for RDP, but even if he only establishes VPN without RDP connection, logs are full with same message as copy of log bellow.</P><P>Did try with win10 and win11. All other users doesn't create logs like one bellow</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><BR />Interface Direction: inbound</P><P>Id Generated By Indexer: false<BR />First: true<BR />Sequencenum: 1<BR />Source Zone: External<BR />Destination Zone: Internal<BR />Service ID: domain-udp<BR />Source: 10.18.252.27<BR />Source Port: 58782<BR />Destination: 10.18.205.35<BR />Destination Port: 53<BR />IP Protocol: 17<BR />Scheme: IKE<BR />Methods: ESP: 3DES + SHA1<BR />VPN Peer Gateway: 10.18.252.27<BR />Community: RemoteAccess<BR />VPN Feature: VPN<BR />Action: Decrypt<BR />Type: Connection<BR />Blade: VPN<BR />Service: UDP/53<BR />Product Family: Access<BR />Logid: 0<BR />Access Rule Name: VPN Support<BR />Description: Decrypted in community RemoteAccess</P> Tue, 30 May 2023 17:39:16 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/domain-udp-Decrypted-in-community-RemoteAccess/m-p/182580#M4895 WhOPP 2023-05-30T17:39:16Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/domain-udp-Decrypted-in-community-RemoteAccess/m-p/182586#M4896 <P>If I were you, since you say its just 1 single user, I would maybe have them delete/re-create VPN site, if that fails, have them reinstall the vpn client (maybe try latest one, E87.30)</P> <P>Cheers,</P> <P>Andy</P> Tue, 30 May 2023 17:47:47 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/domain-udp-Decrypted-in-community-RemoteAccess/m-p/182586#M4896 the_rock 2023-05-30T17:47:47Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/domain-udp-Decrypted-in-community-RemoteAccess/m-p/182598#M4897 <P>Hi, thanks for replay</P><P>I did delete user and create new one with new certificate. Also reinstalled client on his PC and also try with new clean VM but results are same.</P><P>All users use same client</P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/html?action=portlets.DCFileAction&amp;eventSubmit_doGetdcdetails=&amp;fileid=118725" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/html?action=portlets.DCFileAction&amp;eventSubmit_doGetdcdetails=&amp;fileid=118725</A></P><P>FW is R81.10</P><P>&nbsp;</P> Tue, 30 May 2023 18:09:24 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/domain-udp-Decrypted-in-community-RemoteAccess/m-p/182598#M4897 WhOPP 2023-05-30T18:09:24Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/domain-udp-Decrypted-in-community-RemoteAccess/m-p/182630#M4898 <P>Maybe try newest VPN client to see if it makes any difference. Only other reason I can think of would be maybe some 3rd party software possibly causing this. Other than that, maybe engage TAC, but not real sure how much they can do either, considering its definitely not the FW issue.</P> <P>Andy</P> Wed, 31 May 2023 01:21:37 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/domain-udp-Decrypted-in-community-RemoteAccess/m-p/182630#M4898 the_rock 2023-05-31T01:21:37Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/domain-udp-Decrypted-in-community-RemoteAccess/m-p/182648#M4899 <P>The client is dowing DNS requests. I guess it is perfectly normal.</P> Wed, 31 May 2023 08:21:45 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/domain-udp-Decrypted-in-community-RemoteAccess/m-p/182648#M4899 _Val_ 2023-05-31T08:21:45Z