RDP error "0x609" after you install Cisco SRU 2019-05-24-001

Applies to: Windows Server 2019, all versions; Windows Server 2016; Windows Server 2012 R2

Symptoms


Consider the following scenario:

  • You work in an environment that uses Cisco Firepower Intrusion Prevention System (IPS).
  • You install Cisco Sourcefire Rule Update (SRU) 2019-05-24-001.
  • You try to connect to a remote computer by using a Remote Desktop Protocol (RDP) connection.

In this scenario, you can't make the RDP connection, and you receive the following error message:

[Image: RDP error]

Note When the issue occurs, you can still access the computer by using the console.

Cause


This issue occurs because of a bad Cisco Firepower IPS rule that affects RDP network traffic. The rule was updated by Cisco in Sourcefire Rule Update (SRU) 2019-05-24-001.

In this rule update, the following signature IDs (SIDs) were added for RDP protection.

SID        Rule information
1:50186    CONTENT-REPLACE Microsoft Windows require RDP client channel list prior to encryption (content-replace.rules)
1:50187    CONTENT-REPLACE Microsoft Windows require RDP client channel list prior to encryption (content-replace.rules)
1:50188    CONTENT-REPLACE Microsoft Windows require RDP client channel list prior to encryption (content-replace.rules)
1:50189    CONTENT-REPLACE Microsoft Windows require RDP client channel list prior to encryption (content-replace.rules)

Resolution


To fix this issue, install the latest Sourcefire Rule Update (SRU) from Cisco, or disable the problematic SIDs.

For more information, see Firepower drops RDP traffic after SRU Rule Update 2019-05-24-001.

More information


In some environments, you can change the security layer to 0 (zero), and then restart Remote Desktop Services to work around this issue.
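The workaround above as a reversible PowerShell sketch. This is an added example, not code from the original article; it assumes the default RDP-Tcp listener registry key, the TermService service name, and a hypothetical backup file path.

```powershell
# Added example, not from the original article. Run elevated from the server
# console, since RDP is unavailable while the issue occurs.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$backup   = Join-Path $env:ProgramData 'rdp-securitylayer.bak'   # hypothetical path

function Get-RdpSecurityLayer {
    # 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS)
    (Get-ItemProperty -Path $listener -Name SecurityLayer).SecurityLayer
}

function Set-RdpSecurityLayer {
    param([Parameter(Mandatory)][ValidateRange(0, 2)][int]$Value)
    Set-ItemProperty -Path $listener -Name SecurityLayer -Value $Value -Type DWord
    # -Force also restarts the services that depend on Remote Desktop Services.
    Restart-Service -Name TermService -Force
}

function Enable-RdpWorkaround {
    # A Group Policy value overrides the listener setting, so a local change
    # would have no effect; stop and report it instead.
    $gpo = Get-ItemProperty -Path $policy -Name SecurityLayer -ErrorAction SilentlyContinue
    if ($gpo) {
        throw "SecurityLayer is set by policy ($($gpo.SecurityLayer)); change it there instead."
    }
    # Keep the first recorded value so repeated runs do not overwrite it with 0.
    if (-not (Test-Path $backup)) {
        Get-RdpSecurityLayer | Set-Content -Path $backup
    }
    Set-RdpSecurityLayer -Value 0
}

function Restore-RdpSecurityLayer {
    # Call after the corrected SRU is installed or the SIDs are disabled.
    $original = [int](Get-Content -Path $backup)
    Set-RdpSecurityLayer -Value $original
    Remove-Item -Path $backup
}
```

Run `Enable-RdpWorkaround`, retest the connection, and run `Restore-RdpSecurityLayer` once the IPS rules are corrected, because value 0 means sessions no longer use TLS.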

If you capture a network trace when the issue occurs, you may find that the client sends a handshake request, receives no server response, retransmits, and eventually disconnects because of the lack of response.