We’ve been running a WatchGuard M390 for a couple of years now, and recently invested in EDR Core licensing to make use of Network Access Enforcement.
This has all gone swimmingly and has been working for some time - but over the last few weeks, we’re gradually seeing users end up in a quarantined state for approx 12-15 seconds before being forcibly disconnected from the VPN. This is currently affecting 5 users out of 30, and seems to “just happen”.
I’ve confirmed the following:
VPN up to date, agent up to date, knowledge up to date, Windows up to date.
I’ve attempted:
Reinstallations of agent, reinstallation of VPN client. Completely unrestricting all ‘Panda’ services in the firewall by executable name (full ingress/egress unrestricted), turning off the firewall. Turning off Defender.
Reviewing the M390 firewall logs on a connection, the error I am seeing is “Failed to meet TDR Host Sensor Enforcement Requirement: Read from the Host Sensor Failed”. In the brief window of the VPN connection, I am seeing the bytes written count increase, but the bytes read count gets to about 3000 and then stops there before it disconnects. This indicates that the WatchGuard genuinely can’t see this device - but I don’t quite understand what could be limiting this?
I’ve had a support case open with WG for over a week now, but this is quickly becoming more critical and I’ve run out of things that I can think of to check on my end. Has anyone experienced a similar issue before, or have any suggestions on any Windows components that may be causing a conflict? The only antivirus/firewall is the WatchGuard on-prem, and Windows Firewall/Windows Defender.