
[Bug] - RDP-HTTPS-Gateway sends keepalives for sessions hosted on RDP-GATEWAY causing validation errors

Open straeb opened this issue 2 months ago • 2 comments

Describe the bug

When using RDP local client mode through the RDP HTTPS Gateway, the keepalive requests are sent by the RDP-HTTPS-GATEWAY container but the session is registered on the RDP-GATEWAY container. This causes continuous validation errors in the Kasm API logs. The sessions remain stable and functional, but the logs are flooded with error messages every 30 seconds.

To Reproduce

Steps to reproduce the behavior:

  1. Install Kasm Workspaces 1.17.0 (single server):
kasm_release/install.sh \
      --accept-eula \
      --swap-size 8192 \
      --admin-password {{ admin_password }} \
      --user-password {{ user_password }} \
      --db-password {{ db_password }} \
      --redis-password {{ redis_password }} \
      -L 8443
  2. Configure external reverse proxy. Caddy in our case:
kasm.example.com {
    reverse_proxy proxy:8443 {
        flush_interval -1
        stream_timeout 24h
        stream_close_delay 10m
        lb_policy ip_hash

        transport http {
            tls_insecure_skip_verify
            dial_timeout 10s
            response_header_timeout 30s
            keepalive 60m
            keepalive_interval 10s
            keepalive_idle_conns_per_host 100
        }
        header_up X-Forwarded-Port "443"
        header_up X-Forwarded-Proto {scheme}
        header_up Host {host}
    }
}
  3. Zone settings:
  • Proxy Port: 0
  • Upstream Auth Address: proxy
  • Restrict RDP Client IP Address: disabled
  4. Create RDP-Workspace, Single Server, Kasm Client

Expected behavior

Keepalive requests should be accepted regardless of which Connection Proxy component sends them, as long as they belong to the same RDP connection chain (RDP-HTTPS-GATEWAY → RDP-GATEWAY → Target).

Workspaces Version: 1.17.0.7f020d

Workspaces Installation Method: Single Server

Client Browser (please complete the following information): not applicable

Workspace Server Information (please provide the output of the following commands):

  • uname -a: Linux remote 6.1.0-40-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.153-1 (2025-09-20) x86_64 GNU/Linux
  • cat /etc/os-release: Debian GNU/Linux 12 (bookworm)
  • sudo docker info:
Client: Docker Engine - Community
 Version:    28.5.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.29.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.5.0
    Path:     /usr/local/lib/docker/cli-plugins/docker-compose

Server:
 Containers: 11
  Running: 11
  Paused: 0
  Stopped: 0
 Images: 11
 Server Version: 28.5.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan kasmweb/sidecar:1.2 macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: b98a3aace656320842a23f4a392a33f46af97866
 runc version: v1.3.0-0-g4ca628d1
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.1.0-40-amd64
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 15.62GiB
 Name: remote
 ID: a283bbdf-64be-4a54-9dfa-b2b1f79d46c4
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false
  • sudo docker ps | grep kasm:
98ce970c4d58   caddy                              "caddy run --config …"   8 days ago   Up 37 minutes             0.0.0.0:80->80/tcp, [::]:80->80/tcp, 0.0.0.0:443->443/tcp, [::]:443->443/tcp, 443/udp, 2019/tcp   kasm_caddy
f34aee5ad56f   kasmweb/proxy:1.17.0               "/docker-entrypoint.…"   8 days ago   Up 36 minutes             80/tcp, 0.0.0.0:8443->8443/tcp, [::]:8443->8443/tcp                                               kasm_proxy
f9728b4806ff   kasmweb/rdp-https-gateway:1.17.0   "/opt/rdpgw/rdpgw"       8 days ago   Up 36 minutes (healthy)                                                                                                     kasm_rdp_https_gateway
8e3eaa7dce58   kasmweb/agent:1.17.0               "python3 /src/Provis…"   8 days ago   Up 37 minutes (healthy)   4444/tcp                                                                                          kasm_agent
c0c255aab18a   kasmweb/kasm-guac:1.17.0           "/dockerentrypoint.sh"   8 days ago   Up 37 minutes (healthy)                                                                                                     kasm_guac
0112879d379b   kasmweb/manager:1.17.0             "python3 /src/api_se…"   8 days ago   Up 37 minutes (healthy)   8181/tcp                                                                                          kasm_manager
dbcfa3990b36   kasmweb/rdp-gateway:1.17.0         "/start.sh"              8 days ago   Up 36 minutes (healthy)   0.0.0.0:3389->3389/tcp, [::]:3389->3389/tcp                                                       kasm_rdp_gateway
18da94da22a1   kasmweb/share:1.17.0               "python3 /src/api_se…"   8 days ago   Up 37 minutes (healthy)   8182/tcp                                                                                          kasm_share
613cd905f527   redis:5-alpine                     "docker-entrypoint.s…"   8 days ago   Up 37 minutes             6379/tcp                                                                                          kasm_redis
7f5566899b45   kasmweb/api:1.17.0                 "/bin/sh -c /usr/bin…"   8 days ago   Up 36 minutes (healthy)   8080/tcp                                                                                          kasm_api
0089a6a4e5b5   kasmweb/postgres:1.17.0            "docker-entrypoint.s…"   8 days ago   Up 37 minutes (healthy)   5432/tcp                                                                                          kasm_db

Additional context

Proxies:

         connection_proxy_id          | connection_proxy_type | auth_token | server_port | server_address | proxy_port |       first_reported       |       last_reported        | operational_status |               zone_id                
--------------------------------------+-----------------------+------------+-------------+----------------+------------+----------------------------+----------------------------+--------------------+--------------------------------------
 3756c18c-9e2a-4cf3-8842-9a370d3a2f55 | RDP-HTTPS-GATEWAY     |            |        8443 | proxy          |            | 2025-10-15 16:32:04.471724 | 2025-10-24 10:11:27.301874 | running            | 5e4ea78f-9f01-45cb-9149-b242e4324f5b
 4b224116-9b17-48dc-a304-f05ec97f61d3 | RDP-GATEWAY           |            |        8443 | proxy          |       3389 | 2025-10-15 16:32:26.168971 | 2025-10-24 10:11:36.538731 | running            | 5e4ea78f-9f01-45cb-9149-b242e4324f5b
 fd0944a2-97d7-468a-8b7a-39a39678131f | GUAC                  |            |        8443 | proxy          |            | 2025-10-15 16:31:59.755977 | 2025-10-24 10:11:38.129722 | running            | 5e4ea78f-9f01-45cb-9149-b242e4324f5b

Logs:

/opt/kasm/current/log/api_server.log.3:2025-10-22 15:16:30,255 [ERROR] client_api_server: A connection proxy: 3756c18c-9e2a-4cf3-8842-9a370d3a2f55 other than the one hosting the Kasm session: 4b224116-9b17-48dc-a304-f05ec97f61d3 has called keepalive.
/opt/kasm/current/log/api_server.log.3:2025-10-22 15:17:00,266 [ERROR] client_api_server: A connection proxy: 3756c18c-9e2a-4cf3-8842-9a370d3a2f55 other than the one hosting the Kasm session: 4b224116-9b17-48dc-a304-f05ec97f61d3 has called keepalive.
/opt/kasm/current/log/api_server.log.3:2025-10-22 15:17:30,257 [ERROR] client_api_server: A connection proxy: 3756c18c-9e2a-4cf3-8842-9a370d3a2f55 other than the one hosting the Kasm session: 4b224116-9b17-48dc-a304-f05ec97f61d3 has called keepalive.
/opt/kasm/current/log/api_server.log.3:2025-10-22 15:18:00,263 [ERROR] client_api_server: A connection proxy: 3756c18c-9e2a-4cf3-8842-9a370d3a2f55 other than the one hosting the Kasm session: 4b224116-9b17-48dc-a304-f05ec97f61d3 has called keepalive.
/opt/kasm/current/log/api_server.log.3:2025-10-22 15:18:30,257 [ERROR] client_api_server: A connection proxy: 3756c18c-9e2a-4cf3-8842-9a370d3a2f55 other than the one hosting the Kasm session: 4b224116-9b17-48dc-a304-f05ec97f61d3 has called keepalive.
/opt/kasm/current/log/api_server.log.3:2025-10-22 15:19:00,263 [ERROR] client_api_server: A connection proxy: 3756c18c-9e2a-4cf3-8842-9a370d3a2f55 other than the one hosting the Kasm session: 4b224116-9b17-48dc-a304-f05ec97f61d3 has called keepalive.

straeb, Oct 24 '25 10:10
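
Added example (not Kasm code and not part of the original report): a triage pass over `api_server.log` that separates the RDP-HTTPS-GATEWAY → RDP-GATEWAY mismatch described in this issue from any other proxy calling keepalive for a session it does not host, so the 30-second noise does not bury an unexpected caller. The function name `triage`, the same-zone rule and the third sample line are assumptions; the proxy IDs and the message format are taken from the report.

```python
import re
from collections import Counter

# Error format as it appears in the api_server.log excerpt in this issue.
MISMATCH = re.compile(
    r"A connection proxy: (?P<caller>[0-9a-f-]{36}) other than the one hosting "
    r"the Kasm session: (?P<host>[0-9a-f-]{36}) has called keepalive\."
)

# Proxy inventory copied from the table in the issue: id -> (type, zone_id).
ZONE = "5e4ea78f-9f01-45cb-9149-b242e4324f5b"
HTTPS_GW = "3756c18c-9e2a-4cf3-8842-9a370d3a2f55"
RDP_GW = "4b224116-9b17-48dc-a304-f05ec97f61d3"
PROXIES = {
    HTTPS_GW: ("RDP-HTTPS-GATEWAY", ZONE),
    RDP_GW: ("RDP-GATEWAY", ZONE),
    "fd0944a2-97d7-468a-8b7a-39a39678131f": ("GUAC", ZONE),
}

def triage(lines, proxies=PROXIES):
    """Count mismatch errors per (caller, host): known bug pattern vs. needs review."""
    known, review = Counter(), Counter()
    for line in lines:
        m = MISMATCH.search(line)
        if m is None:
            continue
        caller, host = m["caller"], m["host"]
        c_type, c_zone = proxies.get(caller, (None, None))
        h_type, h_zone = proxies.get(host, (None, None))
        # Assumption: only the chain from the report, inside one zone, is benign.
        same_chain = ((c_type, h_type) == ("RDP-HTTPS-GATEWAY", "RDP-GATEWAY")
                      and c_zone == h_zone)
        bucket = known if same_chain else review
        bucket[(caller, host)] += 1
    return known, review

# Lines 1-2 are from the issue; line 3 is constructed, with a placeholder caller id.
UNKNOWN = "00000000-0000-0000-0000-000000000000"
MSG = ("[ERROR] client_api_server: A connection proxy: {} other than the one "
       "hosting the Kasm session: {} has called keepalive.")
SAMPLE = [
    "2025-10-22 15:16:30,255 " + MSG.format(HTTPS_GW, RDP_GW),
    "2025-10-22 15:17:00,266 " + MSG.format(HTTPS_GW, RDP_GW),
    "2025-10-22 15:17:10,000 " + MSG.format(UNKNOWN, RDP_GW),
]

if __name__ == "__main__":
    known, review = triage(SAMPLE)
    print("known bug pattern:", dict(known))
    print("review:", dict(review))
```

Refresh `PROXIES` from the connection proxy table before each run, since the IDs are specific to one deployment.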

Hi @straeb,

Thank you for bringing this to our attention. We were able to reproduce this issue. It appears this also occurs without an external reverse proxy. We've added this to our internal bug tracker so it can be addressed.

Ian-Kasmweb, Oct 28 '25 17:10

I have the same (Caddy reverse proxy, running on port 443. KASM single server install on a separate VM also running on port 443). If you need testing, my environment is not in production yet, testing should be easy to do ;)

RaZer0r, Nov 04 '25 13:11

Having this same issue on 1.18.1

linedpaper, Dec 02 '25 17:12