ASA RDP Disconnects intermittently

workorderps
Level 1

Hi, I have been searching high and low regarding intermittent disconnects for RDP sessions.

Am interested in any pointers.

The situation is the following: multiple RDP servers behind an ASA; sometimes one user, and sometimes all users connected to one server from outside our ASA, suffer intermittent disconnects (once a day, once a week, a couple of times a day, etc.). We have never noticed this when connected for many hours within the internal network, so I rule out servers, NICs and switches, and try to concentrate fault finding on the ASA as the common bottleneck. The inbound connection is fibre, full duplex, no packet loss according to our national ISP, so we have no known issues with this connectivity.

ASA config is pretty much straightforward, allowing RDP through to dedicated servers. Haven't touched timeout, nor inspect.

What would YOU test or look for first in fault finding this? What should I look for in the syslogs? Could the timeouts be spooking us, or MTU, or random PAT conflicts, or is there no way that it's the ASA that is the trouble?

best regards / Peter Strömblad / PraktIT - Sweden

6 Replies

tostevens
Level 1

Take a very careful look at the network stats on the ASA's INSIDE & OUTSIDE ethernet network connections. I have seen this issue caused by intermittent ethernet errors on 1 of the interfaces, could be duplex issue, bad cable, faulty interface on a switch or router, could also be something like a 62 micron fiber patch cable being used in a 50 micron interface or CAT 5 or 5e patch cable in a gig interface.

Thanks for the input. We had the problem before our fibre connection as well (it is just a month old).

Here's a listing of the current stats:

Result of the command: "show interface"

Interface Vlan1 "inside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 001a.e2f0.286b, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
6007191 packets input, 2395218894 bytes
5643873 packets output, 1954769108 bytes
33565 packets dropped
      1 minute input rate 38 pkts/sec,  38079 bytes/sec
      1 minute output rate 30 pkts/sec,  4904 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 15 pkts/sec,  10450 bytes/sec
      5 minute output rate 13 pkts/sec,  2471 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan2 "outside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 001a.e2f0.286b, MTU 1500
IP address 62.20.118.66, subnet mask 255.255.255.192
  Traffic Statistics for "outside":
5583229 packets input, 2605820516 bytes
6036436 packets output, 2524059825 bytes
90813 packets dropped
      1 minute input rate 31 pkts/sec,  5005 bytes/sec
      1 minute output rate 38 pkts/sec,  38121 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 14 pkts/sec,  2589 bytes/sec
      5 minute output rate 15 pkts/sec,  10589 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan3 "dmz", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 001a.e2f0.286b, MTU 1500
IP address 10.0.1.1, subnet mask 255.255.255.0
  Traffic Statistics for "dmz":
39080 packets input, 18225374 bytes
36364 packets output, 11303979 bytes
286 packets dropped
      1 minute input rate 0 pkts/sec,  1 bytes/sec
      1 minute output rate 0 pkts/sec,  1 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  153 bytes/sec
      5 minute output rate 0 pkts/sec,  72 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan13 "Customers", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
Description: Leased Line Customers
MAC address 001a.e2f0.286b, MTU 1500
IP address 192.168.5.1, subnet mask 255.255.255.0
  Traffic Statistics for "Customers":
618885 packets input, 108307909 bytes
938810 packets output, 938069579 bytes
13798 packets dropped
      1 minute input rate 0 pkts/sec,  13 bytes/sec
      1 minute output rate 0 pkts/sec,  8 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  23 bytes/sec
      5 minute output rate 0 pkts/sec,  12 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001a.e2f0.2863, MTU not set
IP address unassigned
5591311 packets input, 2717269985 bytes, 0 no buffer
Received 40202 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
8177 switch ingress policy drops
6036359 packets output, 2636347937 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001a.e2f0.2864, MTU not set
IP address unassigned
1716264 packets input, 1476457557 bytes, 0 no buffer
Received 1332 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
1317939 packets output, 153754111 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/2 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001a.e2f0.2865, MTU not set
IP address unassigned
5950824 packets input, 2260940166 bytes, 0 no buffer
Received 35112 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
9 switch ingress policy drops
6025744 packets output, 3146147194 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/3 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001a.e2f0.2866, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/4 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001a.e2f0.2867, MTU not set
IP address unassigned
40480 packets input, 19213423 bytes, 0 no buffer
Received 665 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
1400 switch ingress policy drops
36364 packets output, 12031710 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/5 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001a.e2f0.2868, MTU not set
IP address unassigned
625653 packets input, 122002656 bytes, 0 no buffer
Received 4362 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
6764 switch ingress policy drops
938810 packets output, 955095875 bytes, 0 underruns
7212 output errors, 5001 collisions, 0 interface resets
0 late collisions, 1785 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/6 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001a.e2f0.2869, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/7 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001a.e2f0.286a, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
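As an added example (not from the thread or from Cisco), a small Python script that does the first check suggested above mechanically: it parses output in the same format as the "show interface" listing, records the negotiated duplex and the physical error and collision counters per interface, and flags the interfaces worth looking at first. The sample input is constructed from two of the blocks above.

```python
import re
# Constructed sample modelled on the "show interface" output quoted above; the
# counters are the ones from the Ethernet0/2 and Ethernet0/5 blocks in the post.
SAMPLE = """\
Interface Ethernet0/2 "", is up, line protocol is up
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
Interface Ethernet0/5 "", is up, line protocol is up
Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
7212 output errors, 5001 collisions, 0 interface resets
0 late collisions, 1785 deferred
"""

INTF_RE = re.compile(r'^Interface (\S+) "([^"]*)", is (\w+), line protocol is (\w+)')
DUPLEX_RE = re.compile(r"\((Half|Full)-duplex\)")
# Counters that point at a physical or layer-2 fault; "packets dropped" is left out on
# purpose because on the ASA it also counts ACL and policy drops, which are expected.
COUNTER_RE = re.compile(r"(\d+) (input errors|CRC|frame|output errors|late collisions|collisions)")

def parse_show_interface(text):
    """Split ASA 'show interface' output into one dict per interface block."""
    interfaces, cur = [], None
    for line in text.splitlines():
        m = INTF_RE.match(line)
        if m:
            cur = {"name": m.group(1), "nameif": m.group(2), "duplex": None, "counters": {}}
            interfaces.append(cur)
        elif cur is not None:
            d = DUPLEX_RE.search(line)
            if d:
                cur["duplex"] = d.group(1).lower()
            for value, key in COUNTER_RE.findall(line):
                cur["counters"][key] = int(value)
    return interfaces

def find_suspects(interfaces):
    """Return (name, reasons) for interfaces to check first: half duplex or any
    non-zero error/collision counter, as the replies in the thread recommend."""
    findings = []
    for i in interfaces:
        reasons = ["half duplex: check for a speed/duplex mismatch with the peer"] \
            if i["duplex"] == "half" else []
        reasons += [f"{n} {key}" for key, n in i["counters"].items() if n]
        if reasons:
            findings.append((i["name"], reasons))
    return findings
```

Run against the full listing above it reports only Ethernet0/5, the one interface that negotiated half duplex and shows output errors and collisions.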

I am not sure if you have TD (threat detection) enabled; if you do, please remove it.

sh run threat

Copy and paste all the lines back with a "no" in front of them.

Give that a shot. Besides that we need to see the logs (debug level) when the connection fails and the next thing would be to collect captures ingress and egress and see what might be happening.

-KS

I looked through the output; there are a lot of dropped packets, but that could be normal. One thing I would recommend is to bag all of the auto interface configs. Basically, change every interface that connects a router port to a firewall port, and vice versa, to fixed 100 full duplex. Not sure if this is your issue, but I have had a similar issue to yours and that was the fix.

What do you mean by "bag"?

I compared the stats against several other ASAs we have installed at client locations. They all signal dropped packets when an ACL triggers, so the more attacks (or the harder the rules), the more drops. In none of the cases, except one of the interfaces above, are there collisions, and no interfaces have any physical errors reported.

What is your opinion about the advice at:

http://www.checkthenetwork.com/networksecurity%20Cisco%20ASA%20Firewall%20Best%20Practices%20for%20Firewall%20Deployment%201.asp

especially regarding the sentence:

Best practice – Start with nat-control and avoid the potential of breaking existing data flows by entering a NAT command.

Thanks for all insights. I'll put in serious effort this weekend, so any pointers on what to look for are much appreciated.

Cheers / Peter

By "bag" I mean get rid of, sorry. I personally have never had nat-control be an issue for me, but it sounds reasonable enough.
