I have inherited the support of an ASA5520 running 8.0(3)12 code and I believe I have a pretty simple question here that I haven't been able to figure out on my own. I have a few users that connect to the box via IPSEC VPN client connections. They want to be able to leave up an RDP based connection, for monitoring purposes, for most of the day, but their RDP connection keeps getting disconnected after a few hours. The VPN connection never gets disconnected, just the RDP session running through it. I have another box running 8.0(4) code and they can leave up the RDP sessions as long as they like without getting disconnected from the server(s). I have compared the configs of both boxes and don't see any glaring differences in regards to the configuration that would cause the RDP sessions either to stay up or to be disconnected after an inactivity type scenario.
Would someone here be able to give me some idea of what to look for in regards to identifying the timer that is disconnecting the RDP session after a period of time? Whatever feedback is provided would be greatly appreciated.
The behaviour on version 8.0.4 is more a bug than a feature. If there is no traffic going through the RDP session, the firewall should really tear down the connection, hence the RDP session is disconnected. This is the TCP proxy behaviour where the idle timeout kicks in so an attacker can't launch an attack using the same session if it is left idle for too long.
If you would need to keep the RDP session up for a long time, I would suggest the following 2 options:
1) Run a probe/continuous ping through the RDP session to keep the RDP up.
2) Configure the TCP idle timeout on the ASA specifically for only the RDP session to be zero, i.e. no idle timeout. That would keep the RDP session up, but bear in mind that this keeps the resource/connection up on the ASA even though it is not being used. Depending on how many RDP sessions you have, and how busy your ASA is, the longer the session is kept even though it is not being used, the more resources it uses on the ASA.
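As an added example (not from the original thread or from Cisco documentation), this is what option 2 looks like on the ASA CLI. It assumes RDP runs on TCP/3389, that the default `global_policy` policy-map is in use, and that the ACL and class-map names below are free to use. The timeout keyword differs by release: 8.0 uses `set connection timeout tcp`, while 8.2 and later use `set connection timeout idle`.

```cisco
! Added example, not part of the original thread.
! Assumes RDP on TCP/3389 and the default global_policy.
! Match only RDP so the global idle timer (timeout conn) still
! protects every other TCP connection through the box.
access-list RDP_LONG_IDLE extended permit tcp any any eq 3389
!
class-map CM_RDP_LONG_IDLE
 match access-list RDP_LONG_IDLE
!
! 0:0:0 disables the idle timer for matched connections, as the
! answer above describes. A long finite value such as 12:00:00 is
! the lower-risk alternative: a dead session then cannot hold a
! conn-table entry forever. On 8.2+ replace "tcp" with "idle".
policy-map global_policy
 class CM_RDP_LONG_IDLE
  set connection timeout tcp 0:0:0
!
service-policy global_policy global
!
! Checks: confirm the per-class timer is applied and compare the
! global defaults with the 8.0(4) box that behaves differently.
show running-config timeout
show running-config policy-map
show service-policy
```

Apply the class only to the hosts that actually need it (restrict the ACL source/destination rather than `any any`) so that the exemption from the idle timer is as narrow as the monitoring use case requires.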