Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
761
Views
0
Helpful
7
Replies

Can no longer RDP into one of my servers from outside my firewall

Go to solution
aaron.grussner
Level 1
Level 1

‎06-30-2010 05:50 AM - edited ‎03-11-2019 11:05 AM

I have several servers that my consultants RDP into from outside our firewall and some that are used for client demos. For some reason one of them will no longer allow anyone to RDP into it from outside the firewall but from inside the firewall it works fine. There haven't been any changes to the firewall setup in over 6 months so why would it now stop allowing access to just this one server? This is a Windows Server 2003 which is the same as all the other servers and all of them are virtual servers running on VMWare ESX servers. Thanks for any help.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Kevin Redmon
Cisco Employee
Cisco Employee

‎06-30-2010 06:11 AM

Aaron,

Were there any updates made to the operating system?  Is Windows firewall enabled on this device? Has any routing changes been made (on the firewall or elsewhere on the network) between the source and destination?  What is different about this RDP server versus the others that are working - # of NICs, location in the network, the port that it is plugged into, etc?  What has changed on the server/network since before it worked and now that it is not working?

Once you have answered these questions, here are a few steps that we (TAC Firewall) often start with:

1.) Turn on logging on the Firewall, preferably at the debugging level, increasing the buffer-size sufficiently to allow you to see any syslog messages created on the firewall.

logging enable

logging buffered debugging

logging buffer-size 1024000

2.) Enable packet captures on the ingress and egress of the firewall for the traffic in question:

For ASA 8.0+, the syntax for this would be:

capture capin interface match tcp host host buffer 512000

capture capin interface match tcp host  host buffer 512000

For other firewall platforms, and for how to clear/remove/download the captures, consider the following link:

https://supportforums.cisco.com/docs/DOC-1222

3.) Attempt the RDP connection through the firewall that is not working and then immediately do a 'show log | inc '

4.) Download the packet captures (in *.pcap format) and compare the inside and outside packet captures using Wireshark or other packet capture utility that supports libpcap format.

5.) If you notice that a particular packet is seen on the inside but not the outside packet captures, consider doing the following:

a.) Clear the ASP (Accelerated Security Path) drop counters:

clear asp drop

b.) capture all ASP dropped packets:

capture capasp type asp-drop all buffer 1024000

c.) Quickly run the failed session again.

d.) Immediately look at the ASP counters:

show asp drop

e.) If you notice a particular counter that has increased during the timespan, you can do a 'show capture capasp | inc ' to see if the client was the cause of that counter increasing.

You can also adjust the 'asp-drop all' keywords to be more specific if you see more than one drop counter increase.

You may also benefit from repeating steps 1-4 for a WORKING RDP session as a comparative study.  From the syslogs and the packet captures, this will assist in determining whether or not the firewall is at fault and how the firewall may be affecting the packets and/or packet flow.

Hope that helps,

Kevin

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Kevin Redmon
Cisco Employee
Cisco Employee

‎06-30-2010 06:11 AM

Aaron,

Were there any updates made to the operating system?  Is Windows firewall enabled on this device? Has any routing changes been made (on the firewall or elsewhere on the network) between the source and destination?  What is different about this RDP server versus the others that are working - # of NICs, location in the network, the port that it is plugged into, etc?  What has changed on the server/network since before it worked and now that it is not working?

Once you have answered these questions, here are a few steps that we (TAC Firewall) often start with:

1.) Turn on logging on the Firewall, preferably at the debugging level, increasing the buffer-size sufficiently to allow you to see any syslog messages created on the firewall.

logging enable

logging buffered debugging

logging buffer-size 1024000

2.) Enable packet captures on the ingress and egress of the firewall for the traffic in question:

For ASA 8.0+, the syntax for this would be:

capture capin interface match tcp host host buffer 512000

capture capin interface match tcp host  host buffer 512000

For other firewall platforms, and for how to clear/remove/download the captures, consider the following link:

https://supportforums.cisco.com/docs/DOC-1222

3.) Attempt the RDP connection through the firewall that is not working and then immediately do a 'show log | inc '

4.) Download the packet captures (in *.pcap format) and compare the inside and outside packet captures using Wireshark or other packet capture utility that supports libpcap format.

5.) If you notice that a particular packet is seen on the inside but not the outside packet captures, consider doing the following:

a.) Clear the ASP (Accelerated Security Path) drop counters:

clear asp drop

b.) capture all ASP dropped packets:

capture capasp type asp-drop all buffer 1024000

c.) Quickly run the failed session again.

d.) Immediately look at the ASP counters:

show asp drop

e.) If you notice a particular counter that has increased during the timespan, you can do a 'show capture capasp | inc ' to see if the client was the cause of that counter increasing.

You can also adjust the 'asp-drop all' keywords to be more specific if you see more than one drop counter increase.

You may also benefit from repeating steps 1-4 for a WORKING RDP session as a comparative study.  From the syslogs and the packet captures, this will assist in determining whether or not the firewall is at fault and how the firewall may be affecting the packets and/or packet flow.

Hope that helps,

Kevin

0 Helpful

Go to solution
aaron.grussner
Level 1
Level 1
In response to Kevin Redmon

‎06-30-2010 06:33 AM

Thanks Kevin, this was working as of last wednesday and any updates that were applied have been wiped out since I rolled the system back to a snapshot from April and still have the same problem. This is an ASA 5510 running 7.22 which hasn't had any changes in over 6 months so I'm not really sure what may have happened to cause my problem. From inside the firewall I can RDP into the server without any problems it's just when I try to connect from outside the firewall that I can't get in. Checking from outside the firewall I get no response from port 3389 on that server but my other servers show that port 3389 is open. The windows firewall is disabled on these servers and I removed the anti-virus to make sure that wasn't causing the problem. There's only one NIC in these servers. I'll check the logging info and see what I can find. Our ISP is Comcast and they claim they haven't made any changes but I tend to never believe them from past issues I've had with them. What could Comcast have changed to cause my problem?

0 Helpful

Go to solution
Kevin Redmon
Cisco Employee
Cisco Employee
In response to aaron.grussner

‎06-30-2010 06:37 AM

Aaron,

If you do the packet captures on the outside of the ASA for the relevant traffic and don't see it arrive on the ASA, this is good fodder to take back to your ISP and let them know that the ball is in their court.

Good Luck - let us know what you find!

Best Regards,

Kevin

0 Helpful

Go to solution
aaron.grussner
Level 1
Level 1
In response to Kevin Redmon

‎06-30-2010 07:03 AM

So I checked the packets through the ASDM and tried to coneect to a working RDP server and the one I can't access. The working server I see the requests come in for the NAT IP address but on the none working server I never get any requests for that NAT IP address. So the way I see it, Comcast is blocking access to that IP address for some reason or am I wrong?

0 Helpful

Go to solution
Kevin Redmon
Cisco Employee
Cisco Employee
In response to aaron.grussner

‎06-30-2010 09:59 AM

Aaron,

Yes - the packet captures on the ASA are pretty accurate.  If you don't see it on the outside interface of the ASA, it likely isn't being delivered by your ISP.

Let me know what you find!

Best Regards,

Kevin

0 Helpful

Go to solution
aaron.grussner
Level 1
Level 1
In response to Kevin Redmon

‎06-30-2010 10:34 AM

I finally got someone at Comcast that actually understood what I was telling him and

he found a setting wrong on their router. Something about it had something to do with NAT routing and it was disabled so as soon as he enabled it the server started working again. He has no idea why or how it got changed which is typical when dealing with them but at least it's working now. Thanks for the help.

0 Helpful

Go to solution
Kevin Redmon
Cisco Employee
Cisco Employee
In response to aaron.grussner

‎06-30-2010 11:29 AM

Aaron,


Great news - thanks for the follow-up.

Have a great week.

Kevin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card