I've been troubleshooting this clientless SSL VPN issue now for what seems like years. It's hit or miss and I can never reproduce it. The problem is that remote users using the clientless SSL with the RDP plugin to access terminal servers randomly get disconnected.
From what I've gathered, it appears that they're working along and things freeze, and shortly thereafter they've been disconnected. They have to close everything, log back in to the ASA SSL and restart the terminal server session, which picks up right where they left off.
It doesn't seem to affect all remote users every time. Sometimes it's two users or just one, but never all users.
We've got a 3MB internet pipe into it and our bandwidth utilization is minimal, averaging maybe 15% on a normal day.
I can't see any errors on the ASA and no errors on the client. It's like the ASA has simply closed the SSL tunnel and that's it. Their internet still functions just fine when this happens, so I know it's not their provider's issue, and of course our internet for the company never misses a beat.
I've got the terminal server session color knocked as low as it'll go to help with the screen refresh rate, but it doesn't seem to help much. An example from just today: I've had a single user get disconnected three times in a matter of 30 minutes. However, he had been logged on and working for 3.5 hours prior to that just fine. No idle timeouts are taking effect either.
Anyone experienced this or something similar before and actually found a resolution or for sure cause?
We had a similar issue with an IOS SSL VPN gateway; it seemed we were missing the 'service tcp-keepalives ..' command on the router. We had dozens of stuck connections on the router, and putting the command in solved a similar issue for us. However, I doubt that would be the case on the ASA (just mentioning this to provide hints in the right direction, perhaps leading you to a solution).
It could also be related to MTU issues; did you check that?