I have a hard time to find a reason for RDP dropping in the AnyConnect remote access VPN.
In end of June we upgraded our 5585-X to OS 9.1(2) to use with ASA CX after that some users have complaind about problems with the VPN serivice terminated on the same box.
At first, some weeks after the upgrad, you could not use RDP via AnyConnect VPN but if they tried via the old Citrix solution it worked.
Same for a web editing solution called Litium, when trying to publish a change the page were just spining.
The CX module got turned of but the VPN problem remained. Beqause of change stop and general holliday it was decided to wait until now.
Now, without any known changes, Litium-editing works and RDP works better. RDP still freezes and restart the connection after time out.
Before you could not work via RDP and now its more of an big annoyances with RDP freezing all the time. And I have noticed that file copy can freeze some times.
The VPN seems stable cant see that there is a problem the tunnel it self, just some traffic inside.
I have not heard anything about these problems before the upgrade, but I can still not prove that it's beqause of the upgrade (or not).
I have done capture on the ASA inside interface, on the server on the host inside tunnel and outside tunnel.
I can see a pause and then a RST, RDP starts again. In another capture (not in all) I can see TCP retransmissions and TCPACKed unseen segment.
Could this be MTU? With RDP using the DF bit from the server.
MTU is default to 1406
Any good tip for troubleshooting appreciated. :-)
I have tried som diffrent things here.
I have lowered MTU to 1200, no change.
I have tried diffrent combination of turning of compression, enabe df-bit-ignore and turning DTLS off.
I cant see any diffrence on the connection, tunnel is upp traffic inside suffers from some sort of delay.
And I cant see anything special in the log.
Any ASP drop I could look for here?
I still have a TAC case going on this so no solution yet.
Latest test I did, today, were to run RDP both inside and outside the VPN tunnel from the same client and capture the traffic. Outside did work well, inside had the same problem as before.
I have done diffrent tests in the infrastructure to rule out stuff like ESXi, access swiches, core etc, left is only the ASA.
I also did try a 'downgrade' to 9.0(3) with a later reales date then 9.1(2) but with the same result.
Sent from Cisco Technical Support iPhone App
I also experienced this issue when upgrading to 9.0.3.
I have frequent random RDP disconnects. And no amount of MTU massaging will fix it.
After some investigation, it looks like RDP 7 packets can't be fragmented and ASA 9.0.3 somehow tries to fragment the packets.
This issue should not be encountered with RDP8, however it is unfeasible to upgrade all our Windows desktop/ servers to RDP 8, so I rolled back to 9.0.1 which is the latest version I know that does not exhibit this issue
Did you only see this on RDP?
I see drops on other applications as well. Fex copying files from mapped drives dosent work well.
Well, everyone here RDPs to their VM and then do their work from there.
And most of the work is just browser based, and this seemed ok.
However, bear in mind that the RDP sessions disconnected every 5 minutes or so and at the end no one wanted to work.
So I am not too sure if others things are affected.
I suspected that applications that are MTU sensitive with unfragmentable packets get affected. Perhaps the code reduces the maximum MTU or tries to fragment packets erroneously.
I downgraded to 9.0.1 (which we;ve been running for months) and no issues so far
Good news, Cisco TAC has confirmed the error and proposed a fix.
Hope you are doing great!
I have good news, I was able to reproduce the issue in a lab and it seems that those versions are affected by CSCui40499, this bug is a duplicate and has been superseded by CSCuh13899. Those bugs share the same root cause even though the symptoms are different.
Basically CSCui40499 is a broken inspection that will close TCP connections like RDP. Currently CSCui40499 is not visible for the public and I cannot tell you more about it for confidentiality reasons, I hope you understand.
Another good news is that these bugs are fixed in the interim image
9.1.2(8) that was recently released.
Hope this helps