10-21-2014 01:05 AM
Hi,
One of our clients is facing an issue with MS Remote Desktop when they connect from VPN. Remote Desktop to the same machine works perfectly from inside the network, but once connected through VPN and trying to access the same machine on port 3389, the Remote Desktop opens but freezes for a few seconds, then works again, and this behaviour continues from time to time.
On the ASA, I'm getting the following message when the remote access VPN user opens Remote Desktop to a local machine:
VPN user IP: 172.16.10.9
local machine IP: 10.10.52.20
6|Oct 20 2014|09:11:05|106015|172.16.10.9|59627|10.10.52.20|3389|Deny TCP (no connection) from 172.16.10.9/59627 to 10.10.52.20/3389 flags FIN ACK on interface outside
At the beginning I suspected the IPS, so I put it in promiscuous mode. I could not find any problem with the VPN configuration; it has been working for a long time, and Remote Desktop was also working fine until last week, when the problem started.
I did some research; most of the people facing a similar issue ended up making some changes to the Remote Desktop application, not to the firewall or IPS.
Any idea about what can be done?
ASA version 8.4(7)
10-21-2014 01:35 AM
The first time I saw this problem, this was the culprit:
On the server
1. Start > Run > Regedit {enter}
2. Navigate to HKLM \ System \ CurrentControlSet \ Services \ TCPIP \ Parameters
3. In the right hand pane, Right Click > New > DWORD
4. Call it EnablePMTUBHDetect and set its hex value to 1
5. Reboot the server
Occasionally you may need to set this on the client as well; let us know if that sorts the problem.
The next time I saw it, this was the problem:
Cannot Remote Desktop over VPN connection
Pete
10-21-2014 01:54 AM
Thanks Pete,
I'm going to try your suggestion, but can you please give some more information about this change in the registry?
10-21-2014 10:37 PM
Hi Pete,
I tried your suggestion but it did not help, but finally I found a solution!
I noticed another log message on the ASA:
|Oct 20 2014|09:06:04|302014|172.16.10.9|59438|10.10.52.20|3389|Teardown TCP connection 2284151 for outside:172.16.10.9/59438(LOCAL\100515) to inside:10.10.52.20/3389 duration 0:00:45 bytes 613815 Flow closed by inspection (100515)
So the RDP session was not hanging for 5-10 seconds; the flow was closed and re-established on the ASA, but because RDP is configured to time out after 20 seconds, the end user does not lose the RDP session, and it looks like it hangs for 10 seconds.
Now, what inspection can cause the RDP session flow to be closed? I have only the default inspection on the ASA. I did some research and found that the ASA handles RDP the same way it handles ICMP; how true that is, I'm not sure. Another finding is that the ASA has a default TCP inspection policy that may cause this kind of behaviour. Anyway, I had inspect icmp under the class inspection_default, so I removed it, and after that RDP became stable.
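The two ASA messages quoted in this thread are the whole diagnostic story: a 302014 teardown carrying "Flow closed by inspection" after a short duration, followed by 106015 "Deny TCP (no connection)" for the late FIN/ACK of the flow the ASA has already forgotten. The following is an added example, not code from the original post or from Cisco, that parses that pipe-delimited syslog layout and flags short-lived port 3389 flows torn down by inspection so the pattern can be spotted in bulk rather than by eye. The sample lines are constructed to mirror the ones in the thread; the port, the 60-second threshold and the field order are assumptions matching the quoted output.

```python
import re
from collections import Counter

# Constructed sample lines in the pipe-delimited ASA syslog layout quoted in the thread
# (severity|date|time|message id|src ip|src port|dst ip|dst port|message text).
SAMPLE_LOGS = [
    "6|Oct 20 2014|09:06:04|302014|172.16.10.9|59438|10.10.52.20|3389|"
    "Teardown TCP connection 2284151 for outside:172.16.10.9/59438(LOCAL\\100515) "
    "to inside:10.10.52.20/3389 duration 0:00:45 bytes 613815 Flow closed by inspection (100515)",
    "6|Oct 20 2014|09:11:05|106015|172.16.10.9|59627|10.10.52.20|3389|"
    "Deny TCP (no connection) from 172.16.10.9/59627 to 10.10.52.20/3389 flags FIN ACK on interface outside",
    # a healthy long RDP flow ended by the endpoints themselves: must not be flagged
    "6|Oct 20 2014|09:30:00|302014|172.16.10.9|60001|10.10.52.20|3389|"
    "Teardown TCP connection 2290000 for outside:172.16.10.9/60001(LOCAL\\100515) "
    "to inside:10.10.52.20/3389 duration 0:10:00 bytes 9999 TCP FINs (100515)",
    # an inspection close on a different port: outside the scope of the check
    "6|Oct 20 2014|09:40:00|302014|172.16.10.9|60002|10.10.52.20|443|"
    "Teardown TCP connection 2290001 for outside:172.16.10.9/60002(LOCAL\\100515) "
    "to inside:10.10.52.20/443 duration 0:00:10 bytes 100 Flow closed by inspection (100515)",
]

FIELDS = ("severity", "date", "time", "msg_id", "src_ip", "src_port",
          "dst_ip", "dst_port", "text")
DURATION_RE = re.compile(r"duration (\d+):(\d\d):(\d\d)")
CONN_RE = re.compile(r"Teardown TCP connection (\d+)")


def parse_asa_line(line):
    """Split one pipe-delimited ASA line into a dict; returns None if malformed."""
    parts = line.split("|", 8)
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["src_port"] = int(rec["src_port"])
        rec["dst_port"] = int(rec["dst_port"])
    except ValueError:
        return None
    m = DURATION_RE.search(rec["text"])
    rec["duration_s"] = (int(m.group(1)) * 3600 + int(m.group(2)) * 60
                         + int(m.group(3))) if m else None
    c = CONN_RE.search(rec["text"])
    rec["conn_id"] = int(c.group(1)) if c else None
    rec["closed_by_inspection"] = "Flow closed by inspection" in rec["text"]
    return rec


def inspection_teardowns(lines, dst_port=3389, max_duration_s=60):
    """Return 302014 teardowns to dst_port that the inspection engine closed
    after a short life: the signature of the flow reset described in the thread.
    Each hit is (time, src_ip, conn_id, duration_s)."""
    hits = []
    for line in lines:
        rec = parse_asa_line(line)
        if rec is None or rec["msg_id"] != "302014":
            continue
        if rec["dst_port"] != dst_port or not rec["closed_by_inspection"]:
            continue
        if rec["duration_s"] is not None and rec["duration_s"] <= max_duration_s:
            hits.append((rec["time"], rec["src_ip"], rec["conn_id"], rec["duration_s"]))
    return hits


def stray_no_connection_denies(lines, dst_port=3389):
    """Count 106015 'Deny TCP (no connection)' per (src, dst) pair on dst_port.
    These are the late FIN/ACKs of flows the ASA has already torn down."""
    counts = Counter()
    for line in lines:
        rec = parse_asa_line(line)
        if rec and rec["msg_id"] == "106015" and rec["dst_port"] == dst_port:
            counts[(rec["src_ip"], rec["dst_ip"])] += 1
    return counts


if __name__ == "__main__":
    for hit in inspection_teardowns(SAMPLE_LOGS):
        print("RDP flow closed by inspection:", hit)
    print("stray FIN/ACK denies:", dict(stray_no_connection_denies(SAMPLE_LOGS)))
```

Run against a syslog export from the ASA, a burst of short-lived inspection teardowns on 3389 from one VPN address, each shadowed by a 106015 for the same pair, points at the inspection policy rather than at the VPN tunnel or the RDP client, which is exactly the conclusion reached above.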
10-23-2014 03:58 AM
Not seen that before. You can alter the timeout for RDP traffic; let me have a think...
access-list ACL-RDP-INSPECT permit tcp any host 10.10.52.20 eq 3389
!
class-map CM-RDP-INSPECT
match access-list ACL-RDP-INSPECT
!
policy-map PM-RDP-TIMEOUT
class CM-RDP-INSPECT
set connection timeout tcp 0:09:00 reset
!
service-policy PM-RDP-TIMEOUT interface outside
That sets it to 9 minutes (change accordingly).
Pete
I got that from my post here.
10-23-2014 05:12 AM
See http://technet.microsoft.com/en-us/library/cc960465.aspx
Why that fixed it for me before, I don't know; if memory serves, Microsoft third-line support did it to fix the problem.
PL