Remote Desktop hangs when connecting from VPN

Ali Koussan
Level 1

Hi,

One of our clients is facing an issue with MS Remote Desktop when they connect from VPN. Remote Desktop to the same machine works perfectly from inside the network, but once they connect through VPN and try to access the same machine on port 3389, the remote desktop opens but freezes for a few seconds, then works again, and this behavior continues from time to time.

On the ASA, I'm getting the following message when the remote access VPN user opens a remote desktop to a local machine:

vpn user ip : 172.16.10.9

local machine ip :  10.10.52.20

6|Oct 20 2014|09:11:05|106015|172.16.10.9|59627|10.10.52.20|3389|Deny TCP (no connection) from 172.16.10.9/59627 to 10.10.52.20/3389 flags FIN ACK  on interface outside

At the beginning I suspected the IPS, so I put it in promiscuous mode. I could not find any problem with the VPN configuration; it has been working for a long time. Remote desktop was also working fine until last week, when the problem started.

I did some research; most people facing a similar issue ended up with some changes to the remote desktop application, not to the firewall or IPS.

Any idea about what can be done?

ASA version 8.4(7)

 

 

 

5 Replies

Peter Long
Level 1

The first time I saw this problem, this was the culprit.

On the server:

1. Start > Run > Regedit {enter}
2. Navigate to HKLM \ System \ Current Control Set \ Services \ TCPIP\ Parameters 
3. In the right hand pane, Right Click > New > DWORD
4. Call it EnablePMTUBHDetect and set its hex value to 1
5. Reboot the server

Occasionally you may need to set this on the client as well; let us know if that sorts the problem.

The next time I saw it, this was the problem:

Cannot Remote Desktop over VPN connection

Pete

Thanks Pete,

I'm going to try your suggestion, but can you please give some more information about this change in the registry?

Hi Pete,

I tried your suggestion but it did not help, but finally I found a solution!

I noticed another log message on the ASA:

|Oct 20 2014|09:06:04|302014|172.16.10.9|59438|10.10.52.20|3389|Teardown TCP connection 2284151 for outside:172.16.10.9/59438(LOCAL\100515) to inside:10.10.52.20/3389 duration 0:00:45 bytes 613815 Flow closed by inspection (100515)

So the RDP session was not hanging for 5-10 seconds; the flow was closed and re-established on the ASA, but because RDP is configured to time out after 20 seconds, the end user does not lose the RDP session, and it looks like it hangs for 10 seconds.

Now, what inspection can cause the RDP session flow to be closed? I have only the default inspection on the ASA. I did some research and found that the ASA handles RDP the same way it handles ICMP; how true that is, I'm not sure. Another finding is that the ASA has a default TCP inspection policy that may cause this kind of behavior. Anyway, I had inspect icmp under the class inspection_default, so I removed it, and after that RDP became stable.

Not seen that before? You can alter the timeout for RDP traffic, let me have a think...

 

access-list ACL-RDP-INSPECT permit tcp any host 10.10.52.20 eq 3389
!
class-map CM-RDP-INSPECT
 match access-list ACL-RDP-INSPECT
!
policy-map PM-RDP-TIMEOUT
 class CM-RDP-INSPECT
  set connection timeout tcp 0:09:00 reset
!
service-policy PM-RDP-TIMEOUT interface outside

That sets it to 9 minutes (change accordingly)

 

Pete

I got that from my post here 

See http://technet.microsoft.com/en-us/library/cc960465.aspx

Why that fixed it for me before, I don't know. If memory serves, Microsoft third-line support did it to fix the problem.

 

PL
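
An added example, not part of the original thread: the two ASA messages quoted above (302014 teardown and 106015 "no connection" deny) can be correlated to check whether the freezes line up with flows the ASA itself closed. The sample lines are constructed in the ASDM pipe-delimited layout shown in the thread; the function names and the 30-second window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines, modelled on the two ASDM log lines quoted in the thread.
SAMPLE = r"""
|Oct 20 2014|09:06:04|302014|172.16.10.9|59438|10.10.52.20|3389|Teardown TCP connection 2284151 for outside:172.16.10.9/59438(LOCAL\100515) to inside:10.10.52.20/3389 duration 0:00:45 bytes 613815 Flow closed by inspection (100515)
6|Oct 20 2014|09:06:05|106015|172.16.10.9|59438|10.10.52.20|3389|Deny TCP (no connection) from 172.16.10.9/59438 to 10.10.52.20/3389 flags FIN ACK  on interface outside
6|Oct 20 2014|09:06:06|106015|10.10.52.20|3389|172.16.10.9|59438|Deny TCP (no connection) from 10.10.52.20/3389 to 172.16.10.9/59438 flags ACK  on interface inside
6|Oct 20 2014|09:07:00|302014|172.16.10.9|59500|10.10.52.20|3389|Teardown TCP connection 2284160 for outside:172.16.10.9/59500 to inside:10.10.52.20/3389 duration 0:10:02 bytes 90211 TCP FINs
6|Oct 20 2014|09:11:05|106015|172.16.10.9|59627|10.10.52.20|3389|Deny TCP (no connection) from 172.16.10.9/59627 to 10.10.52.20/3389 flags FIN ACK  on interface outside
"""

# Teardown text ends with: duration h:mm:ss bytes N <reason> [(user)]
TEARDOWN = re.compile(
    r"duration \d+:\d\d:\d\d bytes \d+(?: (?P<reason>.+?))?(?: \(\S+\))?$")

def parse(line):
    """Split one ASDM-exported line into a dict; None if it is not in that layout."""
    parts = line.strip().split("|", 8)
    if len(parts) != 9:
        return None
    _sev, date, time, msgid, src, sport, dst, dport, text = parts
    try:
        when = datetime.strptime(f"{date} {time}", "%b %d %Y %H:%M:%S")
        ends = sorted([(src, int(sport)), (dst, int(dport))])
    except ValueError:
        return None
    # Direction-independent key, so denies in either direction hit the same flow.
    return {"when": when, "id": msgid, "flow": tuple(ends), "text": text}

def stray_packets_after_teardown(lines, window=30):
    """Map flow -> (teardown reason, count of 106015 denies seen within
    `window` seconds after the 302014 teardown of that same flow)."""
    closed, hits = {}, Counter()
    for ev in filter(None, map(parse, lines)):
        if ev["id"] == "302014":
            m = TEARDOWN.search(ev["text"])
            closed[ev["flow"]] = (ev["when"], m.group("reason") if m else None)
        elif ev["id"] == "106015" and ev["flow"] in closed:
            delta = (ev["when"] - closed[ev["flow"]][0]).total_seconds()
            if 0 <= delta <= window:
                hits[ev["flow"]] += 1
    return {flow: (closed[flow][1], n) for flow, n in hits.items()}

if __name__ == "__main__":
    for flow, (reason, n) in stray_packets_after_teardown(SAMPLE.splitlines()).items():
        print(flow, reason, n)
```
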