mydware


Broken Remote Desktop Sessions over VPN PLEASE HELP!

Alright here’s hoping someone has had this problem before and knows how to solve it.  We have an office with all desktops running Windows XP Professional.  We also have a Linux box running the firewall and VPN tunnels.  The box is running m0n0wall 1.2.

We have been using VPN and RDP on numerous occasions before, and now all of a sudden it does not work anymore.  We are able to establish the VPN tunnel which is made from a desktop running Windows XP Pro in another office.  We use XP’s built-in PPTP software and connect over the internet to the office in question’s m0n0wall box.  The VPN tunnel gets established without any issues.

The problem is when I try to use Remote Desktop over the VPN, it no longer works.  It gives the following error when I try to connect: “The connection to the remote computer was broken.  This may have been caused by a network error.  Please try connecting to the remote computer again.”

It does this on every single computer in that office.  The VPN tunnel works fine, it never drops and I get no errors reported from it.  I have tried rebooting every computer in question including the m0n0wall box and get the same results.

Why all of a sudden would the RDP sessions be getting “BROKEN” when they have been working fine all along?

PLEASE HELP!
Rob Williams

Have the firewalls become enabled on the XP machines either by an update, or installing SP1 on a Server 2003 domain controller?
mydware

ASKER

No, Windows XP firewalls are all disabled.

They are all Windows XP Pro boxes with SP2, and we are not using any 2003 domain controller.

Thanks for your reply.
Not sure if you put this in the description above, but when on the local network can you remote desktop the computers without issues?  The other question is how stable is the internet connection.  With RDP you can lose packets during a session and make connections.  Maybe there are enough packets being dropped that Remote Desktop is failing because of WAN or LAN issues.
Avatar of mydware

ASKER

RDP works internally without issue. (From desktop to desktop)

It only recently stopped working over VPN.  If the connection was that unstable I would expect that the VPN tunnel would crash but it doesn't.  I have no problems making VPN connection, and the users in that office do not complain about connectivity issues.  They say their internet is stable and ours is stable on this end as well.
Do you have a way to check your firewall logs to see if there are issues with the VPN from a firewall perspective?  Also, is the VPN native to Windows or client based?
I have a few questions.

Did any of the rules on the firewall change to deny traffic across the VPN on your firewall?
Did the firewall get upgraded about the same time as the issue started to happen?
When you do an ipconfig /all, do you see all your settings correctly, i.e. gateway, IP address, WINS, DNS?

Also one thing you can try is telnetting to the IP address of one of the clients and port 3389.  If telnet is established without errors then the port is listening and the problem might be client side. If that port is denied somehow in the firewall rules or a connection cannot be made then it is the firewall.

Just a shot in the dark....try entering the numerical ip address instead of the hostname when you rdesktop. You may have a DNS issue.

Also do a portscan to see what ports you have open.
Avatar of mydware

ASKER

Ok here is what I have been able to establish thus far.

1) The problem seems to be when large amounts of data flow over the VPN tunnel.  For example, I can SSH into a Linux box on the other side, and run commands and do whatever I like without issue.  However if I try to SCP a file over the tunnel the connection dies "Connection Reset By Peer", which is consistent with Windows Remote Desktop failing with the Broken Connection Error.  The clients seem to die when there is too much traffic.  SSH works well because of its LOW traffic usage, I'm sure telnet would yield the same results.

2) I have adjusted the MTU on the other side which uses PPPoE to 1400, when I did this I am now able to establish a Remote Desktop Connection.  I am able to login, but that's it.  At that point the connection dies.

3) Here is what the firewall seems to be blocking.
 15:59:14.744536 PPTP 192.168.0.225, port 2208 70.242.187.73, port 2878 UDP
  15:59:15.686326 PPTP 192.168.0.225, port 2208 70.198.84.48, port 3524 UDP
  15:59:16.776589 PPTP 192.168.0.225, port 2208 70.153.53.78, port 1875 UDP
  15:59:17.780396 PPTP 192.168.0.225, port 2208 70.204.158.209, port 1789 UDP
  15:59:18.704599 PPTP 192.168.0.225, port 2208 70.167.99.190, port 1488 UDP
  15:59:19.696570 PPTP 192.168.0.225, port 2208 70.132.235.144, port 3567 UDP
  15:59:20.728692 PPTP 192.168.0.225, port 2208 70.227.140.124, port 1501 UDP
  15:59:21.713641 PPTP 192.168.0.225, port 2208 24.170.188.138, port 2433 UDP

4) I do not see any rules saying to deny traffic across the VPN.  Here is the VPN rule:
Allow from any IP coming in on Any port to access Any destination IP on Any port, in other words completely open.

5) Yes all looks good with ipconfig /all

Thanks for your replies.
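
The pattern in the post above (small SSH traffic passes, bulk transfers die, an MTU change to 1400 helps partially) is what a path-MTU check can confirm or rule out. The following is an added example, not part of the original thread: it binary-searches the largest ICMP echo payload that passes with Don't Fragment set. The `simulated_path` helper, the 1500-byte interface MTU and the `192.0.2.10` host are assumptions, and the real probe only works if the target answers ping.

```python
import platform
import subprocess

IP_ICMP_HEADERS = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_HEADERS = 40    # 20-byte IPv4 header + 20-byte TCP header, no options


def ping_df(host, payload, timeout_s=2):
    """Send one echo request of `payload` bytes with Don't Fragment set."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(timeout_s * 1000), host]
    else:  # Linux iputils ping
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload),
               "-W", str(timeout_s), host]
    out = subprocess.run(cmd, capture_output=True, text=True)
    # Only a line carrying a TTL is a real echo reply.
    return out.returncode == 0 and "TTL=" in out.stdout.upper()


def largest_df_payload(probe, low, high):
    """Binary-search the largest payload in [low, high] that `probe` passes."""
    if not probe(low):
        return None                      # nothing gets through at all
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def diagnose(probe, interface_mtu=1500):
    payload = largest_df_payload(probe, 0, interface_mtu - IP_ICMP_HEADERS)
    if payload is None:
        return {"path_mtu": None, "tcp_mss": None,
                "verdict": "no echo reply at any size; ICMP filtered or host down"}
    path_mtu = payload + IP_ICMP_HEADERS
    verdict = ("path MTU below interface MTU; full-size DF packets are dropped"
               if path_mtu < interface_mtu else "no MTU restriction on this path")
    return {"path_mtu": path_mtu, "tcp_mss": path_mtu - IP_TCP_HEADERS,
            "verdict": verdict}


def simulated_path(mtu):
    """Constructed stand-in for a tunnel: passes packets up to `mtu` bytes."""
    return lambda payload: payload + IP_ICMP_HEADERS <= mtu


if __name__ == "__main__":
    print(diagnose(simulated_path(1400)))         # constructed 1400-byte path
    # Real probe (hypothetical host): diagnose(lambda n: ping_df("192.0.2.10", n))
```

A `path_mtu` of `None` means no echo reply came back at any size, which says nothing about the MTU; the probe needs a host and firewall path that pass ICMP echo.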
Avatar of mydware

ASKER

Also I am using IP addresses and not host names.

Thanks again.
Based on what your comment is saying... I think you have a traffic issue.  On the firewall is there a way to monitor how much bandwidth is really being used?  If you can, monitor for a day or so and see if you are at the limit when the connections start dropping.  By changing the MTU it gives you a little more but not enough to make a difference.  From the sound of it you might need to purchase more bandwidth.  
Avatar of mydware

ASKER

Yes there is a way to monitor the bandwidth, and when the connections are dropping bandwidth has been low and high and makes no difference.
Most likely you are seeing the spike because of the dropped packets.  The connection can only handle so much traffic before stuff starts failing and slowing down.  If RDP was not able to handle dropped packets better you would just experience slowness in the terminal session rather than dropping the session itself.  Also it sounds like you are on the line of being OK and not having enough bandwidth.
In resolving your issues the next step I would take is talking to your ISP about getting more bandwidth.  What kind of connection do you currently have?  You can go to dslreports.com to do a speed test and find your upload and download speed.
Avatar of mydware

ASKER

I can tell you that bandwidth is not an issue.  We have had many many more connections going on as well as multiple VPN tunnels running at the same time, many times before with the same hardware and internet connection that we have now.

Talking to the ISP about more bandwidth will not help us.  We have broadband right now, same as we have been using all along.  I have even tested removing everything from the internet connection except the m0n0wall VPN box, and the 1 client computer I have been trying to connect to, to no avail.
Since it happens with only 1 connection can you perform a pathping and a tracert and post them?  Also can you post who is your provider and the type of internet connection?
Avatar of mydware

ASKER

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

>pathping 192.168.0.1

Tracing route to 192.168.0.1 over a maximum of 30 hops

  0  pcdarryl [192.168.0.224]
  1     *        *        *
Computing statistics for 25 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           pcdarryl [192.168.0.224]
                              100/ 100 =100%   |
  1  ---     100/ 100 =100%     0/ 100 =  0%  pcdarryl [0.0.0.0]

Trace complete.



tracert 192.168.0.1

Tracing route to 192.168.0.1 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

One other odd thing, I cannot ping any of the computers from this end of the VPN, but if I SSH in over the VPN and am working on a box in the other office, I am able to ping any computers in that office without issue.  This is obvious because I am on that side of the VPN.  But I should be able to ping and tracert from this side as well. However all pings from this end seem to be blocked.  

Also the Provider we have been using all along without issue is Bell Sympatico DSL.
Have you tried adjusting the remote desktop client to act like it is running with a 28k connection?  Basically what that would do is not show the desktop wallpaper, disable sounds, and themes.

To do that open the Remote Desktop Client
Click on Options (if it does not open by default)
Click on Experience
Uncheck all boxes.

Give that a try.
Avatar of mydware

ASKER

Ok have tried that with the same results.  I didn't hold my hopes high for that since I never had to do this before and RDP has always worked in the past.

Thanks again for the suggestions.
Yeah, I am running out of ideas....  I am almost getting ready to download and install the software in a virtual machine to see if I can recreate the issue....  The only thing we have really not explored is the interworkings of your firewall.  I did go through some of the documentation but I really could not find anything that just stuck out.

If there is any other information you can offer up or post please do so.  
Avatar of mydware

ASKER

I am actually glad to hear I am not the only one running out of ideas.  I was troubleshooting this issue like crazy before I even posted it here.  I don't know what other information to offer, it's strange, one minute it works, the next minute it does not.

Hrm.... What else can be the problem?

Thanks again for all your help, I really hope we can find a solution.
Are any of the connections on a wireless network?
I was looking at the website for your firewall.  Have you tried to install and configure monomon and mynetwatchman.  Both look like they are free and might help looking into the firewall itself.  Let me know?
Avatar of mydware

ASKER

Ok, here is an update.

The problem is DEFINITELY on my end.  I was at the other office today and was able to VPN into my office connection here.

However I am still unable to VPN into the other office's connection.  So whatever the issue is it's on my end.

Does this give you any new ideas?
OK, so office A can talk to office B without issues

Office B has issues talking to office A

Office A and B are connected by DSL with a PPTP VPN connection between them.

Is that correct?  If not can you explain so I can draw what your network looks like.
I was just looking at your TraceRT results. If I am reading it correctly, the local and remote networks are both on the 192.168.0.x subnet. Is this correct? If so you will have to change one or the other. Either end of a VPN need to be on different subnets to work. Perhaps I am missing something above.
Avatar of mydware

ASKER

jyabroff, you were correct about everything except about the Internet Connections.  Office A is using DSL and PPTP VPN Connections.  Office B uses High Speed Cable for its connection and PPTP VPN.

RobWill, Office A is on 192.168.0.1, and office B is on 192.168.1.1.

Hope this helps.  Really looking forward to solving this issue.
Thanks again!
Sorry mydware , looked like you were pinging remote network 192.168.0.1 and first response was from local network 192.168.0.224
From looking at the firewall software you are using hardware resources should not be an issue.  If you can please post the hardware config for both firewalls.  I did get one going in a VMware session with little effort.  However I did not have time today to create a network with it and connect to the web client.

In my earlier posting I mentioned using some of the firewall monitors for the firewall you are using.  I would be interested in seeing what the stats are like on both firewalls to see if there is anything that stands out from either a config or performance issue.  I still think you have a connection issue but it is finding the source of the problem that proves to be a challenge.
Avatar of mydware

ASKER

Ok I have done a lot of testing over the weekend.

Hardware we can pretty much rule out.  m0n0wall will run on pretty much anything.

Ok here is what we know thus far.  Office A can VPN into Office B (my office) but not the other way around.
My RDP works fine over IP not using the VPN.  I was able to RDP into my home computer from my office here (Office B), and the RDP session worked.

So that means the problem is with the VPN somewhere.  I'm not sure if I should suspect the VPN on my side, or the other office's side, or both.

What are your thoughts?
Did you have time to try to set up the monitors?  I am in agreement the issue is somewhere between firewalls.  I was hoping to see if there are any results that might help pinpoint the issue.  Without touching the firewall and looking at monitors and settings it is hard to choose a troubleshooting direction.  

It is possible the VPN connection is not as stable and there may be more traffic than you think.
Avatar of mydware

ASKER

When you say set up the monitors what exactly are you referring to?

About the stability of the VPN connection... I have no clue, I would think it would be stable, the VPN tunnel never crashes, about more traffic.... I'm not sure, more traffic where?

Thanks.
Avatar of mydware

ASKER

You know what else is strange?  Only my desktop computer is able to make the VPN connection.  If I try to make the VPN connection from another computer on my network it will not make the connection.

However.... If I change the IP address of another computer on my network, to the IP address of my Desktop computer it is able to make the VPN connection.

Not sure if this helps at all, but may point you in the right direction.

Thanks.
From that description it sounds like there might be a rule in the firewall or a bad route....something network related.  Do the firewall rules look about the same on both sides? Can you compare the settings to see if anything might stand out?
The monitoring tool mynetwatchman looks like it will tell you when rules are accepted and denied. Give it a try.
Avatar of mydware

ASKER

This tool does not support m0n0wall.  The only thing to do would be paste each entry..... ekkkkkkk
OK, what about http://wallwatcher.com it looks like an analyzer/collector and supports your firewall according to the website.
Avatar of mydware

ASKER

Ok WAHOOOOO.....

The problem was not the firewall and also was not the internet connection.

As it turns out my TCP/IP stack got screwed up.  Don’t ask me how, as I have NO CLUE!  It just started happening.   Probably after one of the Windows Updates.  I found this article on Microsoft’s Website http://support.microsoft.com/default.aspx?scid=kb;en-us;299357 figured it’s worth a try.

I cleared the stack, and uninstalled TheGreenBow VPN software from my system, because I have been told they install packet filters.  After that I rebooted my system and VOILA it worked!

I can’t believe how utterly hard it was to diagnose this problem.  It looked like bad connection, bad firewall settings bad everything.  I even tried a new network card and network cable.  EK….. I still have a headache just thinking about it!

Thank-you all again for helping me with this.

jyabroff, when you reply to this message I am going to accept your comment as the solution, since you helped me with this, and did the most amount of work.  Even though we didn’t come to a solution with you, your help was greatly appreciated.
ASKER CERTIFIED SOLUTION
jyabroff
