• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3005
  • Last Modified:

VPN connected but unable to RDP to server

I am having a problem with one of my remote clients connecting to a server through a VPN using Microsoft RDP. My client can ping the server and map a drive to a different server, but cannot connect through RDP. The network my client is on is a 10.10.XX.XX network and our network is a 192.168.0.XX network. When the VPN connects, it registers the computer on a 192.168.200.XX IP. What could be causing this problem? I have various clients throughout the US that connect to our network the same way and have no problems, but this client is different. Would the 10.10.XX.XX network be causing this problem? I talked to the IT department of the company my client is connecting through and they say we are wide open and there is nothing blocking the packets; however, we are still unable to connect via RDP.
0
Asked by: Tim
1 Solution
 
Rob Williams commented:
What happens when it fails? Do you get an error message? If so, could you quote it exactly? Or do you get a partially drawn screen, a black or gray screen, or nothing at all?
Also please advise if using Vista to connect.
0
 
Tim (Sr. System Admin, Author) commented:
My user says that it comes up with a message saying there are 3 possible reasons for the RDP not connecting. Unfortunately, this system is far away so I cannot be in front of the machine but can try to relay as much info as possible. We are not using Vista, yet, so that is not an issue but we are using XP Professional.  
0
 
Rob Williams commented:
Would be useful to know the "3 possible reasons" if you could find out at some point. At least that rules out the partially drawn, black, or gray screen issues.

Most often then, it either cannot reach the terminal server or the user is not authorized.
- You mention they can map a drive to a different server. Is the other server on the same subnet? If so, this should rule out any routing issues.
- Can other users connect to this terminal server? That would verify it is configured correctly and connections are not blocked by a firewall.
- Can the problematic user connect to that server from other locations? That would verify their account is approved.
0
 
Tim (Sr. System Admin, Author) commented:
I know it would be useful, I wish I knew what the messages are. When I was talking to the user he was in the middle of doing some work at the site and was not very clear on what the error messages said and when I called him back he had already left the site. The server he could map a drive to is on the same subnet as the terminal server. The terminal server is connected to by everyone in the company as well as all the remote users except for him that is why it is so troubling. I want to think it is the subnet of the company we have the workstation at but I cannot find a reason to suspect it since it is not the same subnet as our network.
0
 
Rob Williams commented:
The subnet can really only cause 3 problems.
- If the local and remote subnets are the same, the VPN will connect, but you will not be able to ping or access anything at the remote end. Mapping a drive should have ruled that out.
- When Remote Desktop/Terminal Services is enabled, the Windows firewall automatically creates a firewall exception. However, the default may be to only allow connections from the local network. You often have to manually edit the exception to either add remote subnets or choose (commonly) "allow connections from all computers, even those on the Internet".
- If multiple subnets are involved between the client and server, you may have to add a static route. This should again be ruled out by the fact that you can map a drive to something on the remote network, unless a route was added for one device rather than a subnet.
0
 
Tim (Sr. System Admin, Author) commented:
Just an update to this question. I had a chance to go out to the site in question and it looks like it is a Government site which has its network locked down. When talking to their IT department, they were unsure of how the MS VPN works and what ports it uses. I did some testing and they have opened port 80 but that is it, and it seems that the VPN will go out through the internet port but that is about it. Traffic does not come back in, nor will it let traffic go out except to create the VPN. I know the MS VPN uses port 1723, but it looks like their filter filters all the traffic going out, so my RDP, which uses 3389, is blocked. I thought that when you have a VPN created the traffic is confined to that tunnel and no filtering can be done on that connection, but it looks like that is not the case, or is it? Their IT guy mentioned the Cisco VPN client and I was wondering if that would be a better VPN than the MS VPN and whether it will encapsulate our traffic so that it isn't blocked by their filter.

0
 
Rob Williams commented:
If you can establish a VPN, all traffic will flow through the tunnel by default. It is possible with most VPNs to then create inbound and outbound filters to block traffic within the tunnel, but it is very uncommon, and must be done manually. The same applies to IPSec tunnels such as Cisco's.

However, if they have blocked all outgoing traffic other than port 80, it is unlikely you can establish a VPN. It is common to block incoming traffic, but not outgoing. If this is a military base they have likely done both.
0
 
Tim (Sr. System Admin, Author) commented:
After speaking to them I found out they are using a SonicWall 3060. They suggested I use the IPSec tunnel to create the VPN, but will that solve the problem? What configurations on the SonicWall 3060 would allow internet access but no incoming traffic?
0
 
Rob Williams commented:
I can't imagine anything they have configured on the SonicWall would allow a VPN connection but block RDP within the tunnel. I think the problem is more the connecting PC itself, or the server configuration.
Back to the subnet issue. Is the Windows firewall enabled on the machine to which you are trying to connect by RDP? If so, I would check its firewall exceptions. By default they allow the local subnet, but not others such as the 10.x.x.x. Go to Control Panel | Windows Firewall | Exceptions | highlight Remote Desktop and choose Edit | highlight TCP 3389 and choose Change Scope | check the box next to "allow any computer (including those on the Internet)" if not enabled.
0
 
Tim (Sr. System Admin, Author) commented:
The terminal server is a Windows 2000 Server, which does not have a firewall. Could my router be causing this problem? I have a Cisco 1721 and that is the device the VPN connects to. This issue is bothering me since I have multiple people connecting via VPN and RDPing to our terminal server, so I don't think it is the server that is blocking the traffic, but maybe the router doesn't like the 10.x.x.x subnet and won't let it through. Everything about this network connection is causing me problems. When I try to have Outlook connect to our Exchange server through the VPN it starts to talk to our Exchange server but then loses connection. When the VPN is up and a drive is mapped I can see the folders and their contents, but cannot copy anything to the mapped folder and cannot paste anything to that folder. Right now we are using LogMeIn to connect to local computers on our network and that seems to work; however, the speed leaves something to be desired. I really don't want my agents to work that way, but it is my only choice. Is there any other solution that I can deploy that works like LogMeIn?

Thanks
0
 
Rob Williams commented:
LogMeIn is about the best of that type of application. Remote Desktop performs better in my opinion.

It is possible the Cisco has issues with the 10.0.0.0 network, as it certainly has ACLs. I am not a "Cisco guy" so I cannot help you to configure that, if in fact it is necessary.
The fact that you have Exchange issues, and you have problems copying files, may indicate a problem with the MTU being set too high. I would try lowering it, at least on the VPN client. I assume you are using the Cisco VPN client remotely? If so, on the client machine, under All Programs / Cisco there should be a utility to set the MTU. Try 1400. If no luck, see if 1260 makes any improvement. If so, you can gradually increase it.
0
 
Tim (Sr. System Admin, Author) commented:
Sorry I haven't updated this case in a while, but there has been no new news except that I found out that they are limiting the MTU going out of and coming into their network to 1150 and will not increase it for us. I looked at manually lowering the MTUs on the servers that are affected by the MTU but found that it slowed my overall network down, so I went back to default on my network and chose to use LogMeIn instead, although it isn't a very efficient way of conducting business. I also tried lowering the MTU on the client machine and it seemed to work, but traffic coming back into the network never came back through, so I have to assume it is because my network is sending at 1500 and their network only accepts 1150.
0
 
Rob Williams commented:
>>"I also tried lowering the MTU on the client machine and it seemed to work but traffic coming back into the network never came back through so I have to assume it is because my network is sending at 1500 and their network only accepts 1150."
It is on the client that you would want to lower the MTU. I don't follow, though: you say "it seemed to work", but also "traffic....never came back"?
0
 
Tim (Sr. System Admin, Author) commented:
When I lowered the MTU on the client I was able to copy files from the client machine to the server, and I was able to copy files from the mapped drive to the client machine, but when I tried to run the terminal client it still would not connect. I connected to a server which had the MTU lowered on that machine and the terminal client connected, but when I tried to connect to our primary server I couldn't connect. I was working with a third-party network admin when I was doing the testing, and the server I connected to was a server that is in our organization but is run by his company, and they lower the MTU on all their machines just for this reason. Our terminal server can't have the MTU lowered since we have up to 50 people connecting to it simultaneously and can't afford to have their connection speeds lowered.
0
 
Rob Williams commented:
OK, that makes sense, thanks for elaborating.
MTU doesn't have to be changed on most connections; it just depends on the performance of your ISP's network. I am afraid it looks like the solution is to change the MTU, but I can also understand why you don't want to. The only other option I can see is to try different Internet providers.
0
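The MTU discussion above (Rob Williams' suggestion to lower the client MTU, Tim's finding that the site caps packets at 1150 bytes, and his reluctance to lower the terminal server's MTU for 50 users) can be made concrete with a small model. This is an added example, not code from the thread or from any vendor: it simulates a DF-marked TCP segment crossing a constructed path whose only narrow hop is the site uplink at 1150 bytes, with standard 1500-byte hops everywhere else and VPN encapsulation overhead ignored. Because TCP uses the smaller of the two MSS values exchanged in the handshake, lowering the MTU on the client alone shrinks segments in both directions, which matches Tim's report that file copies worked both ways afterwards; a gateway that clamps the MSS (the `mss_clamp` parameter, an assumed knob) achieves the same for every client without touching the server. The model does not explain why RDP to the primary server still failed; the thread leaves that open.

```python
from dataclasses import dataclass

# Header sizes a TCP sender subtracts from its MTU to derive its MSS.
IP_HEADER = 20
TCP_HEADER = 20

# Constructed topology. The remote site's uplink passes at most 1150-byte
# packets (the figure quoted in the thread); every other hop is assumed to be
# standard Ethernet at 1500. Tunnel overhead (GRE for PPTP, ESP for IPsec) is
# deliberately ignored so the arithmetic stays readable.
SITE_UPLINK = ("site uplink", 1150)
PATH_CLIENT_TO_SERVER = [("site LAN", 1500), SITE_UPLINK, ("internet", 1500),
                         ("Cisco 1721 WAN", 1500), ("corp LAN", 1500)]
PATH_SERVER_TO_CLIENT = list(reversed(PATH_CLIENT_TO_SERVER))


@dataclass(frozen=True)
class Packet:
    size: int            # whole IP datagram, headers included
    dont_fragment: bool  # DF bit; Windows sets it on TCP segments


def forward(packet, path):
    """Walk the packet along the path. A hop whose MTU is smaller than the
    packet fragments it if DF is clear, otherwise drops it. Normally the
    dropping router returns ICMP 'fragmentation needed' so the sender can
    shrink its segments (path MTU discovery); a site that filters everything
    but port 80 swallows that ICMP too, so the drop modelled here is silent
    (a PMTUD black hole)."""
    size = packet.size
    for name, mtu in path:
        if size <= mtu:
            continue
        if packet.dont_fragment:
            return False, f"silently dropped at {name}: {size} > MTU {mtu}, DF set"
        size = mtu  # fragmented; keep tracking the largest fragment
    return True, "delivered"


def small_request(path):
    """Ping, a directory listing, an SMB session setup: a few hundred bytes."""
    return forward(Packet(size=200, dont_fragment=True), path)


def bulk_transfer(sender_mtu, receiver_mtu, path, mss_clamp=None):
    """One direction of a bulk TCP flow (file copy, RDP screen updates).
    The segment size is the smaller of the two MSS values exchanged in the
    handshake, each derived from that host's own MTU; a gateway doing MSS
    clamping may lower the advertised value further as the SYN passes."""
    mss = min(sender_mtu, receiver_mtu) - IP_HEADER - TCP_HEADER
    if mss_clamp is not None:
        mss = min(mss, mss_clamp)
    return forward(Packet(size=mss + IP_HEADER + TCP_HEADER, dont_fragment=True), path)


def diagnose(client_mtu, server_mtu, mss_clamp=None):
    """Summarise what works for a given pair of endpoint MTUs."""
    return {
        "ping": small_request(PATH_CLIENT_TO_SERVER)[0]
                and small_request(PATH_SERVER_TO_CLIENT)[0],
        "client_to_server_copy": bulk_transfer(
            client_mtu, server_mtu, PATH_CLIENT_TO_SERVER, mss_clamp)[0],
        "server_to_client_copy": bulk_transfer(
            server_mtu, client_mtu, PATH_SERVER_TO_CLIENT, mss_clamp)[0],
    }


if __name__ == "__main__":
    print("defaults (1500/1500):     ", diagnose(1500, 1500))
    print("client 1400 (Rob's first):", diagnose(1400, 1500))
    print("client 1150 (site limit): ", diagnose(1150, 1500))
    print("MSS clamp 1110 at gateway:", diagnose(1500, 1500, mss_clamp=1110))
```

Running it shows the pattern from the thread: ping and directory listings pass at any MTU, bulk copies fail until the client's MTU (or a clamped MSS) brings the segment down to 1150 bytes, and Rob's first suggestions of 1400 and 1260 are still too large for this particular site. Clamping the MSS in the SYN is a standard router feature (for example `ip tcp adjust-mss` on a Cisco IOS interface, or the iptables `TCPMSS` target on Linux); it is mentioned here as the usual alternative to lowering a busy server's MTU, not as something the thread itself configured.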
 
Rob Williams commented:
Thanks tparus.
Cheers !
--Rob
0
