RDP disconnects over Cisco VPN Tunnel

Experts,

I have a Windows 2003 Terminal server that is disconnecting user sessions intermittently throughout the day, but only the users that are connecting in through VPN tunnels. Local users stay connected all day without issue.

There is a new ASA 5510 on the site where the server is located. The remote sites are using PIX 501's I believe. I have tried everything I can think of in the Windows world with enabling keepalives and all, but to no avail.

I can't post the config of the ASA, but can someone please point me at some things to look at on the ASA/IPsec tunnel?
juggernaughty Asked:
 
Jan Springer Commented:
I would think that this would hold the connection open.

The timeout parameters should apply toward the NAT translation and not the VPN. Have you checked the default settings in the VPN client to see if there is a hard timeout configured?
 
Jan Springer Commented:
What timeout do you have set for the VPN connection? Does it jibe with the length of the session before it disconnects?
 
juggernaughty (Author) Commented:
I'll have to ask the network admin for the running config to answer that, won't I? I'll see what I can do. It's a site-to-site tunnel... would a timeout be configured on this normally?

 
Jan Springer Commented:
I set session limits on my VPNs. Depending upon the connection, it might be as low as 4 hours. How long does your session go before it times out?
 
Sorenson Commented:
What type of internet connection do you have, and what do the remote sites have? If they are using a DSL flavor, that side may need to change the MTU setting on the PIX.
 
juggernaughty (Author) Commented:
The remote sites are using an ATT T-1 20MB pipe, I'm being told.
 
Jan Springer Commented:
A T1 is not 20M. Can you clarify?
 
juggernaughty (Author) Commented:
Sorry, I typed that with haste. The main site where the TS is has a 20M pipe and the remote sites have a T1 connection.

I did find this link: http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/7bb5f08929fdb88b

Which is very similar to my issue. The network admin added the command "timeout conn 0:0:0". So far so good. One of my colleagues told me to look for a command that is something like "flow control idle timer". Do you know of anything along those lines that might help in this instance?
 
Jan Springer Commented:
That is exactly (timeout conn) to what I was referring. I would truly recommend setting it to something reasonable, though.

I haven't ever needed to specify any flow control in a Cisco firewall product. I would recommend first waiting to see if the timeout takes care of the problem (one "fix" at a time).
 
juggernaughty (Author) Commented:
OK, I'll give it till the end of the day tomorrow. The net admin claims it was set at 8 hours previously. Some of the users were seeing a disconnect while they are using the Terminal Server. I would think that that timeout option would only be for idle connections, correct?

Unless the users are reporting that they were using it when in fact they probably had the RDP connection minimized on their desktop :)

For one of the users I have a GPO set on her computer account to enable keepalives. This should keep the timeout conn setting at bay if packets are being sent, correct?
 
juggernaughty (Author) Commented:
Well, I don't have direct access to the network hardware. Only the network admin does. So anything you ask I'll have to relay. Of course, the network team doesn't think it could ever be their device that is causing the issue.

So when you say "the VPN client", are you referring to the ASA? I don't know much about VPNs, but I think it's a site-to-site IPsec tunnel between the PIX and the ASA. Just want to make sure you're not referring to a VPN application running on a user's PC.
 
Jan Springer Commented:
By "VPN client" I refer to the remote location that is establishing the VPN to the firewall to connect to the server.
 
juggernaughty (Author) Commented:
Well, the disconnects haven't been as bad since we changed the timeout connection. However they're occurring for at least one user so far today. I am going to enable a GPO on her user account to enable keepalives.

Do you think that we should look into the flow control idle timer setting? I have a colleague who changed this from 16 (default?) to 254 and said it fixed a very similar problem.

I am awaiting the network admin's response as to whether a hard timeout setting is in the VPN client.