juggernaughty

asked on

RDP disconnects over Cisco VPN Tunnel

Experts,

I have a Windows 2003 Terminal server that is disconnecting user sessions intermittently throughout the day. But only the users that are connecting in through VPN tunnels. Local users stay connected all day without issue.

There is a new ASA 5510 on the site where the server is located. The remote sites are using PIX 501's I believe. I have tried everything I can think of in the Windows world with enabling keepalives and all, but to no avail.

I can't post the config of the ASA, but can someone please point me at some things to look at on the ASA/IPSEC tunnel?
Jan Bacher

What timeout do you have set for the VPN connection?  Does it jive with the length of the session before it disconnects?
juggernaughty

ASKER

I'll have to ask the network admin for the running config to answer that, won't I? I'll see what I can do. It's a site-to-site tunnel... would a timeout be configured on this normally?
I set session limits on my VPNs.  Depending upon the connection, it might be as low as 4 hours.  How long does your session go before it times out?
What type of internet connection do you have, and what do the remote sites have? If they are using a DSL flavor, that side may need to change the MTU setting on the PIX.
The remote sites are using an ATT T-1 20MB pipe, I'm being told.
A T1 is not 20M.   Can you clarify?
Sorry I typed that with haste. The main site where the TS is has a 20M pipe and the remote sites have a T1 connection.

I did find this link: http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/7bb5f08929fdb88b

 Which is very similar to my issue. The network admin added the command "timeout conn 0:0:0".  So far so good. One of my colleagues told me to look for a command that is something like "flow control idle timer". Do you know of anything along those lines that might help in this instance?
That is exactly (timeout conn) to what I was referring.  I would truly recommend setting it to something reasonable, though.

I haven't ever needed to specify any flow control in a Cisco firewall product.  I would recommend first waiting to see if the timeout takes care of the problem (one "fix" at a time).
OK, I'll give it till the end of the day tomorrow. The Net admin claims it was set at 8 hours previously. Some of the users were seeing a disconnect while they are using the Terminal Server. I would think that, that timeout option would only be for idle connections, correct?

Unless the users are reporting that they were using when in fact they probably had the RDP connection minimized on their desktop :)

For one of the users I have a GPO set on her computer account to enable keepalives. This should keep the timeout conn setting at bay if packets are being sent, correct?
ASKER CERTIFIED SOLUTION
Jan Bacher
This solution is only available to members.
Well, I don't have direct access to the network hardware. Only the network admin does. So anything you ask I'll have to relay. Of course network team doesn't think it could ever be their device that is causing the issue.

So when you say "the VPN client" are you referring to the ASA? I don't know much about VPNs but I think it's a site-to-site IPsec tunnel between the PIX and the ASA. Just want to make sure you're not referring to a VPN application running on a user's PC.
By "VPN client" I refer to the remote location that is establishing the VPN to the firewall to connect to the server.
Well, the disconnects haven't been as bad since we changed the timeout connection. However they're occurring for at least one user so far today. I am going to enable a GPO on her user account to enable keepalives.

Do you think that we should look into the flow control idle timer setting? I have a colleague who changed this from 16 (default?) to 254 and said it fixed a very similar problem.

I am awaiting the network admin's response as to whether a hard timeout setting is in the VPN client.