Solved

RDP disconnects over Cisco VPN Tunnel

Posted on 2008-06-25
Last Modified: 2013-11-16
Experts,

I have a Windows 2003 Terminal server that is disconnecting user sessions intermittently throughout the day. But only the users that are connecting in through VPN tunnels. Local users stay connected all day without issue.

There is a new ASA 5510 on the site where the server is located. The remote sites are using PIX 501's I believe. I have tried everything I can think of in the Windows world with enabling keepalives and all, but to no avail.

I can't post the config of the ASA, but can someone please point me at some things to look at on the ASA/IPSEC tunnel?
Question by:juggernaughty
13 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21870203
What timeout do you have set for the VPN connection?  Does it jive with the length of the session before it disconnects?
 
LVL 1

Author Comment

by:juggernaughty
ID: 21870236
I'll have to ask the network admin for the running config to answer that, won't I? I'll see what I can do. It's a site to site tunnel...would a timeout be configured on this normally?
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21874719
I set session limits on my VPNs.  Depending upon the connection, it might be as low as 4 hours.  How long does your session go before it times out?
 
LVL 10

Expert Comment

by:Sorenson
ID: 21874969
What type of internet connection do you have, and what do the remote sites have? If they are using a DSL flavor, that side may need to change the MTU setting on the PIX.
 
LVL 1

Author Comment

by:juggernaughty
ID: 21875398
The remote sites are using an ATT T-1 20MB pipe, I'm being told.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21875548
A T1 is not 20M.   Can you clarify?
 
LVL 1

Author Comment

by:juggernaughty
ID: 21876493
Sorry I typed that with haste. The main site where the TS is has a 20M pipe and the remote sites have a T1 connection.

I did find this link: http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/7bb5f08929fdb88b

 Which is very similar to my issue. The network admin added the command "timeout conn 0:0:0".  So far so good. One of my colleagues told me to look for a command that is something like "flow control idle timer". Do you know of anything along those lines that might help in this instance?
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21877377
That is exactly (timeout conn) to what I was referring.  I would truly recommend setting it to something reasonable, though.

I haven't ever needed to specify any flow control in a Cisco firewall product.  I would recommend first waiting to see if the timeout takes care of the problem (one "fix" at a time).
 
LVL 1

Author Comment

by:juggernaughty
ID: 21878164
OK, I'll give it till the end of the day tomorrow. The Net admin claims it was set at 8 hours previously. Some of the users were seeing a disconnect while they are using the Terminal Server. I would think that, that timeout option would only be for idle connections, correct?

Unless the users are reporting that they were using when in fact they probably had the RDP connection minimized on their desktop :)

For one of the users I have a GPO set on her computer account to enable keepalives. This should keep the timeout conn setting at bay if packets are being sent, correct?
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 21878361
I would think that this would hold the connection open.

The timeout parameters should apply toward the nat translation and not the vpn.  Have you checked the default settings in the VPN client to see if there is a hard timeout configured?
 
LVL 1

Author Comment

by:juggernaughty
ID: 21880678
Well, I don't have direct access to the network hardware. Only the network admin does. So anything you ask I'll have to relay. Of course network team doesn't think it could ever be their device that is causing the issue.

So when you say "the VPN client" are you referring to the ASA? I don't know much about VPNs but I think it's a site to site ipsec tunnel between the PIX and the ASA. Just want to make sure you're not referring to a VPN application running on a user's PC.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21883533
By "VPN client" I refer to the remote location that is establishing the VPN to the firewall to connect to the server.
 
LVL 1

Author Comment

by:juggernaughty
ID: 21900014
Well, the disconnects haven't been as bad since we changed the timeout connection. However they're occurring for at least one user so far today. I am going to enable a GPO on her user account to enable keepalives.

Do you think that we should look into the flow control idle timer setting? I have a colleague who changed this from 16 (default?) to 254 and said it fixed a very similar problem.

I am awaiting the network admin's response as to if a hard timeout setting is in the VPN client.