Solved

VPN AVENTAIL 3 way handshake not connecting

Posted on 2009-05-18
Last Modified: 2012-05-07
Hi,
   We are setting up remote access via Aventail remote software for a user. The setup is that we are the branch office, so basically the user
remotes into the VPN server in headquarters, then from there she RDPs to her PC in the branch site. I will give you the troubleshooting steps:
we are able to telnet from a laptop on wireless, authenticated to the VPN, to the user's work PC over TCP 3389
we can see a hit count on the access list in our branch firewall allowing the connection
we ran Wireshark on the work PC and we can see the TCP connection coming in trying to form
a connection. In the three-way handshake there is a SYN received from the VPN server. Then the client PC replies with a SYN-ACK but
we never receive an ACK back from the VPN server. So the connection is never formed.
The work PC has a route to the VPN server; I am able to telnet and ping to the VPN server. RDP is enabled on the work PC and it is listening on TCP 3389 for the connection. I am able to RDP internally from my PC to the work PC.

Here is the connection state on the pix

TCP out VPNSERVER:60539 in 10.xx.xx.xx:3389 idle 0:00:06 bytes 0 flags aB

First question: I am not sure what the aB flag indicates?

The only thing I can think of is that the RDP protocol requires a fixup, i.e. it is responding on a random port, but this will be fine in our branch firewall as all traffic is allowed out, so it must be the headquarters firewall.

Second question: is anyone aware whether the RDP protocol requires a fixup on firewalls?

Last question: can anyone think of or recommend anything else?


Thks,

EOghan
Question by:BarepAssets
4 Comments
 

Accepted Solution

by:
harbor235 earned 500 total points
ID: 24432678


1) AB connection state on the pix:
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
       E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS

2) RDP does not require a fixup

3) if you are using Aventail sw to SSL VPN into a VPN server, and that works, you are granted inside access
    from the perspective of the VPN server. What inside network is the remote user granted access to?
    Is that network allowed to communicate with the desktop you need remote desktop to?

harbor235 ;}

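The flag legend in the answer above can be applied mechanically to the poster's `show conn` line. The following is an added example (not code from this thread, from Aventail or from Cisco) that parses PIX/ASA connection-table lines of the form quoted in the question, expands each flag letter using exactly the legend harbor235 posted, and picks out TCP entries that are still stuck in the handshake (waiting on a SYN or ACK and not yet marked U for up). Read against that legend, the poster's `aB` means "initial SYN from outside" plus "awaiting outside ACK to SYN", which lines up with the Wireshark observation that the SYN-ACK left the work PC and no final ACK ever came back. The wording in `handshake_hint` is this example's paraphrase of the legend, not firewall documentation, and every sample line other than the poster's own (the 203.0.113.x and 10.1.2.x addresses, byte counts and idle times) is constructed.

```python
import re
from dataclasses import dataclass

# Flag legend exactly as listed in the accepted answer (PIX/ASA "show conn" help).
# That legend lists "R" twice, so both meanings are kept under the one key.
PIX_CONN_FLAGS = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside", "C": "CTIQBE media", "D": "DNS", "d": "dump",
    "E": "outside back connection", "F": "outside FIN", "f": "inside FIN",
    "G": "group", "g": "MGCP", "H": "H.323", "h": "H.225.0", "I": "inbound data",
    "i": "incomplete", "J": "GTP", "j": "GTP data", "K": "GTP t3-response",
    "k": "Skinny media", "M": "SMTP data", "m": "SIP media", "n": "GUP",
    "O": "outbound data", "P": "inside back connection",
    "p": "Phone-proxy TFTP connection", "q": "SQL*Net data",
    "R": "outside acknowledged FIN / UDP SUNRPC", "r": "inside acknowledged FIN",
    "S": "awaiting inside SYN", "s": "awaiting outside SYN", "T": "SIP",
    "t": "SIP transient", "U": "up", "V": "VPN orphan", "W": "WAAS",
}

# Matches the "<proto> out <host>:<port> in <host>:<port> idle <t> bytes <n> flags <f>"
# layout of the line quoted in the question; the flags field is optional.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_host>\S+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_host>\S+):(?P<in_port>\d+)"
    r"\s+idle\s+(?P<idle>\S+)\s+bytes\s+(?P<bytes>\d+)"
    r"(?:\s+flags\s+(?P<flags>\S+))?$"
)


@dataclass
class Conn:
    proto: str
    out_host: str
    out_port: int
    in_host: str
    in_port: int
    idle: str
    bytes: int
    flags: str

    def decode_flags(self):
        """Expand the flag letters into the legend's descriptions, in order."""
        return [PIX_CONN_FLAGS.get(c, f"unknown flag {c!r}") for c in self.flags]

    def is_half_open(self):
        """TCP entry still waiting on a handshake SYN or ACK and not yet marked up (U)."""
        return (self.proto == "TCP"
                and "U" not in self.flags
                and any(c in self.flags for c in "AaSs"))

    def handshake_hint(self):
        """Paraphrase (this example's wording) of which handshake packet is outstanding."""
        if "U" in self.flags:
            return "connection is up"
        if "a" in self.flags:
            return "waiting for the outside host's ACK to the SYN"
        if "A" in self.flags:
            return "waiting for the inside host's ACK to the SYN"
        if "s" in self.flags:
            return "waiting for the outside host's SYN"
        if "S" in self.flags:
            return "waiting for the inside host's SYN"
        return "no handshake state recorded"


def parse_conn_line(line):
    """Parse one 'show conn' line; return a Conn, or None if the line does not match."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Conn(proto=g["proto"],
                out_host=g["out_host"], out_port=int(g["out_port"]),
                in_host=g["in_host"], in_port=int(g["in_port"]),
                idle=g["idle"], bytes=int(g["bytes"]), flags=g["flags"] or "")


def find_half_open(lines):
    """Return the parsed half-open TCP entries from a block of 'show conn' output."""
    conns = (parse_conn_line(l) for l in lines)
    return [c for c in conns if c is not None and c.is_half_open()]


# Constructed sample: the poster's own line, then one invented established RDP session
# and one invented UDP entry (addresses, byte counts and idle times are made up).
SAMPLE_OUTPUT = """
TCP out VPNSERVER:60539 in 10.xx.xx.xx:3389 idle 0:00:06 bytes 0 flags aB
TCP out 203.0.113.5:51000 in 10.1.2.3:3389 idle 0:00:01 bytes 8120 flags UIO
UDP out 203.0.113.9:53 in 10.1.2.4:40000 idle 0:00:02 bytes 96 flags -
""".strip().splitlines()

if __name__ == "__main__":
    for c in find_half_open(SAMPLE_OUTPUT):
        print(f"{c.out_host}:{c.out_port} -> {c.in_host}:{c.in_port} flags {c.flags}")
        for d in c.decode_flags():
            print("   ", d)
        print("   ", c.handshake_hint())
```

Paste the output of `show conn` into `find_half_open` and anything it returns is a session the firewall saw start but never saw complete; the decoded flags tell you which side's packet is missing, which is the same question the Wireshark capture in the question was answering from the other end.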
 

Author Comment

by:BarepAssets
ID: 24490682
We have fixed the issue, but strangely it was just from changing the IP address. The IP we changed it to is on the same subnet; we have on both sides an allow to the subnet's particular IP, so it seems a very strange issue why it would not allow it.
 

Author Comment

by:BarepAssets
ID: 24490692
That is, allow the subnet, not the particular IP.
 

Author Closing Comment

by:BarepAssets
ID: 31582887
Did not fix the issue but answered a lot of the questions asked.
