VPN AVENTAIL 3 way handshake not connecting

Hi,
   We are setting up remote access via Aventail remote software for a user. The setup is we are the branch office, so basically the user
remotes into the VPN server in headquarters, then from there she RDPs to her PC in the branch site. I will give you the troubleshooting steps:
we are able to telnet from a laptop on wireless, authenticated to the VPN, to the user's work PC over TCP 3389;
we can see a hit count on the access list in our branch firewall allowing the connection;
we ran Wireshark on the work PC and we can see the TCP connection coming in trying to form
a connection. In the three-way handshake there is a SYN received from the VPN server. Then the client PC replies with a SYN-ACK, but
we never receive an ACK back from the VPN server. So the connection is never formed.
The work PC has a route to the VPN server; I am able to telnet and ping to the VPN server. RDP is enabled on the work PC and it is listening on TCP 3389 for the connection. I am able to RDP internally from my PC to the work PC.

Here is the connection state on the PIX:

TCP out VPNSERVER:60539 in 10.xx.xx.xx:3389 idle 0:00:06 bytes 0 flags aB

First question: I am not sure what the aB flag indicates???

The only thing I can think of is the protocol RDP requires a fixup, i.e. it is responding on a random port, but this will be fine in our branch firewall as all traffic is allowed out, so it must be the headquarters firewall.

Second question: Is anyone aware whether the RDP protocol requires a fixup on firewalls??

Last question: can anyone think of or recommend anything else??


Thks,

EOghan
Asked by: BarepAssets

1 Solution
harbor235 commented:


1) AB connection state on the pix:
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
       E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS

2) RDP does not require a fixup

3) If you are using Aventail software to SSL VPN into a VPN server, and that works, you are granted inside access
    from the perspective of the VPN server. What inside network is the remote user granted access to?
    Is that network allowed to communicate with the desktop you need remote desktop to?

harbor235 ;}

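To make the flag legend from the answer above usable against real `show conn` output, here is an added example (not code from the original thread or from Cisco) that parses connection lines in the format quoted in the question, decodes the flags column with that legend, and reports where the three-way handshake stands. The sample lines are constructed; the first is the line from the question, the second is a made-up established connection.

```python
import re
# Flag legend for `show conn` on a PIX/ASA, taken from the answer above ("R" is
# listed twice there, so both meanings are kept under the one letter).
CONN_FLAGS = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside", "C": "CTIQBE media", "D": "DNS", "d": "dump",
    "E": "outside back connection", "F": "outside FIN", "f": "inside FIN",
    "G": "group", "g": "MGCP", "H": "H.323", "h": "H.225.0", "I": "inbound data",
    "i": "incomplete", "J": "GTP", "j": "GTP data", "K": "GTP t3-response",
    "k": "Skinny media", "M": "SMTP data", "m": "SIP media", "n": "GUP",
    "O": "outbound data", "P": "inside back connection", "q": "SQL*Net data",
    "p": "Phone-proxy TFTP connection", "r": "inside acknowledged FIN",
    "R": "outside acknowledged FIN / UDP SUNRPC", "S": "awaiting inside SYN",
    "s": "awaiting outside SYN", "T": "SIP", "t": "SIP transient", "U": "up",
    "V": "VPN orphan", "W": "WAAS",
}
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+out\s+(?P<out_host>\S+):(?P<out_port>\d+)\s+in\s+"
    r"(?P<in_host>\S+):(?P<in_port>\d+)\s+idle\s+(?P<idle>\S+)\s+bytes\s+"
    r"(?P<bytes>\d+)\s+flags\s+(?P<flags>\S+)$"
)
def parse_conn(line):
    """Parse one `show conn` line into a dict, or return None if it does not match."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    conn = m.groupdict()
    conn["bytes"] = int(conn["bytes"])
    conn["flag_names"] = [CONN_FLAGS.get(c, "unknown flag " + c) for c in conn["flags"]]
    return conn
def handshake_state(conn):
    """Say where the TCP three-way handshake stands, judged from the flags alone."""
    f = conn["flags"]
    if "U" in f:
        return "established"
    if "B" in f and "a" in f:
        # Outside host sent SYN, inside host answered, and the firewall is still
        # waiting for the outside host's ACK: the question's case, where the VPN
        # server's final ACK never arrives (bytes 0 confirms no data flowed).
        return "half-open: inbound SYN seen, SYN-ACK sent, outside ACK missing"
    if "B" in f and "A" in f:
        return "half-open: inbound SYN seen, inside host has not answered yet"
    return "not established (flags: " + ", ".join(conn["flag_names"]) + ")"
# Constructed sample: the line quoted in the question plus one made-up established conn.
SAMPLE = """TCP out VPNSERVER:60539 in 10.xx.xx.xx:3389 idle 0:00:06 bytes 0 flags aB
TCP out 192.0.2.10:51000 in 10.0.0.5:3389 idle 0:00:01 bytes 4096 flags UIOB"""
def report(text):
    # One (inside host, inside port, handshake state) tuple per parseable line.
    conns = (parse_conn(ln) for ln in text.splitlines())
    return [(c["in_host"], c["in_port"], handshake_state(c)) for c in conns if c]
```

Run against a pasted `show conn` dump, the "half-open ... outside ACK missing" verdict on a 3389 entry is exactly the symptom in the question, and points at the return path from the VPN server rather than at the inside host.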
BarepAssets (Sys Admin, Author) commented:
We have fixed the issue, but strangely it was just from changing the IP address. The IP we changed it to is on the same subnet; we have on both sides allowed the subnet, particular IP, so it seems a very strange issue why it would not allow it.
BarepAssets (Sys Admin, Author) commented:
That is, allow the subnet, not the particular IP.
BarepAssets (Sys Admin, Author) commented:
Did not fix the issue, but answered a lot of the questions asked.