Solved

VPN AVENTAIL 3 way handshake not connecting

Posted on 2009-05-18
911 Views
Last Modified: 2012-05-07
Hi,
   We are setting up remote access via Aventail remote software for a user. The setup is that we are the branch office, so basically the user
remotes into the VPN server in headquarters and from there she RDPs to her PC at the branch site. I will give you the troubleshooting steps:
we are able to telnet from a laptop on wireless, authenticated to the VPN, to the user's work PC over TCP 3389;
we can see a hit count on the access list in our branch firewall allowing the connection;
we ran Wireshark on the work PC and we can see the TCP connection coming in, trying to form
a connection three-way handshake: there is a SYN received from the VPN server. Then the client PC replies with a SYN-ACK, but
we never receive an ACK back from the VPN server. So the connection is never formed.
The work PC has a route to the VPN server; I am able to telnet and ping to the VPN server. RDP is enabled on the work PC and it is listening on TCP 3389 for the connection; I am able to RDP internally from my PC to the work PC.

Here is the connection state on the pix

TCP out VPNSERVER:60539 in 10.xx.xx.xx:3389 idle 0:00:06 bytes 0 flags aB

First question: I am not sure what the aB flag indicates?

The only thing I can think of is that the RDP protocol requires a fixup, i.e. it is responding on a random port, but this will be fine in our branch firewall as all traffic is allowed out, so it must be the headquarters firewall.

Second question: is anyone aware whether the RDP protocol requires a fixup on firewalls?

Last question: can anyone think of or recommend anything else?


Thanks,

EOghan
Question by:BarepAssets
4 Comments
Accepted Solution

by: harbor235 (LVL 32), earned 1500 total points
ID: 24432678

1) AB connection state on the pix:
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
       E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS

2) RDP does not require a fixup

3) if you are using Aventail SW to SSL VPN into a VPN server, and that works, you are granted inside access
    from the perspective of the VPN server. What inside network is the remote user granted access to?
    Is that network allowed to communicate with the desktop you need remote desktop to?

harbor235 ;}

0
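To make the legend in the accepted answer usable on a whole `show conn` dump rather than one line by eye, here is an added example (not code from the original thread or from Cisco) that parses lines of the form quoted in the question, expands each flag letter using the legend exactly as quoted above, and classifies the entry as established or half-open. The legend and the line format come from this page; the `triage`/`handshake_state` names, the reading of `a`/`A` versus `s`/`S` as handshake stages, and the sample lines are this example's own assumptions. On the question's own entry it reports an outside-originated SYN whose SYN-ACK has passed but whose final ACK from the outside host never arrived, which is what the Wireshark capture on the work PC showed.

```python
"""Decode a PIX/ASA 'show conn' entry by its flag letters.

Added example for this thread, not from the original post or from Cisco.
The legend is the one quoted in the accepted answer and the line format is
the one quoted in the question; the half-open heuristic is this example's
own reading of those letters (an assumption, not Cisco documentation).
"""
import re

# Legend exactly as quoted in the accepted answer. Note that 'R' appears twice.
LEGEND_TEXT = """
A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS
"""

# Each entry is "<letter> - <meaning>", separated by commas or line breaks.
LEGEND = {}
for letter, meaning in re.findall(r"(?:^|,|\n)\s*(\S) - ([^,\n]+)", LEGEND_TEXT):
    LEGEND.setdefault(letter, []).append(meaning.strip())

# Matches the line quoted in the question, e.g.
#   TCP out VPNSERVER:60539 in 10.xx.xx.xx:3389 idle 0:00:06 bytes 0 flags aB
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_host>\S+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_host>\S+):(?P<in_port>\d+)"
    r"\s+idle\s+(?P<idle>\S+)\s+bytes\s+(?P<bytes>\d+)"
    r"(?:\s+flags\s+(?P<flags>\S+))?\s*$"
)


def parse_conn_line(line):
    """Split one 'show conn' line into its fields; ValueError if it does not match."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError("not a show conn line: %r" % line)
    conn = m.groupdict()
    for key in ("out_port", "in_port", "bytes"):
        conn[key] = int(conn[key])
    conn["flags"] = conn["flags"] or ""
    return conn


def decode_flags(flags, proto="TCP"):
    """Expand each flag letter to its legend text, in the order shown."""
    meanings = []
    for ch in flags:
        entries = LEGEND.get(ch)
        if not entries:
            meanings.append("unknown flag %r" % ch)
        elif ch == "R":
            # 'R' is 'outside acknowledged FIN' for TCP and 'UDP SUNRPC' for UDP.
            meanings.append(entries[1] if proto == "UDP" else entries[0])
        else:
            meanings.append(entries[0])
    return meanings


def handshake_state(conn):
    """Heuristic: 'U' = up; 's'/'S' = still waiting for a SYN, so no SYN-ACK has
    passed; 'a'/'A' = SYN-ACK seen, waiting for the final ACK from outside/inside."""
    if conn["proto"] != "TCP":
        return "not-tcp"
    flags = conn["flags"]
    if "U" in flags:
        return "established"
    if "s" in flags or "S" in flags:
        return "half-open: SYN seen, no SYN-ACK yet"
    if "a" in flags:
        return "half-open: SYN-ACK seen, waiting for ACK from outside host"
    if "A" in flags:
        return "half-open: SYN-ACK seen, waiting for ACK from inside host"
    return "unknown"


def triage(line):
    """Parse, decode and classify one line; 'origin' is the side that sent the SYN."""
    conn = parse_conn_line(line)
    conn["meanings"] = decode_flags(conn["flags"], conn["proto"])
    conn["state"] = handshake_state(conn)
    conn["origin"] = "outside" if "B" in conn["flags"] else "inside"
    return conn


if __name__ == "__main__":
    # Constructed sample: the question's own entry plus a healthy one for contrast.
    SAMPLE = [
        "TCP out VPNSERVER:60539 in 10.xx.xx.xx:3389 idle 0:00:06 bytes 0 flags aB",
        "TCP out VPNSERVER:60540 in 10.xx.xx.xx:3389 idle 0:00:01 bytes 4120 flags UIOB",
    ]
    for entry in SAMPLE:
        t = triage(entry)
        print("%s:%d -> %s:%d  bytes=%d  flags=%s (%s)" % (
            t["out_host"], t["out_port"], t["in_host"], t["in_port"],
            t["bytes"], t["flags"], "; ".join(t["meanings"])))
        print("   origin=%s  state=%s" % (t["origin"], t["state"]))
```

Feed it the whole `show conn` output and look for TCP entries with `bytes 0` that stay in a half-open state across several samples: those tell you which side's packet is missing, and therefore which hop between the two firewalls to capture on next.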
 

Author Comment

by:BarepAssets
ID: 24490682
We have fixed the issue, but strangely it was just from changing the IP address. The IP we changed it to is on the same subnet; we have on both sides allowed the subnet particular IP, so it seems a very strange issue why it would not allow it.
0
 

Author Comment

by:BarepAssets
ID: 24490692
That is, allow the subnet, not the particular IP.
0
 

Author Closing Comment

by:BarepAssets
ID: 31582887
Did not fix the issue but answered a lot of the questions asked.
0