RDP won't work for SOME people with Cisco VPN

Baleout
Baleout used Ask the Experts™
on
Perhaps some of you have encountered this before - there are some postings but they seem to deal with a situation where Cisco VPN and RDP never work, not work for some people.....

I quite happily use Cisco VPN client 5.0.04.0300 from home and can RDP to a terminal server.   Quite a few clients tell me that whilst their VPN client connects, they cannot RDP, getting a server busy error or some such.  They are using the same .pcf file and same version of VPN client as myself.  I know there are more recent clients but am reluctant to roll them out unless i know that is the issue, and why would it be if mine works?   I had some trouble a few months ago with my router until I upgraded the firmware and I have been telling people to do that , but thus far they have all replied that the problem remains.  
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Commented:
For these clients, it is constant? I would tend to think that it is their client machines then.

Author

Commented:
Well quite, but what aspect is the key.
Commented:
Check the MTU size.

I have seen this over site to site VPNs. It maybe that the MTU is being restrict by router or by ISP.

Mine was a router issue.

I presume the problem clients can ping the Terminal Server.

Use the following command at the Operating System prompt:
ping -f -l 1024 <IP Address>

Explanation of parameters: The switch "- f" (minus sign followed by lowercase F) indicates do not fragment. The second switch "-l" (minus sign followed by lowercase L) is for size, and the number following it indicates the packet size you will be sending. Some operating systems and TCP/IP stacks allow additional parameters, for example, "-n <number>", which indicates how many times the ping is sent.

If this PING passes successfully you will get a reply from the IP address specified. If the packet was too large you will get.the message:

"Packet needs to be fragmented but DF set"

You should reduce the packet size until you are successfully connecting. Then, use this successful size when specifying an MTU value.

Here is an excellent link regarding this issue.

http://rezanayem.wordpress.com/2008/12/14/adjustingtuning-tcp-mtu-for-remote-desktop-connection/

Hope this helps.
How to Generate Services Revenue the Easiest Way

This Tuesday! Learn key insights about modern cyber protection services & gain practical strategies to skyrocket business:

- What it takes to build a cloud service portfolio
- How to determine which services will help your unique business grow
- Various use-cases and examples

Author

Commented:
You may have something there as I know I set my MTU to 1300 which I don't think is standard.  I'll get one of them to have a play tonight and ger back to you.

Commented:
Hello!

Please enable fragmentation on the router.
crypto ipsec df-bit clear

Also you can go set the mtu to 1300 on the clients, using the cisco tool "set MTU" where the VPN client is installed.

Please let me know if this helps.
Commented:
Acronyms, no joy wiith MTU = 1300 on its own.  Geergon, will try in combination with crypto ipsec df-bit clear tonight.

Commented:
Ok another crazy thing that has happened many times is the subnet your users are on.

Scenario: TS is in subnet 192.168.1.X on an IP address of 192.168.1.100.

Users home network is set to 192.168.1.x as default out of the box. Many users do this.

Are the problem users using the same subnet as the Internal network in the office?

With regards to the MTU try taking it down on the TS rather than the client side.

Here is a link to have a read however be careful as I have heard of servers slowing down when the MTU is reduced.
http://www.windowsreference.com/windows-2000/how-to-manually-set-the-mtu-size-in-windows-xp-2003-2000-vista/


Hope this helps.

 

Author

Commented:
Thanks for this, Acronyms and Geergon, I will try your suggestions in due time.  If I haven't come back to you, its only because the nature of the problem is such that I'm trying to find a user I trust to make changes to their router at home.  will come back in due course.  Geergon how do I execute   "crypto ipsec df-bit clear" . My router is a Linksys but I have no problem with mine.  There are quite a few different routers owned by staff though.  

Author

Commented:
Acronyms, I have to assume seeing as you haven't replied about how to execite your crypto command, that you are referring to a Cisco router which these aren't - they are varied homer usage.  Geergon, loved the fragmentation article.

I actually have managed to fix this problem though, by stepping back a couple of versions of the Cisco client to 5.0.02.0090.  While I don't like this solution, and its implications for upgrades, it works.  Whoever can offer me a plausible reason why I have had to move back to go forward as it were, can have the points.

Commented:
Actually the MTU stuff came from Acronyms and the crypto stuff from Geergon.

What OS are the problem clients on?? I have issues with various versions of Cisco clients working with different OS's.

No explanation as to why as I haven't got the time to go so deep.

Glad you found a solution.

Regards

Acronyms Team.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial