Solved

ASA 5510 site to site VPN RDP sessions hang - packet loss

Posted on 2011-02-16
Last Modified: 2012-06-27
Hello,

Over the weekend I replaced a Smoothwall firewall with a new Cisco ASA 5510 at our datacenter.  We have a site to site VPN from our office to the datacenter over which users connect to servers via RDP, and we also use it to transfer data, etc.  I was able to get the ASA to connect to our local Smoothwall and I am able to pass traffic across the VPN, but remote desktop users are constantly dropping their connections.  This is very sporadic, as some RDP sessions have gone up to 45 minutes without dropping while others drop their connection after only seconds.  The session usually reconnects, but not for long before it drops again.  We are also having issues transferring files as they time out, so the issue does not appear to be restricted to just RDP traffic.

I called Cisco TAC yesterday and after working with the agent for 3-4 hours yesterday and today he has not been able to resolve the issue.  He had me lower the MTU settings on both firewalls as well as on my client machine.  Other than that he has just basically looked at packet captures and logs.  

I have done some logging of my own on the ASA and I am seeing a lot of the same error which is:

Deny TCP (no connection) from 192.168.0.39/55578 to 192.168.1.211/3389 flags PSH ACK  on interface Outside

This message usually means that there is no associated connection in the ASA connection table.  But moments before these messages I can see the connection being built.

Built inbound TCP connection 1450832 for Outside:192.168.0.39/55590 (192.168.0.39/55590) to Inside:192.168.1.211/3389 (192.168.1.211/3389)

I have watched and as soon as my RDP session drops I start seeing the no connection messages.

I am currently waiting for a callback from TAC on this issue, but I am not holding my breath as the agent has not been very helpful.
Question by:NickLarson
4 Comments
LVL 9

Expert Comment

by:gavving
Try adjusting the connection timeout settings.

timeout conn 8:00:00

That sets the connection timeout value to 8 hrs.
LVL 16

Expert Comment

by:memo_tnt
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

and

group-policy NAME attributes
vpn-session-timeout X >> X in minutes
LVL 1

Accepted Solution

by:alex_firewall_guy (earned 500 total points)
We ran into this with our first site to site tunnel as well.

We ended up adding the following commands to get it to work.

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df <interface name here>
crypto map <crypto map name and sequence number here> set security-association lifetime seconds 28800
crypto map <crypto map name and sequence number here> set security-association lifetime kilobytes 4608000
tunnel-group <peer name or ip here> ipsec-attributes
 isakmp keepalive threshold 3600 retry 10

We also had to reduce our MSS and tie that to our inspection policy like this

tcp-map mss-map
sysopt connection tcpmss 1200
sysopt connection preserve-vpn-flows
access-list http-list2 extended permit ip any any
class-map http-map1
 match access-list http-list2
policy-map global_policy
 class http-map1
  set connection advanced-options mss-map
 class class-default
  set connection random-sequence-number disable
  set connection decrement-ttl
Author Closing Comment

by:NickLarson
Alex, thank you that seems to have worked perfectly.  We had actually already tried configuring the connection timeout stuff to no avail.

It was this part that got it working for us.

tcp-map mss-map
sysopt connection tcpmss 1200
sysopt connection preserve-vpn-flows
access-list http-list2 extended permit ip any any
class-map http-map1
 match access-list http-list2
policy-map global_policy
 class http-map1
  set connection advanced-options mss-map
 class class-default
  set connection random-sequence-number disable
  set connection decrement-ttl

As you can see in this log, before I modified the config the TCP session was being torn down almost immediately, and then the Deny TCP logs would start flowing in.

6      Feb 17 2011      09:05:20      302013      192.168.0.39      50315      192.168.1.211      3389      Built inbound TCP connection 2837967 for Outside:192.168.0.39/50315 (192.168.0.39/50315) to Inside:192.168.1.211/3389 (192.168.1.211/3389)
6      Feb 17 2011      09:05:20      302013      192.168.0.39      50316      192.168.1.211      3389      Built inbound TCP connection 2837968 for Outside:192.168.0.39/50316 (192.168.0.39/50316) to Inside:192.168.1.211/3389 (192.168.1.211/3389)
6      Feb 17 2011      09:05:20      302014      192.168.0.39      50315      192.168.1.211      3389      Teardown TCP connection 2837967 for Outside:192.168.0.39/50315 to Inside:192.168.1.211/3389 duration 0:00:00 bytes 38 TCP FINs
6      Feb 17 2011      09:06:22      302014      192.168.0.39      50316      192.168.1.211      3389      Teardown TCP connection 2837968 for Outside:192.168.0.39/50316 to Inside:192.168.1.211/3389 duration 0:01:02 bytes 226719 Tunnel has been torn down
6      Feb 17 2011      09:06:22      106015      192.168.1.211      3389      192.168.0.39      50316      Deny TCP (no connection) from 192.168.1.211/3389 to 192.168.0.39/50316 flags PSH ACK  on interface Inside

Now the TCP session is built and the only logs I see after that are ICMP keep-alives.

Thank you again for the quick response.
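An added example, not code from the thread or from Cisco: it correlates the ASA syslog messages quoted in the closing comment, parsing 302014 teardowns and 106015 "no connection" denies per flow and flagging connections that ended with "Tunnel has been torn down" and were then hit by stray segments, which is the signature of the IPsec SA dropping underneath an RDP session. The message IDs are real ASA IDs; the sample lines are constructed from the excerpt above.

```python
import re

# The two ASA syslog messages behind the symptom in the thread: 302014 (Teardown
# TCP connection, with its reason) and 106015 (Deny TCP, no connection).
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<cid>\d+) for \w+:(?P<ip1>[\d.]+)/(?P<p1>\d+) "
    r"to \w+:(?P<ip2>[\d.]+)/(?P<p2>\d+) duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<ip1>[\d.]+)/(?P<p1>\d+) "
    r"to (?P<ip2>[\d.]+)/(?P<p2>\d+) flags")

def flow_key(ip1, p1, ip2, p2):
    """Direction-independent key: the deny may be logged server-to-client on
    Inside while the flow was built client-to-server on Outside."""
    return tuple(sorted([(ip1, int(p1)), (ip2, int(p2))]))

def analyze(lines):
    """Per flow: teardown reason, lifetime in seconds, bytes, and the number of
    orphan 'no connection' denies that arrived after the teardown."""
    flows = {}
    for line in lines:
        m = TEARDOWN_RE.search(line)
        if m:
            flows[flow_key(m["ip1"], m["p1"], m["ip2"], m["p2"])] = {
                "conn_id": m["cid"], "reason": m["reason"], "bytes": int(m["bytes"]),
                "duration_s": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
                "orphan_denies": 0}
            continue
        m = DENY_RE.search(line)
        if m:
            f = flows.get(flow_key(m["ip1"], m["p1"], m["ip2"], m["p2"]))
            if f is not None:  # stray segment for a flow the ASA already tore down
                f["orphan_denies"] += 1
    return flows

def tunnel_drop_conn_ids(flows):
    """Connections torn down because the IPsec tunnel went away and then hit by
    stray segments: the exact sequence in the thread's log excerpt."""
    return sorted(f["conn_id"] for f in flows.values()
                  if f["reason"] == "Tunnel has been torn down" and f["orphan_denies"])

# Constructed sample modelled on the syslog excerpt posted in the thread.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 2837967 for Outside:192.168.0.39/50315 to Inside:192.168.1.211/3389 duration 0:00:00 bytes 38 TCP FINs
%ASA-6-302014: Teardown TCP connection 2837968 for Outside:192.168.0.39/50316 to Inside:192.168.1.211/3389 duration 0:01:02 bytes 226719 Tunnel has been torn down
%ASA-6-106015: Deny TCP (no connection) from 192.168.1.211/3389 to 192.168.0.39/50316 flags PSH ACK  on interface Inside
%ASA-6-106015: Deny TCP (no connection) from 192.168.1.211/3389 to 192.168.0.39/50316 flags PSH ACK  on interface Inside
""".splitlines()
```

Run `tunnel_drop_conn_ids(analyze(SAMPLE_LOG))` against a real `show logging` export to see which RDP flows were lost to the tunnel dropping rather than to a normal FIN.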
