ASA 5510 site to site VPN RDP sessions hang - packet loss
Posted on 2011-02-16
Over the weekend I replaced a Smoothwall firewall with a new Cisco ASA 5510 at our datacenter. We have a site-to-site VPN from our office to the datacenter over which users connect to servers via RDP, and we also use it to transfer data, etc. I was able to get the ASA to connect to our local Smoothwall and I am able to pass traffic across the VPN, but remote desktop users are constantly dropping their connections. This is very sporadic: some RDP sessions have gone up to 45 minutes without dropping, while others drop their connection after only seconds. The session usually reconnects, but not for long before it drops again. We are also having issues transferring files as they time out, so the issue does not appear to be restricted to just RDP traffic.
I called Cisco TAC yesterday, and after working with the agent for 3-4 hours yesterday and today he has not been able to resolve the issue. He had me lower the MTU settings on both firewalls as well as on my client machine. Other than that he has basically just looked at packet captures and logs.
I have done some logging of my own on the ASA and I am seeing a lot of the same error which is:
Deny TCP (no connection) from 192.168.0.39/55578 to 192.168.1.211/3389 flags PSH ACK on interface Outside
This message usually means that there is no associated connection in the ASA connection table. But moments before these messages I can see the connection being built.
Built inbound TCP connection 1450832 for Outside:192.168.0.39/55590 (192.168.0.39/55590) to Inside:192.168.1.211/3389 (192.168.1.211/3389)
I have watched, and as soon as my RDP session drops I start seeing the "no connection" messages.
I am currently waiting for a callback from TAC on this issue, but I am not holding my breath, as the agent has not been very helpful.
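As an added example (not from the original post, and not Cisco's own tooling), here is a small Python script that correlates the two message types quoted above per TCP 4-tuple, so you can see for each RDP flow how long the ASA held connection state before it began logging "no connection" denies, and whether a Teardown message was logged in between. The syslog lines below are constructed for the example; the %ASA-6-302013 / 302014 / 106015 message IDs and the Teardown line format are assumed from Cisco's documented ASA syslog messages and do not appear in the post.

```python
"""Correlate ASA 'Built' / 'Teardown' / 'Deny TCP (no connection)' syslog
lines per TCP 4-tuple (client ip/port -> server ip/port).

Added example, not code from the original post. Message IDs and the
Teardown format are assumed from Cisco's ASA syslog documentation.
"""
import re
from datetime import datetime

# Constructed sample: one flow denied with no Teardown logged (the pattern the
# post describes), one torn down normally before its late packet was denied,
# one healthy flow, and one deny for a flow never seen being built.
SAMPLE_LOG = """\
Feb 16 09:13:00 asa-dc %ASA-6-106015: Deny TCP (no connection) from 192.168.0.39/55560 to 192.168.1.211/3389 flags PSH ACK  on interface Outside
Feb 16 09:14:10 asa-dc %ASA-6-302013: Built inbound TCP connection 1450790 for Outside:192.168.0.39/55578 (192.168.0.39/55578) to Inside:192.168.1.211/3389 (192.168.1.211/3389)
Feb 16 09:14:40 asa-dc %ASA-6-302014: Teardown TCP connection 1450790 for Outside:192.168.0.39/55578 to Inside:192.168.1.211/3389 duration 0:00:30 bytes 18204 TCP Reset-O
Feb 16 09:14:41 asa-dc %ASA-6-106015: Deny TCP (no connection) from 192.168.0.39/55578 to 192.168.1.211/3389 flags PSH ACK  on interface Outside
Feb 16 09:15:02 asa-dc %ASA-6-302013: Built inbound TCP connection 1450832 for Outside:192.168.0.39/55590 (192.168.0.39/55590) to Inside:192.168.1.211/3389 (192.168.1.211/3389)
Feb 16 09:15:41 asa-dc %ASA-6-106015: Deny TCP (no connection) from 192.168.0.39/55590 to 192.168.1.211/3389 flags PSH ACK  on interface Outside
Feb 16 09:15:42 asa-dc %ASA-6-106015: Deny TCP (no connection) from 192.168.0.39/55590 to 192.168.1.211/3389 flags PSH ACK  on interface Outside
Feb 16 09:20:00 asa-dc %ASA-6-302013: Built inbound TCP connection 1450901 for Outside:192.168.0.40/50122 (192.168.0.40/50122) to Inside:192.168.1.211/3389 (192.168.1.211/3389)
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})")
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"\w+:(?P<sip>[\d.]+)/(?P<sport>\d+) \([^)]*\) to "
    r"\w+:(?P<dip>[\d.]+)/(?P<dport>\d+)")
TEARDOWN_RE = re.compile(  # format assumed from Cisco docs for 302014
    r"Teardown TCP connection (?P<cid>\d+) for "
    r"\w+:(?P<sip>[\d.]+)/(?P<sport>\d+) to "
    r"\w+:(?P<dip>[\d.]+)/(?P<dport>\d+) duration \S+ bytes \d+(?P<reason> .*)?$")
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<sip>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dip>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) +on interface (?P<ifc>\w+)")


def _parse_ts(line):
    m = TS_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; year 1900 is fine for same-day deltas.
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")


def _key(m):
    return (m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))


def correlate(log_text):
    """Return (flows, orphans): flows maps each 4-tuple seen in a Built line
    to its build time, teardown time/reason, first deny and deny count;
    orphans lists denies for 4-tuples that were never built in this log."""
    flows, orphans = {}, []
    for line in log_text.splitlines():
        ts = _parse_ts(line)
        if ts is None:
            continue
        if (m := BUILT_RE.search(line)):
            flows[_key(m)] = {"conn_id": int(m["cid"]), "built": ts,
                              "torn_down": None, "teardown_reason": None,
                              "first_deny": None, "state_seconds": None,
                              "denies": 0, "flags": set()}
        elif (m := TEARDOWN_RE.search(line)):
            rec = flows.get(_key(m))
            if rec is not None:
                rec["torn_down"] = ts
                rec["teardown_reason"] = (m["reason"] or "").strip() or "unspecified"
        elif (m := DENY_RE.search(line)):
            rec = flows.get(_key(m))
            if rec is None:
                orphans.append((ts, _key(m)))
                continue
            rec["denies"] += 1
            rec["flags"].add(m["flags"].strip())
            if rec["first_deny"] is None:
                rec["first_deny"] = ts
                rec["state_seconds"] = (ts - rec["built"]).total_seconds()
    return flows, orphans


def report(flows, orphans):
    """One line per flow, separating denies that follow a logged Teardown
    (normal) from denies where the ASA lost state without logging why."""
    lines = []
    for (sip, sport, dip, dport), r in sorted(flows.items(), key=lambda kv: kv[1]["built"]):
        label = f"{sip}:{sport} -> {dip}:{dport} conn {r['conn_id']}"
        if r["first_deny"] is None:
            lines.append(f"{label}: no denies seen")
        elif r["torn_down"] is not None and r["torn_down"] <= r["first_deny"]:
            lines.append(f"{label}: torn down ({r['teardown_reason']}) before "
                         f"{r['denies']} deny(s); expected")
        else:
            lines.append(f"{label}: state held {r['state_seconds']:.0f}s, then "
                         f"{r['denies']} deny(s) with no Teardown logged")
    for ts, (sip, sport, dip, dport) in orphans:
        lines.append(f"{sip}:{sport} -> {dip}:{dport}: deny at {ts:%H:%M:%S} "
                     f"with no Built in this log")
    return lines


if __name__ == "__main__":
    for line in report(*correlate(SAMPLE_LOG)):
        print(line)
```

To use it on a real box, save `show logging` output (with logging at informational level so the 302013/302014 lines are present) to a file and pass its contents to `correlate()` instead of `SAMPLE_LOG`. Flows reported as "no Teardown logged" are the ones worth matching against a packet capture from the same period: the ASA stopped recognising the flow without recording a reason.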