Solved

ASA 5510 site to site VPN RDP sessions hang - packet loss

Posted on 2011-02-16
4,030 Views
Last Modified: 2012-06-27
Hello,

Over the weekend I replaced a Smoothwall firewall with a new Cisco ASA 5510 at our datacenter.  We have a site-to-site VPN from our office to the datacenter that users connect to servers through via RDP, and we also use it to transfer data, etc.  I was able to get the ASA to connect to our local Smoothwall and I am able to pass traffic across the VPN, but remote desktop users are constantly dropping their connections.  This is very sporadic, as some RDP sessions have gone up to 45 minutes without dropping while others drop their connection after only seconds.  The session usually reconnects, but not for long before it drops again.  We are also having issues transferring files as they time out, so the issue does not appear to be restricted to just RDP traffic.

I called Cisco TAC yesterday, and after working with the agent for 3-4 hours yesterday and today, he has not been able to resolve the issue.  He had me lower the MTU settings on both firewalls as well as on my client machine.  Other than that he has just basically looked at packet captures and logs.

I have done some logging of my own on the ASA and I am seeing a lot of the same error which is:

Deny TCP (no connection) from 192.168.0.39/55578 to 192.168.1.211/3389 flags PSH ACK  on interface Outside

This message usually means that there is no associated connection in the ASA connection table.  But moments before these messages I can see the connection being built.

Built inbound TCP connection 1450832 for Outside:192.168.0.39/55590 (192.168.0.39/55590) to Inside:192.168.1.211/3389 (192.168.1.211/3389)

I have watched and as soon as my RDP session drops I start seeing the no connection messages.

I am currently waiting for a callback from TAC on this issue, but I am not holding my breath, as the agent has not been very helpful.
Question by:NickLarson
4 Comments
 
LVL 9

Expert Comment

by:gavving
ID: 34913743
Try adjusting the connection timeout settings.

timeout conn 8:00:00

That sets the connection timeout value to 8 hrs.
 
LVL 16

Expert Comment

by:memo_tnt
ID: 34915213
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

and

group-policy NAME attributes
vpn-session-timeout X >> X in minutes
 
LVL 1

Accepted Solution

by:alex_firewall_guy earned 2000 total points
ID: 34916118
We ran into this with our first site to site tunnel as well.

We ended up adding the following commands to get it to work.

! Global IPsec (phase 2) SA lifetimes: rekey after 8 hours or 4.6 GB, whichever comes first
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! Clear the DF bit on the encapsulated packets leaving this interface so oversized
! ESP packets can be fragmented along the path instead of being dropped
crypto ipsec df-bit clear-df <interface name here>
! The same lifetimes pinned on the crypto map entry for this peer
crypto map <crypto map name and sequence number here> set security-association lifetime seconds 28800
crypto map <crypto map name and sequence number here> set security-association lifetime kilobytes 4608000
! Dead Peer Detection for this peer: send a keepalive after 3600 s of silence, retry every 10 s
tunnel-group <peer name or ip here> ipsec-attributes
 isakmp keepalive threshold 3600 retry 10

We also had to reduce our MSS and tie that to our inspection policy like this

! tcp-map with no options set (defaults); the policy below attaches it to all traffic
tcp-map mss-map
! Rewrite any TCP MSS option larger than 1200 in SYN segments passing through the ASA,
! so full-size segments still fit the path MTU after ESP encapsulation
sysopt connection tcpmss 1200
! Keep existing stateful flows alive when the IPsec tunnel drops and re-establishes
sysopt connection preserve-vpn-flows
! Despite the names, this ACL and class match every IP flow, not just HTTP
access-list http-list2 extended permit ip any any
class-map http-map1
 match access-list http-list2
policy-map global_policy
 class http-map1
  set connection advanced-options mss-map
! Default class: stop randomising TCP initial sequence numbers and decrement TTL on forwarded packets
 class class-default
  set connection random-sequence-number disable
  set connection decrement-ttl
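The reason MSS clamping (or clearing DF) is what fixed this is worth seeing in numbers. The following is an added worked example, not code from the thread or from Cisco: it computes the on-wire size of a full-MSS TCP segment after IPv4 ESP tunnel-mode encapsulation and finds the largest MSS that still fits a path MTU. The cipher parameters (AES-CBC with a 16-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV) and the assumption of no IP or TCP options are assumptions of the example; change the keyword arguments for other transforms.

```python
# Added example (not from the thread): why an unclamped MSS over an ESP tunnel
# leaves no room for the encapsulation. Overheads are the standard ones for
# IPv4 ESP tunnel mode with a CBC cipher; cipher parameters are assumptions.

OUTER_IPV4 = 20   # new IP header added in tunnel mode (no options)
NAT_T_UDP = 8     # UDP header when NAT traversal (UDP/4500) is in use
ESP_HEADER = 8    # SPI + sequence number
INNER_IPV4 = 20   # original IP header, now encrypted
INNER_TCP = 20    # no TCP options on established segments


def esp_packet_size(mss, iv_len=16, block=16, icv_len=12, nat_t=False):
    """On-wire size of one full-MSS TCP segment after ESP tunnel-mode wrapping.

    Defaults assume AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV).
    """
    plaintext = INNER_IPV4 + INNER_TCP + mss + 2     # +2 = pad length + next header
    pad = (-plaintext) % block                       # ESP pads to the cipher block size
    return (OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER
            + iv_len + plaintext + pad + icv_len)


def max_mss(path_mtu=1500, **kw):
    """Largest MSS whose encrypted segment still fits the path MTU unfragmented."""
    mss = path_mtu - INNER_IPV4 - INNER_TCP   # what the endpoints would negotiate on their own
    while mss > 0 and esp_packet_size(mss, **kw) > path_mtu:
        mss -= 1
    return mss


def fits(mss, path_mtu=1500, **kw):
    """True if a full segment of this MSS survives the tunnel without fragmentation."""
    return esp_packet_size(mss, **kw) <= path_mtu


if __name__ == "__main__":
    for nat in (False, True):
        print("NAT-T" if nat else "plain ESP", "max MSS:", max_mss(nat_t=nat))
    # 1460 is what hosts on a 1500-byte LAN negotiate by themselves; 1380 is the
    # ASA's default tcpmss; 1200 is the value the accepted answer used
    for m in (1460, 1380, 1200):
        print(m, "fits" if fits(m) else "needs fragmentation")
```

With the defaults a 1460-byte MSS produces a 1560-byte ESP packet, which cannot cross a 1500-byte link; the largest MSS that fits is 1398 (1382 behind NAT-T), so both the ASA default of 1380 and the 1200 used in the answer leave headroom. If the hosts set DF and the ASA neither clamps MSS nor clears DF, those oversized packets are dropped silently, which shows up exactly as stalled bulk transfers and RDP sessions that work until a large screen update.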
 

Author Closing Comment

by:NickLarson
ID: 34917769
Alex, thank you that seems to have worked perfectly.  We had actually already tried configuring the connection timeout stuff to no avail.

It was this part that got it working for us.

tcp-map mss-map
sysopt connection tcpmss 1200
sysopt connection preserve-vpn-flows
access-list http-list2 extended permit ip any any
class-map http-map1
 match access-list http-list2
policy-map global_policy
 class http-map1
  set connection advanced-options mss-map
 class class-default
  set connection random-sequence-number disable
  set connection decrement-ttl

As you can see in this log, before I modified the config the TCP session was being torn down almost immediately and then the Deny TCP logs would start flowing in.

6      Feb 17 2011      09:05:20      302013      192.168.0.39      50315      192.168.1.211      3389      Built inbound TCP connection 2837967 for Outside:192.168.0.39/50315 (192.168.0.39/50315) to Inside:192.168.1.211/3389 (192.168.1.211/3389)
6      Feb 17 2011      09:05:20      302013      192.168.0.39      50316      192.168.1.211      3389      Built inbound TCP connection 2837968 for Outside:192.168.0.39/50316 (192.168.0.39/50316) to Inside:192.168.1.211/3389 (192.168.1.211/3389)
6      Feb 17 2011      09:05:20      302014      192.168.0.39      50315      192.168.1.211      3389      Teardown TCP connection 2837967 for Outside:192.168.0.39/50315 to Inside:192.168.1.211/3389 duration 0:00:00 bytes 38 TCP FINs
6      Feb 17 2011      09:06:22      302014      192.168.0.39      50316      192.168.1.211      3389      Teardown TCP connection 2837968 for Outside:192.168.0.39/50316 to Inside:192.168.1.211/3389 duration 0:01:02 bytes 226719 Tunnel has been torn down
6      Feb 17 2011      09:06:22      106015      192.168.1.211      3389      192.168.0.39      50316      Deny TCP (no connection) from 192.168.1.211/3389 to 192.168.0.39/50316 flags PSH ACK  on interface Inside

Now the TCP session is built and the only logs I see after that are ICMP keep-alives.

Thank you again for the quick response.
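The log above is the whole story in five lines: the connection is built (302013), torn down with reason "Tunnel has been torn down" (302014), and the server's next PSH ACK is then denied as "no connection" (106015) because the ASA has already dropped the flow. The following is an added example, not code from the thread: a small correlator that parses exported ASA log rows in the same column layout as the closing comment, pairs each 106015 deny with the teardown of the matching flow, and reports why that flow was closed. The sample data is the five rows from the closing comment with the column whitespace collapsed to single spaces; the regexes are written against those three message formats and are the example's own.

```python
import re

# The five log rows from the closing comment above, columns separated by
# single spaces: severity, date, time, message ID, src, sport, dst, dport, text.
SAMPLE_LOG = """\
6 Feb 17 2011 09:05:20 302013 192.168.0.39 50315 192.168.1.211 3389 Built inbound TCP connection 2837967 for Outside:192.168.0.39/50315 (192.168.0.39/50315) to Inside:192.168.1.211/3389 (192.168.1.211/3389)
6 Feb 17 2011 09:05:20 302013 192.168.0.39 50316 192.168.1.211 3389 Built inbound TCP connection 2837968 for Outside:192.168.0.39/50316 (192.168.0.39/50316) to Inside:192.168.1.211/3389 (192.168.1.211/3389)
6 Feb 17 2011 09:05:20 302014 192.168.0.39 50315 192.168.1.211 3389 Teardown TCP connection 2837967 for Outside:192.168.0.39/50315 to Inside:192.168.1.211/3389 duration 0:00:00 bytes 38 TCP FINs
6 Feb 17 2011 09:06:22 302014 192.168.0.39 50316 192.168.1.211 3389 Teardown TCP connection 2837968 for Outside:192.168.0.39/50316 to Inside:192.168.1.211/3389 duration 0:01:02 bytes 226719 Tunnel has been torn down
6 Feb 17 2011 09:06:22 106015 192.168.1.211 3389 192.168.0.39 50316 Deny TCP (no connection) from 192.168.1.211/3389 to 192.168.0.39/50316 flags PSH ACK  on interface Inside
"""

# Message bodies of ASA-302013, ASA-302014 and ASA-106015 as they appear above
BUILT = re.compile(
    r"Built (?:inbound|outbound) TCP connection (\d+) for "
    r"\w+:([\d.]+)/(\d+) \([\d.]+/\d+\) to \w+:([\d.]+)/(\d+)")
TEARDOWN = re.compile(
    r"Teardown TCP connection (\d+) for \w+:([\d.]+)/(\d+) to \w+:([\d.]+)/(\d+) "
    r"duration (\d+:\d{2}:\d{2}) bytes (\d+) (.+)$")
DENY = re.compile(
    r"Deny TCP \(no connection\) from ([\d.]+)/(\d+) to ([\d.]+)/(\d+) "
    r"flags (.+?)\s+on interface (\w+)")


def parse_line(line):
    """Split one exported log row into (time, message id, message text)."""
    parts = line.split(None, 10)
    if len(parts) < 11:
        return None
    return parts[4], parts[5], parts[10]


def analyze(log_text):
    """Correlate build, teardown and no-connection deny messages.

    Returns (teardowns, orphan_denies): teardowns maps connection id to its
    teardown record; orphan_denies lists 106015 denies whose flow the ASA had
    already torn down, together with the reason it gave for the teardown.
    """
    open_conns = {}        # conn id -> (src, sport, dst, dport)
    torn_by_tuple = {}     # (src, sport, dst, dport) -> teardown record
    teardowns = {}
    orphan_denies = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        time, msgid, text = parsed
        if msgid == "302013":
            m = BUILT.search(text)
            if m:
                cid, src, sport, dst, dport = m.groups()
                open_conns[cid] = (src, sport, dst, dport)
        elif msgid == "302014":
            m = TEARDOWN.search(text)
            if m:
                cid, src, sport, dst, dport, duration, nbytes, reason = m.groups()
                rec = {"conn": cid, "time": time, "duration": duration,
                       "bytes": int(nbytes), "reason": reason.strip()}
                teardowns[cid] = rec
                torn_by_tuple[(src, sport, dst, dport)] = rec
                open_conns.pop(cid, None)
        elif msgid == "106015":
            m = DENY.search(text)
            if m:
                src, sport, dst, dport, flags, iface = m.groups()
                # The deny is logged for the server's reply, i.e. the reverse of
                # the tuple the connection was built with; check both directions.
                rec = (torn_by_tuple.get((dst, dport, src, sport))
                       or torn_by_tuple.get((src, sport, dst, dport)))
                if rec:
                    orphan_denies.append({"time": time, "conn": rec["conn"],
                                          "iface": iface, "flags": flags.strip(),
                                          "reason": rec["reason"]})
    return teardowns, orphan_denies


def vpn_teardowns(teardowns):
    """Connection ids the ASA closed because the IPsec tunnel went away."""
    return sorted(cid for cid, rec in teardowns.items()
                  if rec["reason"] == "Tunnel has been torn down")


if __name__ == "__main__":
    t, d = analyze(SAMPLE_LOG)
    for cid in vpn_teardowns(t):
        print("closed by tunnel loss:", cid, t[cid]["duration"], t[cid]["bytes"], "bytes")
    for deny in d:
        print("orphan deny:", deny)
```

Run against a full day of exported rows, the count returned by vpn_teardowns tells you how often the SA itself dropped (an IKE/DPD or lifetime problem) versus flows that simply outlived the tunnel; the "Tunnel has been torn down" reason on a 62-second flow, followed a second later by a PSH ACK deny, is the signature that sysopt connection preserve-vpn-flows and the MSS clamp address.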