Solved

ASA 5510 site to site VPN RDP sessions hang - packet loss

Posted on 2011-02-16
3,768 Views
Last Modified: 2012-06-27
Hello,

Over the weekend I replaced a Smoothwall firewall with a new Cisco ASA 5510 at our datacenter. We have a site to site VPN from our office to the datacenter that users connect to servers via RDP and we also use it to transfer data, etc. I was able to get the ASA to connect to our local Smoothwall and I am able to pass traffic across the VPN, but remote desktop users are constantly dropping their connections. This is very sporadic as some RDP sessions have gone up to 45 minutes without dropping while others drop their connection after only seconds. The session usually reconnects, but not for long before it drops again. We are also having issues transferring files as they timeout so the issue does not appear to be restricted to just RDP traffic.

I called Cisco TAC yesterday and, after working with the agent for 3-4 hours yesterday and today, he has not been able to resolve the issue. He had me lower the MTU settings on both firewalls as well as on my client machine. Other than that he has just basically looked at packet captures and logs.

I have done some logging of my own on the ASA and I am seeing a lot of the same error which is:

Deny TCP (no connection) from 192.168.0.39/55578 to 192.168.1.211/3389 flags PSH ACK  on interface Outside

This message usually means that there is no associated connection in the ASA connection table.  But moments before these messages I can see the connection being built.

Built inbound TCP connection 1450832 for Outside:192.168.0.39/55590 (192.168.0.39/55590) to Inside:192.168.1.211/3389 (192.168.1.211/3389)

I have watched and as soon as my RDP session drops I start seeing the no connection messages.

I am currently waiting for a callback from TAC on this issue, but I am not holding my breath as the agent has not been very helpful.
Question by:NickLarson
4 Comments
 
LVL 9

Expert Comment

by:gavving
ID: 34913743
Try adjusting the connection timeout settings.

timeout conn 8:00:00

That sets the connection timeout value to 8 hrs.
LVL 16

Expert Comment

by:memo_tnt
ID: 34915213


timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

and

group-policy NAME attributes
vpn-session-timeout X >> X in minutes
LVL 1

Accepted Solution

by: alex_firewall_guy (earned 500 total points)
ID: 34916118
We ran into this with our first site to site tunnel as well.

We ended up adding the following commands to get it to work.

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df <interface name here>
crypto map <crypto map name and sequence number here> set security-association lifetime seconds 28800
crypto map <crypto map name and sequence number here> set security-association lifetime kilobytes 4608000
tunnel-group <peer name or ip here> ipsec-attributes
 isakmp keepalive threshold 3600 retry 10

We also had to reduce our MSS and tie that to our inspection policy like this

tcp-map mss-map
sysopt connection tcpmss 1200
sysopt connection preserve-vpn-flows
access-list http-list2 extended permit ip any any
class-map http-map1
 match access-list http-list2
policy-map global_policy
 class http-map1
  set connection advanced-options mss-map
 class class-default
  set connection random-sequence-number disable
  set connection decrement-ttl
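The MSS clamp in the accepted answer works because every TCP segment crossing the tunnel grows by the ESP encapsulation overhead; a full 1460-byte segment from a 1500-byte LAN no longer fits the 1500-byte path and is either fragmented or, with DF set, dropped (hence the df-bit clear command above). The following calculator is an added example, not code from the thread or from Cisco, and it assumes details the thread does not state: IPv4, IPsec tunnel mode, ESP with AES-CBC and HMAC-SHA1-96 (a 3DES variant is included for comparison), TCP without options, and optional NAT-T UDP encapsulation. It shows the on-the-wire size of an encrypted segment for a given MSS and the largest MSS that still fits a given path MTU.

```python
"""IPsec ESP overhead / MSS calculator (added example, not from the thread).

Assumptions (not stated on the page): IPv4, IPsec tunnel mode, ESP with
AES-CBC + HMAC-SHA1-96 (or 3DES-CBC + HMAC-SHA1-96), TCP without options,
optional NAT-T (UDP/4500) encapsulation.
"""
from dataclasses import dataclass

IPV4_HEADER = 20   # outer and inner IPv4 header, no options
TCP_HEADER = 20    # TCP header without options
UDP_HEADER = 8     # added only when NAT-T encapsulation is active
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)


@dataclass(frozen=True)
class Transform:
    """Per-transform ESP costs: IV length, cipher block size, ICV length (bytes)."""
    name: str
    iv_len: int
    block_len: int
    icv_len: int


# Assumed transform sets; the thread never says which one the tunnel used.
AES_CBC_SHA1 = Transform("esp-aes esp-sha-hmac", iv_len=16, block_len=16, icv_len=12)
DES3_CBC_SHA1 = Transform("esp-3des esp-sha-hmac", iv_len=8, block_len=8, icv_len=12)


def esp_packet_size(mss, transform=AES_CBC_SHA1, nat_t=False):
    """Wire size of one full-MSS TCP segment after tunnel-mode ESP encapsulation."""
    inner_packet = IPV4_HEADER + TCP_HEADER + mss
    plaintext = inner_packet + ESP_TRAILER
    # ESP pads payload + trailer up to a multiple of the cipher block size.
    padded = -(-plaintext // transform.block_len) * transform.block_len
    return (IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER
            + transform.iv_len + padded + transform.icv_len)


def fits(mss, path_mtu, transform=AES_CBC_SHA1, nat_t=False):
    """True if the encrypted segment crosses the path without fragmentation."""
    return esp_packet_size(mss, transform, nat_t) <= path_mtu


def max_mss(path_mtu, transform=AES_CBC_SHA1, nat_t=False):
    """Largest MSS whose encrypted packet still fits the path MTU."""
    for mss in range(path_mtu - IPV4_HEADER - TCP_HEADER, 0, -1):
        if fits(mss, path_mtu, transform, nat_t):
            return mss
    raise ValueError("path MTU too small for any TCP payload")


if __name__ == "__main__":
    mtu = 1500
    for mss in (1460, 1380, 1200):
        size = esp_packet_size(mss)
        verdict = "fits" if size <= mtu else "exceeds"
        print(f"MSS {mss}: ESP packet {size} bytes -> {verdict} {mtu}-byte MTU")
    print("largest safe MSS, no NAT-T  :", max_mss(mtu))
    print("largest safe MSS, with NAT-T:", max_mss(mtu, nat_t=True))
```

Under these assumptions the default MSS of 1460 produces a 1560-byte ESP packet, while the thread's `sysopt connection tcpmss 1200` yields about 1304 bytes, leaving headroom for NAT-T, a PPPoE link, or a smaller MTU somewhere on the path that the calculator does not know about; that margin is why a conservative clamp is a reasonable first fix when the exact path MTU is unknown.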

Author Closing Comment

by:NickLarson
ID: 34917769
Alex, thank you, that seems to have worked perfectly. We had actually already tried configuring the connection timeout stuff to no avail.

It was this part that got it working for us.

tcp-map mss-map
sysopt connection tcpmss 1200
sysopt connection preserve-vpn-flows
access-list http-list2 extended permit ip any any
class-map http-map1
 match access-list http-list2
policy-map global_policy
 class http-map1
  set connection advanced-options mss-map
 class class-default
  set connection random-sequence-number disable
  set connection decrement-ttl

As you can see in this log, before I modified the config the TCP session was being torn down almost immediately and then the Deny TCP logs would start flowing in.

6      Feb 17 2011      09:05:20      302013      192.168.0.39      50315      192.168.1.211      3389      Built inbound TCP connection 2837967 for Outside:192.168.0.39/50315 (192.168.0.39/50315) to Inside:192.168.1.211/3389 (192.168.1.211/3389)
6      Feb 17 2011      09:05:20      302013      192.168.0.39      50316      192.168.1.211      3389      Built inbound TCP connection 2837968 for Outside:192.168.0.39/50316 (192.168.0.39/50316) to Inside:192.168.1.211/3389 (192.168.1.211/3389)
6      Feb 17 2011      09:05:20      302014      192.168.0.39      50315      192.168.1.211      3389      Teardown TCP connection 2837967 for Outside:192.168.0.39/50315 to Inside:192.168.1.211/3389 duration 0:00:00 bytes 38 TCP FINs
6      Feb 17 2011      09:06:22      302014      192.168.0.39      50316      192.168.1.211      3389      Teardown TCP connection 2837968 for Outside:192.168.0.39/50316 to Inside:192.168.1.211/3389 duration 0:01:02 bytes 226719 Tunnel has been torn down
6      Feb 17 2011      09:06:22      106015      192.168.1.211      3389      192.168.0.39      50316      Deny TCP (no connection) from 192.168.1.211/3389 to 192.168.0.39/50316 flags PSH ACK  on interface Inside

Now the TCP session is built and the only logs I see after that are ICMP keep-alives.

Thank you again for the quick response.
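The log excerpt in the closing comment carries the diagnostic signal that distinguishes this failure from an idle-timeout problem: the 302014 teardown for connection 2837968 gives the reason "Tunnel has been torn down", and the 106015 "Deny TCP (no connection)" for the same flow arrives in the same second. The script below is an added example (not from the thread or from Cisco) that parses rows in the severity/date/time/message-id/5-tuple/text layout shown above, links each no-connection deny to the teardown of the same flow that preceded it, and tallies teardown reasons so an operator can see at a glance whether the tunnel itself, rather than `timeout conn`, is closing sessions. The sample log reuses the five rows from the closing comment; the 120-second correlation window is an assumed default.

```python
"""Correlate ASA syslog teardowns with 'Deny TCP (no connection)' events
(added example, not from the thread). Row layout is the one shown in the
closing comment: severity, date, time, message id, src ip, src port,
dst ip, dst port, message text.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<date>[A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<msgid>\d{6})\s+\S+\s+\d+\s+\S+\s+\d+\s+(?P<text>.+)$"
)
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) duration (?P<dur>\d+:\d\d:\d\d) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$"
)
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+)\s+flags (?P<flags>.+?)\s+on interface (?P<iface>\S+)"
)

# Sample rows taken from the closing comment in this thread.
SAMPLE_LOG = """\
6      Feb 17 2011      09:05:20      302013      192.168.0.39      50315      192.168.1.211      3389      Built inbound TCP connection 2837967 for Outside:192.168.0.39/50315 (192.168.0.39/50315) to Inside:192.168.1.211/3389 (192.168.1.211/3389)
6      Feb 17 2011      09:05:20      302013      192.168.0.39      50316      192.168.1.211      3389      Built inbound TCP connection 2837968 for Outside:192.168.0.39/50316 (192.168.0.39/50316) to Inside:192.168.1.211/3389 (192.168.1.211/3389)
6      Feb 17 2011      09:05:20      302014      192.168.0.39      50315      192.168.1.211      3389      Teardown TCP connection 2837967 for Outside:192.168.0.39/50315 to Inside:192.168.1.211/3389 duration 0:00:00 bytes 38 TCP FINs
6      Feb 17 2011      09:06:22      302014      192.168.0.39      50316      192.168.1.211      3389      Teardown TCP connection 2837968 for Outside:192.168.0.39/50316 to Inside:192.168.1.211/3389 duration 0:01:02 bytes 226719 Tunnel has been torn down
6      Feb 17 2011      09:06:22      106015      192.168.1.211      3389      192.168.0.39      50316      Deny TCP (no connection) from 192.168.1.211/3389 to 192.168.0.39/50316 flags PSH ACK  on interface Inside
"""


def parse_line(line):
    """Split one syslog row into fields; returns None for rows that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    stamp = " ".join(rec["date"].split()) + " " + rec["time"]
    rec["ts"] = datetime.strptime(stamp, "%b %d %Y %H:%M:%S")
    return rec


def _endpoints(m):
    # Direction-independent flow key: the set of both (ip, port) endpoints.
    return frozenset({(m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))})


def correlate(log_text, window=timedelta(seconds=120)):
    """One finding per no-connection deny that follows a teardown of the same flow."""
    teardowns = []  # (timestamp, conn id, flow key, duration, reason)
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["msgid"] == "302014":
            t = TEARDOWN_RE.match(rec["text"])
            if t:
                teardowns.append((rec["ts"], t["conn"], _endpoints(t), t["dur"], t["reason"]))
        elif rec["msgid"] == "106015":
            d = DENY_RE.match(rec["text"])
            if d is None:
                continue
            key = _endpoints(d)
            # Most recent matching teardown wins; it must precede the deny within the window.
            for ts, conn, tkey, dur, reason in reversed(teardowns):
                if tkey == key and timedelta(0) <= rec["ts"] - ts <= window:
                    findings.append({
                        "conn_id": conn,
                        "reason": reason,
                        "duration": dur,
                        "interface": d["iface"],
                        "deny_at": rec["ts"].strftime("%H:%M:%S"),
                        "lag_seconds": int((rec["ts"] - ts).total_seconds()),
                    })
                    break
    return findings


def teardown_reasons(log_text):
    """Count teardown reasons; many 'Tunnel has been torn down' entries point at the tunnel, not idle timeouts."""
    reasons = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["msgid"] == "302014":
            t = TEARDOWN_RE.match(rec["text"])
            if t:
                reasons[t["reason"]] += 1
    return reasons


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"conn {f['conn_id']} torn down ({f['reason']}, lived {f['duration']}) -> "
              f"Deny (no connection) on {f['interface']} at {f['deny_at']}, {f['lag_seconds']}s later")
    print(dict(teardown_reasons(SAMPLE_LOG)))
```

Run against a longer export of the same format, the reason tally is the quickest check of whether a fix such as the MSS clamp and SA lifetime changes above actually took effect: after the fix the "Tunnel has been torn down" count should stop growing while sessions stay up, which matches the poster's observation that only ICMP keep-alives remain in the log.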