
ASA 5510 site to site VPN RDP sessions hang - packet loss

Hello,

Over the weekend I replaced a Smoothwall firewall with a new Cisco ASA 5510 at our datacenter.  We have a site to site VPN from our office to the datacenter that users connect to servers via RDP and we also use it to transfer data, etc.  I was able to get the ASA to connect to our local Smoothwall and I am able to pass traffic across the VPN, but remote desktop users are constantly dropping their connections.  This is very sporadic as some RDP sessions have gone up to 45 minutes without dropping while others drop their connection after only seconds.  The session usually reconnects, but not for long before it drops again.  We are also having issues transferring files as they time out, so the issue does not appear to be restricted to just RDP traffic.

I called Cisco TAC yesterday and after working with the agent for 3-4 hours yesterday and today he has not been able to resolve the issue.  He had me lower the MTU settings on both firewalls as well as on my client machine.  Other than that he has just basically looked at packet captures and logs.  

I have done some logging of my own on the ASA and I am seeing a lot of the same error which is:

Deny TCP (no connection) from 192.168.0.39/55578 to 192.168.1.211/3389 flags PSH ACK  on interface Outside

This message usually means that there is no associated connection in the ASA connection table.  But moments before these messages I can see the connection being built.

Built inbound TCP connection 1450832 for Outside:192.168.0.39/55590 (192.168.0.39/55590) to Inside:192.168.1.211/3389 (192.168.1.211/3389)

I have watched and as soon as my RDP session drops I start seeing the no connection messages.

I am currently waiting for a callback from TAC on this issue, but I am not holding my breath as the agent has not been very helpful.
Asked: NickLarson

1 Solution
gavving commented:
Try adjusting the connection timeout settings.

timeout conn 8:00:00

That sets the connection timeout value to 8 hrs.
memo_tnt commented:

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

and

group-policy NAME attributes
vpn-session-timeout X >> X in minutes
alex_firewall_guy commented:
We ran into this with our first site to site tunnel as well.

We ended up adding the following commands to get it to work.

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df <interface name here>
crypto map <crypto map name and sequence number here> set security-association lifetime seconds 28800
crypto map <crypto map name and sequence number here> set security-association lifetime kilobytes 4608000
tunnel-group <peer name or ip here> ipsec-attributes
 isakmp keepalive threshold 3600 retry 10

We also had to reduce our MSS and tie that to our inspection policy like this

tcp-map mss-map
sysopt connection tcpmss 1200
sysopt connection preserve-vpn-flows
access-list http-list2 extended permit ip any any
class-map http-map1
 match access-list http-list2
policy-map global_policy
 class http-map1
  set connection advanced-options mss-map
 class class-default
  set connection random-sequence-number disable
  set connection decrement-ttl
NickLarson (Author) commented:
Alex, thank you that seems to have worked perfectly.  We had actually already tried configuring the connection timeout stuff to no avail.

It was this part that got it working for us.

tcp-map mss-map
sysopt connection tcpmss 1200
sysopt connection preserve-vpn-flows
access-list http-list2 extended permit ip any any
class-map http-map1
 match access-list http-list2
policy-map global_policy
 class http-map1
  set connection advanced-options mss-map
 class class-default
  set connection random-sequence-number disable
  set connection decrement-ttl

As you can see in this log, before I modified the config the TCP session was being torn down almost immediately and then the Deny TCP logs would start flowing in.

6      Feb 17 2011      09:05:20      302013      192.168.0.39      50315      192.168.1.211      3389      Built inbound TCP connection 2837967 for Outside:192.168.0.39/50315 (192.168.0.39/50315) to Inside:192.168.1.211/3389 (192.168.1.211/3389)
6      Feb 17 2011      09:05:20      302013      192.168.0.39      50316      192.168.1.211      3389      Built inbound TCP connection 2837968 for Outside:192.168.0.39/50316 (192.168.0.39/50316) to Inside:192.168.1.211/3389 (192.168.1.211/3389)
6      Feb 17 2011      09:05:20      302014      192.168.0.39      50315      192.168.1.211      3389      Teardown TCP connection 2837967 for Outside:192.168.0.39/50315 to Inside:192.168.1.211/3389 duration 0:00:00 bytes 38 TCP FINs
6      Feb 17 2011      09:06:22      302014      192.168.0.39      50316      192.168.1.211      3389      Teardown TCP connection 2837968 for Outside:192.168.0.39/50316 to Inside:192.168.1.211/3389 duration 0:01:02 bytes 226719 Tunnel has been torn down
6      Feb 17 2011      09:06:22      106015      192.168.1.211      3389      192.168.0.39      50316      Deny TCP (no connection) from 192.168.1.211/3389 to 192.168.0.39/50316 flags PSH ACK  on interface Inside

Now the TCP session is built and the only logs I see after that are ICMP keep-alives.

Thank you again for the quick response.
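As an added example, not code from the thread: a small Python correlator run over the five syslog lines NickLarson pasted above. It tracks each TCP connection from its Built (302013) message to its Teardown (302014) and then matches every "Deny TCP (no connection)" (106015) back to the flow it belongs to, so a drop caused by the VPN tunel going away ("Tunnel has been torn down") is reported as the cause rather than as an unexplained stray packet. The message layout and IDs are the ones on this page; the regular expressions are assumptions written for that layout.

```python
import re

# The five log lines NickLarson pasted in the thread, used as sample input.
SAMPLE_LOG = """\
6      Feb 17 2011      09:05:20      302013      192.168.0.39      50315      192.168.1.211      3389      Built inbound TCP connection 2837967 for Outside:192.168.0.39/50315 (192.168.0.39/50315) to Inside:192.168.1.211/3389 (192.168.1.211/3389)
6      Feb 17 2011      09:05:20      302013      192.168.0.39      50316      192.168.1.211      3389      Built inbound TCP connection 2837968 for Outside:192.168.0.39/50316 (192.168.0.39/50316) to Inside:192.168.1.211/3389 (192.168.1.211/3389)
6      Feb 17 2011      09:05:20      302014      192.168.0.39      50315      192.168.1.211      3389      Teardown TCP connection 2837967 for Outside:192.168.0.39/50315 to Inside:192.168.1.211/3389 duration 0:00:00 bytes 38 TCP FINs
6      Feb 17 2011      09:06:22      302014      192.168.0.39      50316      192.168.1.211      3389      Teardown TCP connection 2837968 for Outside:192.168.0.39/50316 to Inside:192.168.1.211/3389 duration 0:01:02 bytes 226719 Tunnel has been torn down
6      Feb 17 2011      09:06:22      106015      192.168.1.211      3389      192.168.0.39      50316      Deny TCP (no connection) from 192.168.1.211/3389 to 192.168.0.39/50316 flags PSH ACK  on interface Inside
"""

# Regexes are assumptions fitted to the column layout shown above (severity, date, time, message ID, ...).
TS = re.compile(r"^\d+\s+(\w{3} \d{1,2} \d{4})\s+(\d\d:\d\d:\d\d)\s+(\d{6})\s+")
BUILT = re.compile(r"Built (?:in|out)bound TCP connection (\d+) for \w+:(\S+) \(\S+\) to \w+:(\S+) \(")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) for \w+:(\S+) to \w+:(\S+) duration (\S+) bytes (\d+) (.+)$")
DENY = re.compile(r"Deny TCP \(no connection\) from (\S+) to (\S+) flags (.+?)\s+on interface (\w+)")


def correlate(log_text):
    """Return (connections, findings): every TCP connection seen with its teardown
    reason, plus one finding per tunnel-caused teardown and per 'no connection'
    deny, the latter linked to the torn-down connection for the same flow."""
    conns = {}       # connection id -> {"pair", "built", "reason", ...}
    pair_to_id = {}  # frozenset({src, dst}) -> most recent connection id (direction-agnostic)
    findings = []
    for line in log_text.splitlines():
        ts = TS.match(line)
        when = f"{ts.group(1)} {ts.group(2)}" if ts else "?"
        if m := BUILT.search(line):
            cid, src, dst = m.groups()
            pair = frozenset((src, dst))
            conns[cid] = {"pair": pair, "built": when, "reason": None}
            pair_to_id[pair] = cid
        elif m := TEARDOWN.search(line):
            cid, src, dst, duration, nbytes, reason = m.groups()
            if cid in conns:
                conns[cid].update(reason=reason, duration=duration, bytes=int(nbytes))
            if reason.startswith("Tunnel has been torn down"):
                # The ASA dropped the flow because the IPsec SA went away, not because RDP ended.
                findings.append({"kind": "tunnel_drop", "conn": cid, "duration": duration, "at": when})
        elif m := DENY.search(line):
            src, dst, flags, iface = m.groups()
            cid = pair_to_id.get(frozenset((src, dst)))  # Deny lines are logged from the server's side
            prior = conns.get(cid)
            findings.append({"kind": "stale_flow", "conn": cid, "iface": iface, "flags": flags, "at": when,
                             "reason": prior["reason"] if prior else None})
    return conns, findings
```

Pointing the function at a longer export of the same log shows at a glance how many RDP drops coincide with SA teardowns versus ordinary client-initiated FINs.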