terminal server RDP session through site-to-site VPN

Well, here I am with another stumbling block.

Desired Outline:

RDP terminal server session ---> Cisco ASA 5505 ---> Colo ASA 5510 ---> switch ---> TS



Our branch office has a MPLS T1 as their primary and the Site-to-site VPN is their backup. I was all TS rdp session to go through the VPN, and everything else to use the T1.

I assume I can do this via policy based routing or a general ip route.

Test:
I configured a ip route <server IP> <ASA inside interface>

Branch office ASA ACL:
access-list outside-in extended permit any interface outside eq 3389

Colo ASA ACL:
access-list outside-in extended permit any interface outside eq 3389


Other configs:
I create a rdp-mss class-map

and I tried "crypto ipsec df-bit clear"

I can ping the Terminal server, but, it will not initiate a RDP session.

I also performed a telnet <server IP> 3389, but, the connection failed.


Thank you again ahead of time. I'll paste my configs later.
RenoGryphonAsked:
Who is Participating?
 
RenoGryphonAuthor Commented:
Very sorry for the long wait we have been able to resolve this issue.
Thank again everyone for the help!!
0
 
Ned RamsayNetwork Operations ManagerCommented:
1) confirm with traceroute that the packets are going on the desired path, not going over the MPLS.
2) try pinging/traceroute from the terminal server back to HQ (did you setup a static route on the terminal servers end to route back via the VPN?)

If 1 and 2 work then the problem is likely the server.

Check the TS for OS based static routes (ive seen this happen so many times).
Ensure the terminal server has the VPN network in its allowed list for RDP and the firewall is disabled (may not see it as a trusted connection).
0
 
asavenerCommented:
I don't think you need the firewall rules; the traffic should be coming in over the VPN, which will bypass firewall rules.

Can you run "show crypto ipsec sa" on both ASAs?

Then try the RDP session.

Then "show crypto ipsec sa" again on both ASAs.

We're looking for the encaps/decaps counters to increase symmetrically on both ASAs.


I suspect what is happening is that you've got an asymmetric route.  Pings will work because they're stateless; RDP fails because the ASA doesn't see a successful 3-way handshake.


Example:  

SYN:  ServerA->MPLSRouterA->ASA-A->VPN->ASA-B->ServerB

SYN-ACK: ServerB->MPLSRouterB->MPLS->MPLSRouterA->ServerA

ACK: ServerA->MPLSRouterA->ASA-A (Blocked!  The ASA never saw the SYN-ACK from ServerB, so it doesn't think it's a valid connection.)


You will have to add a route on the RDP server to route all traffic to SiteA through the VPN.

If this test works, then you can configure policy-based routing so that only RDP traffic is sent over the VPN.

The more complexity you add, though, the more difficult it will be to support the solution.
0
 
RenoGryphonAuthor Commented:
Thank you both for your help!! ASAvener, I don't know why I didn't consider this reason for ICMP working and not TCP.
I'll make sure to do what you instructed on each ASA and then post the results.

After this I can then start working on the rest.
0
 
RenoGryphonAuthor Commented:
We were able to provide a different solution :)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.