Solved

RDP Disconnects

Posted on 2014-04-11
Last Modified: 2014-05-06
We are running Windows Server 2008 R2 Enterprise. One of the roles is for Remote Desktop Services. We run 2 terminal servers for our 2 branches. The access is also over a VPN tunnel. Each branch has their own router that connects back to us at the main branch. One server, starting about a week ago or so, causes the users to be disconnected. They tell me they don't get any error messages; they just go back to their PC and the icon for the remote session is gone. Nothing has changed in any settings. They have to restart a new session and then get back in. It has happened several times in a day. They tell me it is all users when it happens.
I have no idea where to start to see what is happening.  

I have tried finding something in the logs and don't see any specific warnings in the time frames.

Can someone give me some assistance on how to troubleshoot why this is happening? Or other questions I should be asking the users to help pinpoint it?
Question by:bankwest
9 Comments
 
LVL 11

Expert Comment

by:MajorBigDeal
Do you have a host or network-based intrusion prevention system?  We see this kind of behavior when the rules have been tightened a little too much, usually without anyone bothering to mention that they are being changed.  And worst of all, when the connections are dropped "for security reasons" it never bothers to notify the users what has happened. It just looks to them like it is broken.

Author Comment

by:bankwest
We run SonicWall routers and those have IPS running. Ideas what I should look at, since that could be the case?
LVL 11

Expert Comment

by:MajorBigDeal
Is there an administrator for IPS?  You could ask them to look at the logs to see if it is being blocked at the time the users are reporting a problem.   It is common for only the security administrators to have access to these logs, which makes it hard to debug this kind of problem.

When you say you have looked at the logs, do you mean that you have looked at the Windows event logs on the Windows 2008 server? I would do that first.

Author Comment

by:bankwest
Yes, the logs on the server.

Reason your first comment made sense was our main location SonicWall had to be reconfigured (long story) and it's possible we have missed something. No backup config file. Bet that don't happen again. Now I am the one trying to figure out how to fix.

I am as good as it's going to get on admin for IPS. I have looked at router logs and one branch has a lot of

Unknown Porotocol dropped  Src IP  10.0.0.2     Dst. IP 224.0.0.1

But I don't see that particular message on the other one.
LVL 11

Accepted Solution

by:
MajorBigDeal earned 500 total points
Based on that information it sounds like it might be a straight network configuration problem (possibly VPN related) rather than an IPS issue.   I didn't realize that the network was just reconfigured prior to the problem starting.  

What do the addresses 10.0.0.2  and 224.0.0.1 correspond to?

Author Comment

by:bankwest
I don't know and not sure how to find out????

I inherited this job and am learning as I go. So, sorry... but with some assistance I am willing to learn.

If I ping -t 224.0.0.1, it comes back with the IP addresses of 2 of my network printers. Not sure why just those 2. One is a Xerox 8560 and the other is a Sharp 453. We have about 15 network printers. Mostly HP. But a few Sharps and only the one Xerox.
LVL 11

Expert Comment

by:MajorBigDeal
If you are going to be the IP network admin, then the first thing you need to do is figure out exactly what all the connections in your network are.  

So starting at layer 1, you would identify what is connected to every port.   This can be quite difficult on a large network but hopefully yours is not that big.   The first thing I would do is make a list of every device that you think might be connected to your network and what its IP address is (not all devices have IP addresses) and what its MAC address is (a device connected to an ethernet port has to have a MAC address).

Then I would look at the tables on the routers and switches and for every single port, identify a correspondence to ip and mac addresses.  There can be more than one address on each port.  I would give you the commands for this but I am not familiar with SonicWall devices so you'll need to do some trial and error.   Update the spreadsheet some more.  Hopefully the info you find will not conflict with the info you previously collected and your knowledge of your network will be increasingly comprehensive.

Now review the info and look for discrepancies.  Are there any ports that are in use but you have not been able to identify what they are for?  Are there any addresses configured in a device but you don't know what port they are on? Are there any addresses showing up in your network but you don't know the corresponding device?  Doing this, you might find some devices that you did not previously know about and you will learn the network structure.

Once you have a map of your network, you will be in a much better position to debug problems. Getting back to your current problem, I would suggest temporarily turning off the IPS for as short a time as possible in order to see if the problem still happens. If the problem still happens then you have eliminated the IPS as a cause. If the problem stops happening then you have identified where you can focus your debugging. Either way you will move forward in the debugging process.
0
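One way to carry out the cross-check described in the comment above, as an added example that is not part of the original thread: it parses output in the layout of Windows `arp -a` and compares it with a device inventory. The sample ARP output, the inventory, the MAC addresses and the function names are constructed for illustration; multicast entries such as 224.0.0.1 and the broadcast entry are skipped because they are group addresses rather than individual devices.

```python
import ipaddress
import re

# Constructed sample in the layout Windows `arp -a` prints (not real data).
ARP_OUTPUT = """
Interface: 10.0.0.5 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              02-00-00-00-00-01     dynamic
  10.0.0.2              02-00-00-00-00-02     dynamic
  10.0.0.40             02-00-00-00-00-40     dynamic
  10.0.0.41             02-00-00-00-00-99     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.1             01-00-5e-00-00-01     static
"""

# Constructed inventory standing in for the device spreadsheet: ip -> (name, mac).
INVENTORY = {
    "10.0.0.1": ("main-firewall", "02-00-00-00-00-01"),
    "10.0.0.40": ("xerox-printer", "02-00-00-00-00-40"),
    "10.0.0.41": ("sharp-printer", "02-00-00-00-00-41"),
    "10.0.0.50": ("terminal-server", "02-00-00-00-00-50"),
}

ROW = re.compile(r"^[ \t]*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s", re.I | re.M)
def parse_arp(text):
    """Return ({ip: mac} for unicast hosts, [group/broadcast IPs that were skipped])."""
    hosts, skipped = {}, []
    for m in ROW.finditer(text):  # banner and column-header lines do not match
        ip, mac = m.group(1), m.group(2).lower()
        if ipaddress.ip_address(ip).is_multicast or mac == "ff-ff-ff-ff-ff-ff":
            skipped.append(ip)  # a group address, not a single device
        else:
            hosts[ip] = mac
    return hosts, skipped

def reconcile(inventory, seen):
    """Compare observed ARP entries with the inventory and list discrepancies."""
    report = {"unknown": [], "mac_mismatch": [], "not_seen": []}
    for ip in sorted(seen, key=ipaddress.ip_address):
        if ip not in inventory:
            report["unknown"].append((ip, seen[ip]))
        elif inventory[ip][1].lower() != seen[ip]:
            report["mac_mismatch"].append((ip, inventory[ip][1], seen[ip]))
    report["not_seen"] = sorted((ip for ip in inventory if ip not in seen), key=ipaddress.ip_address)
    return report

if __name__ == "__main__":
    hosts, skipped = parse_arp(ARP_OUTPUT)
    print({"skipped": skipped, **reconcile(INVENTORY, hosts)})
```

An ARP table only lists devices the machine has recently talked to on its own subnet, so `not_seen` means unconfirmed rather than absent. The same comparison applies to the MAC and ARP tables read from the routers and switches.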
 

Author Comment

by:bankwest
MajorBigDeal

You recommended to make a list of every device that you think might be connected to your network and what its IP address is (not all devices have IP addresses) and what its MAC address is (a device connected to an ethernet port has to have a MAC address).

I do have this list.

I have not had time to really dig into the SonicWall.

I hope to make more progress next week.
LVL 11

Expert Comment

by:MajorBigDeal
OK, I don't think I'm going to be much help to you.    Perhaps someone with experience using a VPN on Sonicwall will drop by.   You might want to click on "request attention" and see if the moderators can bring someone more qualified into this question to try to help you.