RDP Disconnects

Posted on 2014-04-11
Last Modified: 2014-05-06
We are running Windows Server 2008 r2 Enterprise,    One of the roles is for Remote Desktop Services.    We run 2 terminal servers for our 2 branches. The access is also over a VPN tunnel. Each branch has their own router that connects back to us at the main branch  One server, started about a week ago or something causes the users to be disconnected.   They tell me they don't get any error messages, they just go back to their PC and the icon for the remote session is gone.... Nothing has changed in any settings.   They have to restart a new session and then get back in.    It has happened several times in a day.  They tell me it is all users when it happens.  
I have no idea where to start to see what is happening.  

I have tried finding something in the logs and don't see any specific warnings in the time frames,

Can someone give me some assistance on how to trouble shoot why this is happening?  Or other questions I should be asking the users to help pinpoint it?
Question by:bankwest
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
LVL 11

Expert Comment

ID: 39995134
Do you have a host or network-based intrusion prevention system?  We see this kind of behavior when the rules have been tightened a little too much, usually without anyone bothering to mention that they are being changed.  And worst of all, when the connections are dropped "for security reasons" it never bothers to notify the users what has happened. It just looks to them like it is broken.

Author Comment

ID: 39995138
We run Sonicwall routers and those have IPS running.     Ideas what I should look at since that could be the case.
LVL 11

Expert Comment

ID: 39995264
Is there an administrator for IPS?  You could ask them to look at the logs to see if it is being blocked at the time the users are reporting a problem.   It is common for only the security administrators to have access to these logs, which makes it hard to debug this kind of problem.

When you say you have looked at the logs, do you mean that you have looked at the windows event logs on the Windows 2008 server?  I would do that first.
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 39995274
Yes, the logs on the server.

Reason your first comment made sense was our main location Sonicwall had to be reconfigured  (long story) and its possible we have missed something.   No backup config file.   Bet that don't happen again.  Now I am the one trying to figure out how to fix

I am as good as its going to get on admin for IPS.   I have looked at router logs and one branch has a lot of

Unknown Porotocol dropped  Src IP     Dst. IP

But I don't see that particular message on the other one.
LVL 11

Accepted Solution

MajorBigDeal earned 500 total points
ID: 39995596
Based on that information it sounds like it might be a straight network configuration problem (possibly VPN related) rather than an IPS issue.   I didn't realize that the network was just reconfigured prior to the problem starting.  

What do the addresses  and correspond to?

Author Comment

ID: 39998979
I don't know and not sure how to find out????

I inherited this job and learning as I go.    So, sorry....but with some assistance I am willing to learn.  

If I ping -t, it comes back with IP address of 2 of my network printers.  Not sure why just those 2.    One is a Xerox 8560 and the other is a Sharp 453.   We have about 15 network printers.  Mostly HP.   But a few Sharp's and only the one Xerox
LVL 11

Expert Comment

ID: 40000471
If you are going to be the IP network admin, then the first thing you need to do is figure out exactly what all the connections in your network are.  

So starting at layer 1, you would identify what is connected to every port.   This can be quite difficult on a large network but hopefully yours is not that big.   The first thing I would do is make a list of every device that you think might be connected to your network and what its IP address is (not all devices have IP addresses) and what its MAC address is (a device connected to an ethernet port has to have a MAC address).

Then I would look at the tables on the routers and switches and for every single port, identify a correspondence to ip and mac addresses.  There can be more than one address on each port.  I would give you the commands for this but I am not familiar with SonicWall devices so you'll need to do some trial and error.   Update the spreadsheet some more.  Hopefully the info you find will not conflict with the info you previously collected and your knowledge of your network will be increasingly comprehensive.

Now review the info and look for discrepancies.  Are there any ports that are in use but you have not been able to identify what they are for?  Are there any addresses configured in a device but you don't know what port they are on? Are there any addresses showing up in your network but you don't know the corresponding device?  Doing this, you might find some devices that you did not previously know about and you will learn the network structure.

Once you have a map of your network, you will be in a much better position to debug problems.  Getting back to your current problem, I would suggesting temporarily turning off the IPS for as short a time as possible in order to see if the problem still happens.  If the problem still happens then you have eliminated the IPS as a cause.  If the problem stops happening then you have identified where you can focus your debugging.  Either way you will move forward in the debugging process.

Author Comment

ID: 40009786

You recommended to make a list of every device that you think might be connected to your network and what its IP address is (not all devices have IP addresses) and what its MAC address is (a device connected to an ethernet port has to have a MAC address).

I do have this list.

I have not had time to really dig into the Sonicwall

I hope to make more progress next week.
LVL 11

Expert Comment

ID: 40009932
OK, I don't think I'm going to be much help to you.    Perhaps someone with experience using a VPN on Sonicwall will drop by.   You might want to click on "request attention" and see if the moderators can bring someone more qualified into this question to try to help you.

Featured Post

Comparison of Amazon Drive, Google Drive, OneDrive

What is Best for Backup: Amazon Drive, Google Drive or MS OneDrive? In this free whitepaper we look at their performance, pricing, and platform availability to help you decide which cloud drive is right for your situation. Download and read the results of our testing for free!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows Modify Permissions 19 89
Remote desktop connection frequent connection lost 5 102
DNS logs 1 33
Windows 2008 R2 Core May 2017 Microsoft Updates 4 39
At the beginning of the year, the IT world was taken hostage by the shareholders of LogMeIn. Their free product, which had been free for ten years, all of the sudden became a "pay" product. Now, I am the first person who will say that software maker…
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question