RDP Disconnects

We are running Windows Server 2008 r2 Enterprise,    One of the roles is for Remote Desktop Services.    We run 2 terminal servers for our 2 branches. The access is also over a VPN tunnel. Each branch has their own router that connects back to us at the main branch  One server, started about a week ago or something causes the users to be disconnected.   They tell me they don't get any error messages, they just go back to their PC and the icon for the remote session is gone.... Nothing has changed in any settings.   They have to restart a new session and then get back in.    It has happened several times in a day.  They tell me it is all users when it happens.  
I have no idea where to start to see what is happening.  

I have tried finding something in the logs and don't see any specific warnings in the time frames,

Can someone give me some assistance on how to trouble shoot why this is happening?  Or other questions I should be asking the users to help pinpoint it?
bankwestCTO/CashierAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
MajorBigDealConnect With a Mentor Commented:
Based on that information it sounds like it might be a straight network configuration problem (possibly VPN related) rather than an IPS issue.   I didn't realize that the network was just reconfigured prior to the problem starting.  

What do the addresses 10.0.0.2  and 224.0.0.1 correspond to?
0
 
MajorBigDealCommented:
Do you have a host or network-based intrusion prevention system?  We see this kind of behavior when the rules have been tightened a little too much, usually without anyone bothering to mention that they are being changed.  And worst of all, when the connections are dropped "for security reasons" it never bothers to notify the users what has happened. It just looks to them like it is broken.
0
 
bankwestCTO/CashierAuthor Commented:
We run Sonicwall routers and those have IPS running.     Ideas what I should look at since that could be the case.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
MajorBigDealCommented:
Is there an administrator for IPS?  You could ask them to look at the logs to see if it is being blocked at the time the users are reporting a problem.   It is common for only the security administrators to have access to these logs, which makes it hard to debug this kind of problem.

When you say you have looked at the logs, do you mean that you have looked at the windows event logs on the Windows 2008 server?  I would do that first.
0
 
bankwestCTO/CashierAuthor Commented:
Yes, the logs on the server.

Reason your first comment made sense was our main location Sonicwall had to be reconfigured  (long story) and its possible we have missed something.   No backup config file.   Bet that don't happen again.  Now I am the one trying to figure out how to fix

I am as good as its going to get on admin for IPS.   I have looked at router logs and one branch has a lot of

Unknown Porotocol dropped  Src IP  10.0.0.2     Dst. IP 224.0.0.1

But I don't see that particular message on the other one.
0
 
bankwestCTO/CashierAuthor Commented:
I don't know and not sure how to find out????

I inherited this job and learning as I go.    So, sorry....but with some assistance I am willing to learn.  

If I ping -t      224.0.0.1, it comes back with IP address of 2 of my network printers.  Not sure why just those 2.    One is a Xerox 8560 and the other is a Sharp 453.   We have about 15 network printers.  Mostly HP.   But a few Sharp's and only the one Xerox
0
 
MajorBigDealCommented:
If you are going to be the IP network admin, then the first thing you need to do is figure out exactly what all the connections in your network are.  

So starting at layer 1, you would identify what is connected to every port.   This can be quite difficult on a large network but hopefully yours is not that big.   The first thing I would do is make a list of every device that you think might be connected to your network and what its IP address is (not all devices have IP addresses) and what its MAC address is (a device connected to an ethernet port has to have a MAC address).

Then I would look at the tables on the routers and switches and for every single port, identify a correspondence to ip and mac addresses.  There can be more than one address on each port.  I would give you the commands for this but I am not familiar with SonicWall devices so you'll need to do some trial and error.   Update the spreadsheet some more.  Hopefully the info you find will not conflict with the info you previously collected and your knowledge of your network will be increasingly comprehensive.

Now review the info and look for discrepancies.  Are there any ports that are in use but you have not been able to identify what they are for?  Are there any addresses configured in a device but you don't know what port they are on? Are there any addresses showing up in your network but you don't know the corresponding device?  Doing this, you might find some devices that you did not previously know about and you will learn the network structure.

Once you have a map of your network, you will be in a much better position to debug problems.  Getting back to your current problem, I would suggesting temporarily turning off the IPS for as short a time as possible in order to see if the problem still happens.  If the problem still happens then you have eliminated the IPS as a cause.  If the problem stops happening then you have identified where you can focus your debugging.  Either way you will move forward in the debugging process.
0
 
bankwestCTO/CashierAuthor Commented:
MajorBigDeal

You recommended to make a list of every device that you think might be connected to your network and what its IP address is (not all devices have IP addresses) and what its MAC address is (a device connected to an ethernet port has to have a MAC address).

I do have this list.

I have not had time to really dig into the Sonicwall

I hope to make more progress next week.
0
 
MajorBigDealCommented:
OK, I don't think I'm going to be much help to you.    Perhaps someone with experience using a VPN on Sonicwall will drop by.   You might want to click on "request attention" and see if the moderators can bring someone more qualified into this question to try to help you.
0
All Courses

From novice to tech pro — start learning today.