RDP Disconnects

Posted on 2014-04-11
Last Modified: 2014-05-06
We are running Windows Server 2008 r2 Enterprise,    One of the roles is for Remote Desktop Services.    We run 2 terminal servers for our 2 branches. The access is also over a VPN tunnel. Each branch has their own router that connects back to us at the main branch  One server, started about a week ago or something causes the users to be disconnected.   They tell me they don't get any error messages, they just go back to their PC and the icon for the remote session is gone.... Nothing has changed in any settings.   They have to restart a new session and then get back in.    It has happened several times in a day.  They tell me it is all users when it happens.  
I have no idea where to start to see what is happening.  

I have tried finding something in the logs and don't see any specific warnings in the time frames,

Can someone give me some assistance on how to trouble shoot why this is happening?  Or other questions I should be asking the users to help pinpoint it?
Question by:bankwest
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
LVL 11

Expert Comment

ID: 39995134
Do you have a host or network-based intrusion prevention system?  We see this kind of behavior when the rules have been tightened a little too much, usually without anyone bothering to mention that they are being changed.  And worst of all, when the connections are dropped "for security reasons" it never bothers to notify the users what has happened. It just looks to them like it is broken.

Author Comment

ID: 39995138
We run Sonicwall routers and those have IPS running.     Ideas what I should look at since that could be the case.
LVL 11

Expert Comment

ID: 39995264
Is there an administrator for IPS?  You could ask them to look at the logs to see if it is being blocked at the time the users are reporting a problem.   It is common for only the security administrators to have access to these logs, which makes it hard to debug this kind of problem.

When you say you have looked at the logs, do you mean that you have looked at the windows event logs on the Windows 2008 server?  I would do that first.
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI


Author Comment

ID: 39995274
Yes, the logs on the server.

Reason your first comment made sense was our main location Sonicwall had to be reconfigured  (long story) and its possible we have missed something.   No backup config file.   Bet that don't happen again.  Now I am the one trying to figure out how to fix

I am as good as its going to get on admin for IPS.   I have looked at router logs and one branch has a lot of

Unknown Porotocol dropped  Src IP     Dst. IP

But I don't see that particular message on the other one.
LVL 11

Accepted Solution

MajorBigDeal earned 500 total points
ID: 39995596
Based on that information it sounds like it might be a straight network configuration problem (possibly VPN related) rather than an IPS issue.   I didn't realize that the network was just reconfigured prior to the problem starting.  

What do the addresses  and correspond to?

Author Comment

ID: 39998979
I don't know and not sure how to find out????

I inherited this job and learning as I go.    So, sorry....but with some assistance I am willing to learn.  

If I ping -t, it comes back with IP address of 2 of my network printers.  Not sure why just those 2.    One is a Xerox 8560 and the other is a Sharp 453.   We have about 15 network printers.  Mostly HP.   But a few Sharp's and only the one Xerox
LVL 11

Expert Comment

ID: 40000471
If you are going to be the IP network admin, then the first thing you need to do is figure out exactly what all the connections in your network are.  

So starting at layer 1, you would identify what is connected to every port.   This can be quite difficult on a large network but hopefully yours is not that big.   The first thing I would do is make a list of every device that you think might be connected to your network and what its IP address is (not all devices have IP addresses) and what its MAC address is (a device connected to an ethernet port has to have a MAC address).

Then I would look at the tables on the routers and switches and for every single port, identify a correspondence to ip and mac addresses.  There can be more than one address on each port.  I would give you the commands for this but I am not familiar with SonicWall devices so you'll need to do some trial and error.   Update the spreadsheet some more.  Hopefully the info you find will not conflict with the info you previously collected and your knowledge of your network will be increasingly comprehensive.

Now review the info and look for discrepancies.  Are there any ports that are in use but you have not been able to identify what they are for?  Are there any addresses configured in a device but you don't know what port they are on? Are there any addresses showing up in your network but you don't know the corresponding device?  Doing this, you might find some devices that you did not previously know about and you will learn the network structure.

Once you have a map of your network, you will be in a much better position to debug problems.  Getting back to your current problem, I would suggesting temporarily turning off the IPS for as short a time as possible in order to see if the problem still happens.  If the problem still happens then you have eliminated the IPS as a cause.  If the problem stops happening then you have identified where you can focus your debugging.  Either way you will move forward in the debugging process.

Author Comment

ID: 40009786

You recommended to make a list of every device that you think might be connected to your network and what its IP address is (not all devices have IP addresses) and what its MAC address is (a device connected to an ethernet port has to have a MAC address).

I do have this list.

I have not had time to really dig into the Sonicwall

I hope to make more progress next week.
LVL 11

Expert Comment

ID: 40009932
OK, I don't think I'm going to be much help to you.    Perhaps someone with experience using a VPN on Sonicwall will drop by.   You might want to click on "request attention" and see if the moderators can bring someone more qualified into this question to try to help you.

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question