Sonicwall NSA2400 VPN keeps dropping RDP sessions into server 2008

I have a client that has two Windows 2k8 R2 servers set up as Terminal Servers. They have a SonicWall NSA2400 and use an IPsec VPN for remote clients. The problem occurs when remote users connect by VPN and then remote desktop into the TS. The following events occur:

1. They will log in to the TS and will be kicked off, and the connection won't reconnect.
2. They can't remote into the TS and they get an error message to contact the admin.

I used Wireshark and found that they get a TCP RST from the RDP port.

Any suggestions?

John, Business Consultant (Owner), commented:
For number 1, is the timeout allowance long enough? Default VPN timeouts tend to drop the connection in the time taken for a coffee break, and I have to increase the allowance. Then the server session would have to be reset because of the unceremoniously dropped session.

For number 2, I do not understand why they would get a TCP Reset Attack message in a secure tunnel. Is the VPN pre-shared key strong enough? Are the users using WEP wireless or unsecured wireless? I have not seen this message.

miamitech305, Author, commented:
John, the VPN is set not to time out, and the VPN doesn't get disconnected. Only the RDP session while on the VPN. While on the RDP session is when I got the TCP reset attack message. Once disconnected from the TS, I'm still on the VPN.
John, Business Consultant (Owner), commented:
I would combine your comment above with number 2 and ask if the problem machine has been scanned thoroughly for viruses and malware.
miamitech305, Author, commented:
Yes, I have tried this on different machines, including out-of-the-box Dell laptops.
miamitech305, Author, commented:
Also, if I sit in my client's office I can remote into the TS servers and never be disconnected.
Does the SonicWall use RADIUS/Windows AD-based authentication/authorization for the VPN users?

MTU, IP of VPN connection.
Does this issue happen to every user or to some? If to some, does this issue correspond to those users being locked out for too many failed logon attempts? If so, are those users resuming an already running TS session that may have been started before the recent password change?

Are there event log entries reflecting failures on the security log side, or .......
John, Business Consultant (Owner), commented:
Yes, I have tried this on different machines, including out-of-the-box Dell laptops.
Also, if I sit in my client's office I can remote into the TS servers and never be disconnected.

Are you saying new machines on IP (A) work differently than your machine on IP (A)?
Or are the problem machines on IP (B)? If the latter, then is IP (B) on a blacklist?
miamitech305, Author, commented:
No, if I connect by VPN I get the same IP and subnet as if I were physically on the network.
miamitech305, Author, commented:
The problem only occurs when on VPN.
John, Business Consultant (Owner), commented:
I should have specified external IP addresses. Are you and the problem devices on the same external IP or different IPs?

I understand about the internal IP as that is how VPN works, and I understand the issue is while on VPN.

So then, are you and the problem devices coming from different external IPs?
miamitech305, Author, commented:
Define external IP, please.
John, Business Consultant (Owner), commented:
An internal IP is a 192.168.x.x or 10.x.x.x or 172.x.x.x range inside a LAN. An external IP is an address outside the LAN.

A VPN goes: internal to external: internet: external to internal.

I am looking to see if your good machine is on the same external IP as the problem machine.
miamitech305, Author, commented:
Every user who has this problem comes from a different external IP address.
John, Business Consultant (Owner), commented:
So then you are seeing TCP reset attacks from other networks, and you now might wish to see if these other external networks are blacklisted in some way. Something is saying to your network that these external networks are problems. I have never seen this message on a good network with a good computer.
miamitech305, Author, commented:
I connect to my client's network using a domain account. I receive an IP address from the domain DHCP, which is the same IP subnet as if I were sitting in the office. I can stay on the VPN all day and have no issues. If I RDP in to the terminal server, that is when I get kicked off of RDP, not VPN. I used Wireshark on the VPN LAN, which captures only internal traffic, and I get the TCP reset attack.
John, Business Consultant (Owner), commented:
Look at your Wireshark packets or logs and see if you can see a pattern to the attacks. Perhaps your inside network does not like external logins. See if you can see anything in the packets.
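An added example (not code from the thread or from anyone in it) of turning "look for a pattern in the RSTs" into something repeatable: it reads tshark field output from a capture like the one in the question and, for each RST on port 3389, reports which side sent it, how long the flow had been idle, and the largest segment seen in that flow. A long idle gap points at an idle timeout somewhere on the path; a run of full-size segments right before the RST is worth checking against the MTU inside the tunnel, which another comment raised. The sample rows, the 10.1.1.x addresses and the terminal-server host are constructed.

```python
import csv
import io
from collections import defaultdict

RDP_PORT = 3389

# Constructed sample (not from the thread) in the shape produced by:
#   tshark -r cap.pcap -T fields -E separator=, -e frame.time_relative -e ip.src \
#     -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags.reset -e tcp.len
SAMPLE = """\
0.000,10.1.1.50,49201,10.1.1.10,3389,0,0
0.045,10.1.1.10,3389,10.1.1.50,49201,0,0
0.046,10.1.1.50,49201,10.1.1.10,3389,0,19
5.200,10.1.1.50,49201,10.1.1.10,3389,0,320
5.244,10.1.1.10,3389,10.1.1.50,49201,0,1460
5.244,10.1.1.10,3389,10.1.1.50,49201,0,1460
5.250,10.1.1.10,3389,10.1.1.50,49201,1,0
7.000,10.1.1.51,49300,10.1.1.10,3389,0,0
7.040,10.1.1.10,3389,10.1.1.51,49300,0,0
7.041,10.1.1.51,49300,10.1.1.10,3389,0,19
128.900,10.1.1.10,3389,10.1.1.51,49300,1,0
"""


def rst_summary(text):
    last_seen = {}               # flow -> time of the last non-RST packet
    max_len = defaultdict(int)   # flow -> largest TCP payload seen in the flow
    findings = []
    for row in csv.reader(io.StringIO(text)):
        t, src, sport, dst, dport, rst, plen = row
        t, sport, dport, plen = float(t), int(sport), int(dport), int(plen)
        # Key the flow by the client side so both directions land in one record.
        if dport == RDP_PORT:
            flow, sender = (src, sport, dst), "client"
        elif sport == RDP_PORT:
            flow, sender = (dst, dport, src), "server"
        else:
            continue
        if rst == "1":
            findings.append({"client": flow[0], "rst_from": sender,
                             "idle_before_rst": round(t - last_seen.get(flow, t), 3),
                             "largest_segment": max_len[flow]})
        else:
            last_seen[flow] = t
            max_len[flow] = max(max_len[flow], plen)
    return findings


if __name__ == "__main__":
    for finding in rst_summary(SAMPLE):
        print(finding)
```

Run it against your own export and compare the idle gaps with the SonicWall's TCP idle timeout and the largest segments with the tunnel MTU.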