
Sonicwall NSA2400 VPN keeps dropping RDP sessions into server 2008

I have a client that has two Windows 2k8 R2 servers set up as Terminal Servers.  They have a SonicWall NSA2400 and use an IPsec VPN for remote clients. The problem occurs when remote users connect by VPN and then remote desktop into the TS. The following events occur:

1. They will log in to the TS and will be kicked off, and the connection won't reconnect.
2. They can't remote into the TS and they get an error message to contact Admin.

I used Wireshark and found that they get TCP RST from the RDP port.

Any suggestions?

Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
For number 1, is the timeout allowance long enough? Default VPN timeouts tend to drop the connection in the time taken for a coffee break and I have to increase the allowance. Then the server session would have to be reset because of the unceremoniously dropped session.

For number 2, I do not understand why they would get a TCP Reset Attack message in a secure tunnel. Is the VPN pre-shared key strong enough?  Are the users using WEP wireless or unsecured wireless?  I have not seen this message.

Author

Commented:
John, the VPN is set not to time out and the VPN doesn't get disconnected. Only the RDP session while on the VPN. While on the RDP session is when I got the TCP reset attack message. Once disconnected from TS, I'm still on the VPN.
John, Business Consultant (Owner)

Commented:
I would combine your comment above with number 2 and ask if the problem machine has been scanned thoroughly for viruses and malware.

Author

Commented:
Yes, I have tried this on different machines, including out-of-the-box Dell laptops.

Author

Commented:
Also, if I sit in my client's office I can remote into the TS servers and never be disconnected.
Distinguished Expert 2019

Commented:
Does the SonicWall use RADIUS/Windows AD based authentication/authorization for the VPN users?

MTU, IP of VPN connection.
Does this issue happen to every user or to some? If to some, does this issue correspond to those users being locked out for too many failed logon attempts?  If so, are those users resuming an already running TS session that may have been started before the recent password change?

Are there eventlog entries reflecting failures on the security log side, or .......
John, Business Consultant (Owner)

Commented:
Yes, I have tried this on different machines, including out-of-the-box Dell laptops.
Also, if I sit in my client's office I can remote into the TS servers and never be disconnected.


Are you saying new machines on IP (A) work differently than your machine in IP (A)?
Or, are the problem machines on IP (B)?  If the latter, then is IP (B) on a blacklist?

Author

Commented:
No, if I connect by VPN I get the same IP and subnet as if I was physically on the network.

Author

Commented:
Problem only occurs when on VPN.
John, Business Consultant (Owner)

Commented:
I should have specified External IP addresses. Are you and the problem devices on the same External IP or different IP?

I understand about the internal IP as that is how VPN works, and I understand the issue is while on VPN.

So then are you and the problem devices coming from different external IPs?

Author

Commented:
Define External IP, please.
John, Business Consultant (Owner)

Commented:
An internal IP is a 192.168.x.x or 10.x.x.x or 172.x.x.x range inside a LAN. An external IP is an address outside the LAN.

A VPN goes: internal to external : internet : external to internal.

I am looking to see if your good machine is on the same external IP as the problem machine.

Author

Commented:
Every user who has this problem comes from a different external IP address.
John, Business Consultant (Owner)

Commented:
So then you are seeing TCP reset attacks from other networks and you now might wish to see if these other external networks are blacklisted in some way. Something is saying to your network that these external networks are problems. I have never seen this message on a good network with a good computer.

Author

Commented:
I connect to my client's network using a domain account. I receive an IP address from the domain DHCP, that is the same IP subnet as if I was sitting in the office, 192.168.xxx.xxx. I can stay on the VPN all day and have no issues. If I RDP in to the terminal server, that is when I get kicked off of RDP, not VPN. I used Wireshark on the VPN LAN that captures only internal traffic and I get the TCP reset attack.
John, Business Consultant (Owner)

Commented:
Look at your Wireshark packets or logs and see if you can see a pattern to the attacks. Perhaps your inside network does not like external logins. See if you can see anything in the packets.
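
One way to look for a pattern in the captured resets, as an added example that is not from any poster in this thread: it reads a tshark field export, reports which side sent each RST on the RDP port, how long the session was idle beforehand, and whether the RST's TTL matches that sender's other packets (a mismatch is a heuristic hint that a device in the path, not the endpoint, generated it). The sample rows, addresses and the function name are constructed for illustration.

```python
from collections import defaultdict

RDP_PORT = 3389

# Constructed sample rows (not from the thread), in the column order produced by:
#   tshark -r capture.pcap -Y "tcp.port==3389" -T fields -E separator=, \
#     -e frame.time_relative -e ip.src -e ip.dst -e ip.ttl \
#     -e tcp.srcport -e tcp.dstport -e tcp.flags.reset
SAMPLE = """\
0.000,192.168.1.50,192.168.1.10,128,50123,3389,0
0.002,192.168.1.10,192.168.1.50,128,3389,50123,0
1.500,192.168.1.50,192.168.1.10,128,50123,3389,0
1.502,192.168.1.10,192.168.1.50,128,3389,50123,0
301.600,192.168.1.10,192.168.1.50,64,3389,50123,1
"""

def find_rdp_resets(text):
    """Return one dict per RST on an RDP flow: sender, idle gap, TTL check."""
    seen_ttls = defaultdict(set)  # (flow, sender) -> TTLs of sender's non-RST packets
    last_seen = {}                # flow -> timestamp of the previous packet
    findings = []
    for line in text.strip().splitlines():
        t, src, dst, ttl, sport, dport, rst = line.split(",")
        t, ttl, sport, dport = float(t), int(ttl), int(sport), int(dport)
        if RDP_PORT not in (sport, dport):
            continue
        flow = frozenset([(src, sport), (dst, dport)])
        if rst in ("1", "True"):  # boolean rendering differs between tshark versions
            baseline = seen_ttls[(flow, src)]
            findings.append({
                "time": t,
                "sender": src,
                "from_server_side": sport == RDP_PORT,
                # seconds since the last packet on this flow; long gaps suggest an idle timeout
                "idle_before": round(t - last_seen.get(flow, t), 3),
                "ttl": ttl,
                # None when the sender had no earlier packets to compare against
                "ttl_matches_sender": (ttl in baseline) if baseline else None,
            })
        else:
            seen_ttls[(flow, src)].add(ttl)
        last_seen[flow] = t
    return findings

if __name__ == "__main__":
    for finding in find_rdp_resets(SAMPLE):
        print(finding)
```

In the constructed sample the RST carries the server's address but a different TTL and follows roughly five minutes of silence, the kind of pattern worth comparing against the firewall's TCP connection inactivity settings.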