Terminal Server processing numerous packets from a single external connection

Kirchtoe
I have a 2012 R2 Terminal Server used for Remote Desktop connections.  We have been experiencing slow connections and cutoffs throughout a given day so I decided to investigate.

When I connect to the server and run, for example, Wireshark to see what is hitting the NIC, I see that in a 10-second capture there are maybe 800 packets coming from my public IP.

No other remote connection shows anywhere near this many packets.  This behavior doesn't seem normal.

I have attached a file showing the packet capture from Wireshark.  72.135.233.88 is my public IP.
Network-capture.docx
Elango Sathyadev, Senior Systems Engineer

Commented:
From what I see, it could be DNS.

Is your internet provider Spectrum Internet with organisation name "Time Warner Cable Internet LLC"?

Change Wireshark to show all origin and destination ports and post the capture again.

In Wireshark, go to Edit -> Preferences -> Columns and add the ports.
What you see are many UDP-based RDP packets.
Do you publish RDP using UDP without SSL-Gateway to the internet?
Possibly this "packet storm" is OK using RDP over UDP, but some firewalls block this as DOS-Attack/UDP-Flood.
First I would try to run the sessions without UDP.
If you disable UDP 3389 and allow TCP 3389 only at the firewall, the client and server should fall back to TCP.

I would implement at least "RDP-Webgateway" from MS.
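
One way to confirm from a capture which clients are on the RDP UDP transport and at what packet rate, and to re-check after UDP 3389 is blocked that they fell back to TCP. This is an added example, not part of the thread; it assumes the capture was exported with the tshark command shown in the comment, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

RDP_PORT = 3389
# Assumed export of the capture (column layout this script expects):
#   tshark -r capture.pcapng -T fields -E header=y -E separator=, \
#     -e frame.time_relative -e ip.src -e udp.dstport -e tcp.dstport
HEADER = "frame.time_relative,ip.src,udp.dstport,tcp.dstport"


def build_sample():
    """Constructed 10-second capture; not data from the attached file."""
    rows = [HEADER]
    # Client from the question: 800 datagrams to UDP/3389 plus some TCP/3389
    rows += [f"{i * 0.0125:.4f},72.135.233.88,3389," for i in range(800)]
    rows += [f"{i:.4f},72.135.233.88,,3389" for i in range(10)]
    # Constructed second client that only uses TCP/3389
    rows += [f"{i * 0.25:.4f},203.0.113.10,,3389" for i in range(40)]
    return "\n".join(rows)


def summarize(csv_text):
    """Per source IP: packets to UDP/3389, TCP/3389, other, and UDP rate."""
    counts = defaultdict(lambda: {"udp_rdp": 0, "tcp_rdp": 0, "other": 0})
    times = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["ip.src"]:
            continue  # frame without an IPv4 source (ARP, IPv6, ...)
        times.append(float(row["frame.time_relative"]))
        if row["udp.dstport"] == str(RDP_PORT):
            kind = "udp_rdp"
        elif row["tcp.dstport"] == str(RDP_PORT):
            kind = "tcp_rdp"
        else:
            kind = "other"
        counts[row["ip.src"]][kind] += 1
    # Rate is taken over the whole capture window, not per-client activity
    duration = (max(times) - min(times)) if len(times) > 1 else 0.0
    for c in counts.values():
        c["udp_pps"] = round(c["udp_rdp"] / duration, 1) if duration else 0.0
    return dict(counts)


def udp_rdp_sources(summary):
    """Clients still on the UDP transport; empty once fallback to TCP works."""
    return sorted(ip for ip, c in summary.items() if c["udp_rdp"] > 0)


if __name__ == "__main__":
    for ip, c in summarize(build_sample()).items():
        print(ip, c)
```

Running the same summary on a capture taken after the firewall change should show `udp_rdp_sources` returning an empty list while the `tcp_rdp` counts rise.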
