bunchageeks
asked on
RDP Disconnects over SonicWall Global VPN
I have several locations with sonicwall firewalls. Each location has several people working remotely, using remote desktop while connected via global vpn client. All of the locations are complaining of frequent disconnections from RDP. The VPN itself is not losing connection.
Some of the time it's due to internet speed/latency issues, but most of the time these disconnects don't make any sense to me.
One user has a sonicwall firewall at her home office with a site-to-site VPN and never had this issue. But now that her location has a dozen people connecting on remote access VPN's she is suffering the same problem with RDP.
I set up a couple of users with RDP direct through the sonicwall without the VPN, and they rarely get disconnected. When I switch them back to the VPN, they get disconnected frequently again.
I set up a few people with SSL VPN and they have the same issue.
This issue is spread out among multiple towns and different internet providers. Again, I know internet usage is a bit overutilized right now, but that doesn't seem to be the cause of this problem.
What they all have in common is that they are all connecting to SonicWall firewalls (TZ 300, TZ500, etc). I did make sure each one has enough licenses to cover the VPN's. This happens even when only a few people are connected.
Does anyone know what will fix this issue?
Some of the time it's due to internet speed/latency issues, but most of the time these disconnects don't make any sense to me.
One user has a sonicwall firewall at her home office with a site-to-site VPN and never had this issue. But now that her location has a dozen people connecting on remote access VPN's she is suffering the same problem with RDP.
I set up a couple of users with RDP direct through the sonicwall without the VPN, and they rarely get disconnected. When I switch them back to the VPN, they get disconnected frequently again.
I set up a few people with SSL VPN and they have the same issue.
This issue is spread out among multiple towns and different internet providers. Again, I know internet usage is a bit overutilized right now, but that doesn't seem to be the cause of this problem.
What they all have in common is that they are all connecting to SonicWall firewalls (TZ 300, TZ500, etc). I did make sure each one has enough licenses to cover the VPN's. This happens even when only a few people are connected.
Does anyone know what will fix this issue?
Have you tried using a different VPN client, say the native Windows one? It seems from your description of the problem that the global VPN client is having problems, perhaps due to an update. Even if it isn't compliant with organisation policy it's worth trying, if only to establish where the problem lies.
ASKER
Thanks. I'm not having any luck with the Windows 10 vpn. I get an error about security layer could not negotiate with compatible parameters. Haven't found a solution for that yet. I have shrew soft vpn as well, that I had used in the past for ipsec vpn's on windows 10 to cisco. But I'm not getting that to connect to the sonicwall, either. Do you know of any other vpn clients that work with Sonicwall ipsec?
I don't, unfortunately, but I'm surprised that the Windows client barfs with the Sonicwall IPSec. Are you using L2TP?
Consider asking employees to actually set the transfer rate at a lower speed, depending on what they need to do reduce the color bit scale from 32 to 16 as an example, speed setting at 512k
The point to lower the amount of data transmitted
Are the user's connecting to an RDS server, or to their own workstation?
Disconnect, means the session goes into the trying to reconnect counter? Are you experiencing the same thing?
Are the users attaching local resources beyond clipboard and printers?
Does the sonicwall reflects retransmission/renegotiati on of the VPN
The point to lower the amount of data transmitted
Are the user's connecting to an RDS server, or to their own workstation?
Disconnect, means the session goes into the trying to reconnect counter? Are you experiencing the same thing?
Are the users attaching local resources beyond clipboard and printers?
Does the sonicwall reflects retransmission/renegotiati
ASKER
They are connecting to their own workstations. The disconnect does go into trying to reconnect on rdp. Their vpns are not dropping, which I have verified while the rdp disconnects. They are not adding additional local resources in rdp settings. I'll have them set the lower speed settings and see if that helps.
Do you have visibility on your network consumption of resources.
Are the applications running on the workstation in the office, are high network resource consumer?
Are the applications running on the workstation in the office, are high network resource consumer?
ASKER
I'll see what I can find out on that. But this is happening at a few locations, unrelated to each other, with a variety of people/roles. What really gets me is that the user I set to use RDP without the VPN is having great success. With the VPN, same trouble.
The issue is whether the VPN resource consumption ....or utilization at the time of the issue, i.e. peeak off-peak use.
RDP within a VPN tunnel. ..firewall/cpu/resource use?
RDP within a VPN tunnel. ..firewall/cpu/resource use?
ASKER
I've checked several times during an rdp issue and resource usage on the firewall is minimal
do you secure all traffic on the VPN connection meaning all traffic including internet flows through the VPN?
try to reduce the window of the RDP session. try to adjust the WAN speed on the client to 512KB, bit size see if this persist with a lower demand on the network in terms of how much data has to flow back and forth.
how many simulteneous vpn connection does the firewall support and how many are in use?
try to reduce the window of the RDP session. try to adjust the WAN speed on the client to 512KB, bit size see if this persist with a lower demand on the network in terms of how much data has to flow back and forth.
how many simulteneous vpn connection does the firewall support and how many are in use?
ASKER
It will do 25 VPN's, 18 are in use.
ASKER
I was connected for a while this morning with a constant ping to a server. I kept this going on a second monitor while doing my regular work. A couple of times I noticed the pings timing out and checked the firewall and the global vpn client log. The firewall hit 20% on the cpu, not that high. But the log showed:
2020/04/20 14:04:56:186 Information <local host> Releasing IP address for the virtual interface (00-60-73-A8-04-DA).
2020/04/20 14:05:07:271 Information -IP removed for security- Sending phase 2 delete for 192.168.0.0/255.255.255.0.
2020/04/20 14:05:07:271 Information -IP removed for security- Sending phase 1 delete.
2020/04/20 14:05:07:752 Information -IP removed for security- Starting ISAKMP phase 1 negotiation.
2020/04/20 14:05:10:155 Information -IP removed for security- Starting aggressive mode phase 1 exchange.
2020/04/20 14:05:10:156 Information -IP removed for security- NAT Detected: Local host is behind a NAT device.
2020/04/20 14:05:10:156 Information -IP removed for security- The SA lifetime for phase 1 is 28800 seconds.
2020/04/20 14:05:10:156 Information -IP removed for security- Phase 1 has completed.
2020/04/20 14:05:10:213 Information -IP removed for security- Received XAuth request.
2020/04/20 14:05:10:214 Information -IP removed for security- Sending XAuth reply.
2020/04/20 14:05:10:243 Information -IP removed for security- Received XAuth status.
2020/04/20 14:05:10:243 Information -IP removed for security- Sending XAuth acknowledgement.
2020/04/20 14:05:10:243 Information -IP removed for security- User authentication has succeeded.
2020/04/20 14:05:10:296 Information -IP removed for security- Received request for policy version.
2020/04/20 14:05:10:296 Information -IP removed for security- Sending policy version reply.
2020/04/20 14:05:10:323 Information -IP removed for security- Received policy change is not required.
2020/04/20 14:05:10:323 Information -IP removed for security- Sending policy acknowledgement.
2020/04/20 14:05:10:323 Information -IP removed for security- The configuration for the connection is up to date.
2020/04/20 14:05:10:354 Information -IP removed for security- Starting ISAKMP phase 2 negotiation with 192.168.0.0/255.255.255.0: BOOTPC:BOO TPS:UDP.
2020/04/20 14:05:10:354 Information -IP removed for security- Starting quick mode phase 2 exchange.
2020/04/20 14:05:10:410 Information -IP removed for security- The SA lifetime for phase 2 is 28800 seconds.
2020/04/20 14:05:10:410 Information -IP removed for security- Phase 2 with 192.168.0.0/255.255.255.0: BOOTPC:BOO TPS:UDP has completed.
2020/04/20 14:05:10:446 Information <local host> Renewing IP address for the virtual interface (00-60-73-A8-04-DA).
2020/04/20 14:05:11:955 Information <local host> The virtual interface has been added to the system with IP address 192.168.0.139.
2020/04/20 14:05:11:979 Information <local host> The system ARP cache has been flushed.
2020/04/20 14:04:56:186 Information <local host> Releasing IP address for the virtual interface (00-60-73-A8-04-DA).
2020/04/20 14:05:07:271 Information -IP removed for security- Sending phase 2 delete for 192.168.0.0/255.255.255.0.
2020/04/20 14:05:07:271 Information -IP removed for security- Sending phase 1 delete.
2020/04/20 14:05:07:752 Information -IP removed for security- Starting ISAKMP phase 1 negotiation.
2020/04/20 14:05:10:155 Information -IP removed for security- Starting aggressive mode phase 1 exchange.
2020/04/20 14:05:10:156 Information -IP removed for security- NAT Detected: Local host is behind a NAT device.
2020/04/20 14:05:10:156 Information -IP removed for security- The SA lifetime for phase 1 is 28800 seconds.
2020/04/20 14:05:10:156 Information -IP removed for security- Phase 1 has completed.
2020/04/20 14:05:10:213 Information -IP removed for security- Received XAuth request.
2020/04/20 14:05:10:214 Information -IP removed for security- Sending XAuth reply.
2020/04/20 14:05:10:243 Information -IP removed for security- Received XAuth status.
2020/04/20 14:05:10:243 Information -IP removed for security- Sending XAuth acknowledgement.
2020/04/20 14:05:10:243 Information -IP removed for security- User authentication has succeeded.
2020/04/20 14:05:10:296 Information -IP removed for security- Received request for policy version.
2020/04/20 14:05:10:296 Information -IP removed for security- Sending policy version reply.
2020/04/20 14:05:10:323 Information -IP removed for security- Received policy change is not required.
2020/04/20 14:05:10:323 Information -IP removed for security- Sending policy acknowledgement.
2020/04/20 14:05:10:323 Information -IP removed for security- The configuration for the connection is up to date.
2020/04/20 14:05:10:354 Information -IP removed for security- Starting ISAKMP phase 2 negotiation with 192.168.0.0/255.255.255.0:
2020/04/20 14:05:10:354 Information -IP removed for security- Starting quick mode phase 2 exchange.
2020/04/20 14:05:10:410 Information -IP removed for security- The SA lifetime for phase 2 is 28800 seconds.
2020/04/20 14:05:10:410 Information -IP removed for security- Phase 2 with 192.168.0.0/255.255.255.0:
2020/04/20 14:05:10:446 Information <local host> Renewing IP address for the virtual interface (00-60-73-A8-04-DA).
2020/04/20 14:05:11:955 Information <local host> The virtual interface has been added to the system with IP address 192.168.0.139.
2020/04/20 14:05:11:979 Information <local host> The system ARP cache has been flushed.
ASKER
DHCP is relayed to a server on site. The IP lease time is 8 hours
check whether the POlicy for VPN connection renewal is different from the settings on the VPN side.key length and duration of session?
3600, 8 hours?
3600, 8 hours?
ASKER
Key lifetime is 28800 and session timeout is 60 minutes
not sure I've seen such a large session timeout windows not sure whether that has any baring on the issue.
Often, one would not want to have that wide of a window of the VPN remaining connected with no activity flowing through.
during VPN key you have about a 30 second window where no traffic can pass which on the RDP connection will show up as a disconnect.
Often, one would not want to have that wide of a window of the VPN remaining connected with no activity flowing through.
during VPN key you have about a 30 second window where no traffic can pass which on the RDP connection will show up as a disconnect.
ASKER
After countless troubleshooting steps, sonicwall tickets, etc I have decided to give up on this and move on. I replaced a TZ300 with a TZ600 to see if perhaps the max specs were a bit inflated by sonicwall, but it changed nothing. I've tried different versions of the vpn client, firmware, ssl vpn, etc but nothing changed. I tried any and every setting I could find but to no avail. I tried alternatives to rdp but they had the same result. Pings would also drop out so that wasn't the issue. I had a few people quit using the vpn client and gave them straight rdp through port forwarding and it worked fine. This is not a secure solution, so I put it to an end after a week.
Thank you all for your help in troubleshooting. I'll spend no more time on this.
Thank you all for your help in troubleshooting. I'll spend no more time on this.
Your issue is that your Refresh phase 1 and phase 2 is the same 28800 seconds.
Usually phase 1 is hourly, 3600 sec., while the other is 28800
Usually phase 1 is hourly, 3600 sec., while the other is 28800
2020/04/20 14:05:10:155 Information -IP removed for security- Starting aggressive mode phase 1 exchange.
2020/04/20 14:05:10:156 Information -IP removed for security- NAT Detected: Local host is behind a NAT device.
2020/04/20 14:05:10:156 Information -IP removed for security- The SA lifetime for phase 1 is 28800 seconds.
2020/04/20 14:05:10:156 Information -IP removed for security- Phase 1 has completed.
2020/04/20 14:05:10:213 Information -IP removed for security- Received XAuth request.
2020/04/20 14:05:10:214 Information -IP removed for security- Sending XAuth reply.
2020/04/20 14:05:10:243 Information -IP removed for security- Received XAuth status.
2020/04/20 14:05:10:243 Information -IP removed for security- Sending XAuth acknowledgement.
2020/04/20 14:05:10:243 Information -IP removed for security- User authentication has succeeded.
2020/04/20 14:05:10:296 Information -IP removed for security- Received request for policy version.
2020/04/20 14:05:10:296 Information -IP removed for security- Sending policy version reply.
2020/04/20 14:05:10:323 Information -IP removed for security- Received policy change is not required.
2020/04/20 14:05:10:323 Information -IP removed for security- Sending policy acknowledgement.
2020/04/20 14:05:10:323 Information -IP removed for security- The configuration for the connection is up to date.
2020/04/20 14:05:10:354 Information -IP removed for security- Starting ISAKMP phase 2 negotiation with 192.168.0.0/255.255.255.0:BOOTPC:BOOTPS:UDP.
2020/04/20 14:05:10:354 Information -IP removed for security- Starting quick mode phase 2 exchange.
2020/04/20 14:05:10:410 Information -IP removed for security- The SA lifetime for phase 2 is 28800 seconds.
ASKER
Thanks, I just changed it and will see how it goes. The VPN wizard is what set 28800. But then again, the sonicwall site to site vpn wizard also sets aggressive mode when it should be main mode.
Changing on the firewall, the policy on the client side hs to be updated to match.
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.