RDP over IPSec fails

03-16-2008, 08:00 PM

I have a weird problem and I can't seem to figure out what's going on.

I have two customers. For one of them, I have configured an IPSec tunnel between an ISA Server and a Cisco 877. For the other one, I have configured an IPSec tunnel between two Cisco 877 routers.

At customer one, I can start an RDP session from the Cisco site to the ISA site, but fails from the ISA site to the Cisco site.

At customer two, RDP fails in both directions.

I have done a capture of the traffic between the sites. What I noticed is that when I try to establish the RDP connection, the client computer sends a SYN, ACK, the server receives this packet and responds with an ACK, but the ACK never reaches the other side of the tunnel.

I have searched the internet for clues, but most articles and forum posts I have found suggest MTU/packet size/fragmentation problems. The reason I don't think my problem has anything to do with those, is that the size of the beforementioned ACK packet is only about 64 bytes.

I have tried to figure out what the Cisco router does with the packet, but I don't really know which debug commands to use. (I tried debug ip packet <# of acl> and debug crypto ipsec, but they don't provide useful information.) Can anyone recommend debug commands that may provide clues as to what might go wrong?

If anyone has any ideas or suggestions, I'd be very happy to hear them.

rsscp1

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
ipsec vpn pix506 cant see internal network	lokojones	Hardware	1	06-29-2009 03:44 PM
Cisco Firewall - IPSEC Pass-through	kvlind	Hardware	0	12-19-2008 05:24 AM
Cisco 2621 xm router has high cpu usage	Seby	Hardware	1	01-16-2008 05:31 AM
NEED INFO ON IPSec between PIX515 devices.	bhumikpatel	Hardware	1	12-16-2007 02:59 PM
PIX and Windows 2003 - NAT and IPSEC on the same interface	milosh	Hardware	0	05-22-2007 11:42 AM

03-16-2008, 08:00 PM	#1
	RDP over IPSec fails I have a weird problem and I can't seem to figure out what's going on. I have two customers. For one of them, I have configured an IPSec tunnel between an ISA Server and a Cisco 877. For the other one, I have configured an IPSec tunnel between two Cisco 877 routers. At customer one, I can start an RDP session from the Cisco site to the ISA site, but fails from the ISA site to the Cisco site. At customer two, RDP fails in both directions. I have done a capture of the traffic between the sites. What I noticed is that when I try to establish the RDP connection, the client computer sends a SYN, ACK, the server receives this packet and responds with an ACK, but the ACK never reaches the other side of the tunnel. I have searched the internet for clues, but most articles and forum posts I have found suggest MTU/packet size/fragmentation problems. The reason I don't think my problem has anything to do with those, is that the size of the beforementioned ACK packet is only about 64 bytes. I have tried to figure out what the Cisco router does with the packet, but I don't really know which debug commands to use. (I tried debug ip packet <# of acl> and debug crypto ipsec, but they don't provide useful information.) Can anyone recommend debug commands that may provide clues as to what might go wrong? If anyone has any ideas or suggestions, I'd be very happy to hear them. rsscp1