RDP thru Cisco VPN client and thru 501 Failure

 
 
curttampa@gmail.com
      08-05-2008
From home, we use plain old home Netgear routers to connect up to the
net. We use our laptops and the Cisco VPN client to connect up to a
Cisco VPN Appliance in a data center and MS's RDP to connect up to our
servers. This setup works perfectly. We use a PIX 501 from our office
to connect to the net. The VPN Client connects up to the appliance
just fine. However, RDP will not connect up to our servers. We are
using a 172.16.1.x subnet within the data center. In the office, we
just use a 192.168.4.x subnet. Anyone have any other ideas that might
explain this failure?

Thanks in advance. (Our 'expert' who set up all this is unable to
explain it.)
 
Merv
      08-05-2008
On Aug 5, 4:11 pm, Artie Lange <(E-Mail Removed)> wrote:
> (E-Mail Removed) wrote:
> > From home, we use plain old home Netgear routers to connect up to the
> > net. We use our laptops and the Cisco VPN client to connect up to a
> > Cisco VPN Appliance in a data center and MS's RDP to connect up to our
> > servers. This setup works perfectly. We use a PIX 501 from our office
> > to connect to the net. The VPN Client connects up to the appliance
> > just fine. However, RDP will not connect up to our servers. We are
> > using a 172.16.1.x subnet within the data center. In the office, we
> > just use a 192.168.4.x subnet. Anyone have any other ideas that might
> > explain this failure?

>
> > Thanks in advance. (Our 'expert' who set up all this is unable to
> > explain it.)

>
> What is the DHCP pool you use for your clients?
> Do your clients receive an IP from a different pool depending on where they
> connect from or who the user is?
> Do you have any ACLs defining RDP traffic?
> Can you browse the servers' file systems?
> Do you have the firewall enabled on the server?



RDP packets cannot be fragmented. RDP sets the do-not-fragment bit in
its TCP packets, so do a path MTU discovery manually using ping.

Start with a ping packet length of 1500 and reduce until you have a
successful ping.

ping -l 1500 -f <IP address>

Can the VPN clients ping the servers in question, i.e. confirm there
are no other connectivity issues?

If they can ping successfully then determine the largest MTU that the
client can use with no-fragment set.

Adjust your NIC to use the discovered maximum path MTU size.

Then set that MTU size on the VPN client and see if RDP connectivity
is possible.
 
curttampa@gmail.com
      08-06-2008
On Aug 5, 4:39 pm, Merv <(E-Mail Removed)> wrote:
> On Aug 5, 4:11 pm, Artie Lange <(E-Mail Removed)> wrote:
>
> > (E-Mail Removed) wrote:
> > > From home, we use plain old home Netgear routers to connect up to the
> > > net. We use our laptops and the Cisco VPN client to connect up to a
> > > Cisco VPN Appliance in a data center and MS's RDP to connect up to our
> > > servers. This setup works perfectly. We use a PIX 501 from our office
> > > to connect to the net. The VPN Client connects up to the appliance
> > > just fine. However, RDP will not connect up to our servers. We are
> > > using a 172.16.1.x subnet within the data center. In the office, we
> > > just use a 192.168.4.x subnet. Anyone have any other ideas that might
> > > explain this failure?

>
> > > Thanks in advance. (Our 'expert' who set up all this is unable to
> > > explain it.)

>
> > What is the DHCP pool you use for your clients?
> > Do your clients receive an IP from a different pool depending on where they
> > connect from or who the user is?
> > Do you have any ACLs defining RDP traffic?
> > Can you browse the servers' file systems?
> > Do you have the firewall enabled on the server?

>
> RDP packets cannot be fragmented. RDP sets the do-not-fragment bit in
> its TCP packets, so do a path MTU discovery manually using ping.
>
> Start with a ping packet length of 1500 and reduce until you have a
> successful ping.
>
> ping -l 1500 -f <IP address>
>
> Can the VPN clients ping the servers in question, i.e. confirm there
> are no other connectivity issues?
>
> If they can ping successfully then determine the largest MTU that the
> client can use with no-fragment set.
>
> Adjust your NIC to use the discovered maximum path MTU size.
>
> Then set that MTU size on the VPN client and see if RDP connectivity
> is possible.


Isn't there an easier way? This seems really complicated. Maybe we
should just dump this fancy firewall that prevents us from working.
 
Merv
      08-06-2008

The Cisco VPN client comes with a program SetMTU.exe that can be used
to set the MTU size on the NIC on the PCs in question.

If you want to skip the manual path MTU exercise then just set the MTU to,
say, 1300 temporarily on one PC to see if RDP connectivity is then
possible.

 
CurtTampa
      08-08-2008
On Aug 6, 7:35 am, Artie Lange <(E-Mail Removed)> wrote:
> (E-Mail Removed) wrote:
> > Isn't there an easier way? This seems really complicated. Maybe we
> > should just dump this fancy firewall that prevents us from working.

>
> Well, if it works from one location, it most likely is not an issue with
> the firewall. The connection at your office, as Merv pointed out, may
> use an MTU that is different than the other location you are connecting
> from. If your idea is to dump the firewall for another solution, that is
> completely up to you, *BUT* for an hour of diagnosis time you could
> probably have an engineer look at and fix the issue.


When I do it from home, I find that a packet size of 1273 is the largest
that pings OK. Remember, my RDP works all the time.
When the person in the office tries to ping at a 1500 size, he gets
"packet needs to be fragmented"; at any size < 1273, he gets "request
timed out".
Sounds like he is not getting thru the Cisco Client at all.
Next idea please?
 
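Merv's manual path-MTU sweep and the distinction Curt draws above between a "needs to be fragmented" reply and a "request timed out" reply, as an added example that is not code from the thread or from Cisco: it classifies the Windows ping messages, replaces the linear "reduce until it works" sweep with a binary search over the DF-bit payload size, and turns the outcome into the next troubleshooting step. The probe helper assumes Windows ping syntax (-n, -f, -l); the function names and the constructed sample outputs are mine.

```python
import re
import subprocess
import sys

# Outcomes of a single don't-fragment ping probe. The message texts matched below are
# the Windows ping replies quoted in the thread ("needs to be fragmented", "timed out").
OK, FRAG_NEEDED, TIMEOUT = "ok", "frag_needed", "timeout"

def classify_ping_output(text):
    """Map the output of one 'ping -n 1 -f -l <size> <host>' (Windows) to an outcome."""
    if re.search(r"needs to be fragmented", text, re.IGNORECASE):
        return FRAG_NEEDED
    if re.search(r"^Reply from \S+: bytes=", text, re.MULTILINE):
        return OK
    return TIMEOUT  # "Request timed out." or any other failure to get an echo reply

def windows_df_probe(host, payload):
    """Send one ping with the DF bit set (-f) and an ICMP payload of `payload` bytes (-l)."""
    proc = subprocess.run(["ping", "-n", "1", "-f", "-l", str(payload), host],
                          capture_output=True, text=True)
    return classify_ping_output(proc.stdout)

def find_max_df_payload(probe, lo=0, hi=1500):
    """Largest payload in [lo, hi] for which probe(size) returns OK, by binary search.
    Returns (best_size_or_None, saw_frag_needed). Assumes success is monotone in size,
    which holds when the only thing limiting the probe is the path MTU."""
    best, saw_frag = None, False
    while lo <= hi:
        mid = (lo + hi) // 2
        result = probe(mid)
        if result == OK:
            best, lo = mid, mid + 1
        else:
            saw_frag = saw_frag or result == FRAG_NEEDED
            hi = mid - 1
    return best, saw_frag

def diagnose(best, saw_frag):
    """Turn the search result into the next troubleshooting step."""
    if best is not None:
        # -l counts ICMP data only; add 8 (ICMP header) + 20 (IPv4 header) for the MTU.
        return f"reachable; largest DF payload {best}, path MTU about {best + 28}"
    if saw_frag:
        return "no size was answered, but DF packets were rejected: retry from a smaller start size"
    return "every probe timed out: host unreachable through the tunnel, not an MTU problem"

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "172.16.1.240"  # a server from the route tables
    best, saw_frag = find_max_df_payload(lambda n: windows_df_probe(host, n))
    print(diagnose(best, saw_frag))
```

Run it on the office PC against one of the 172.16.1.x servers; about eleven pings replace the 1500-step sweep, and an all-timeout result points at routing or the tunnel rather than MTU.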
CurtTampa
      08-08-2008
One more thing, here is the ROUTE PRINT output from both machines.
I don't know if this will point out anything or not; if not, sorry to
waste your time.

===========================================================================
Home Route PRINT (Cisco Client Connected and RDP Working)
===========================================================================
C:\Documents and Settings\Curt>route PRINT

Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 c0 a8 86 b0 45 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Deterministic Network Enhancer Miniport
0x20004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.69.1   192.168.69.22      20
     66.71.50.254  255.255.255.255     192.168.69.1   192.168.69.22       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       172.16.1.0    255.255.255.0     172.16.1.182    172.16.1.182      10
     172.16.1.182  255.255.255.255        127.0.0.1       127.0.0.1      10
     172.16.1.240  255.255.255.255     172.16.1.182    172.16.1.182       1
     172.16.1.247  255.255.255.255     172.16.1.182    172.16.1.182       1
     172.16.1.249  255.255.255.255     172.16.1.182    172.16.1.182       1
   172.16.255.255  255.255.255.255     172.16.1.182    172.16.1.182      10
     192.168.69.0    255.255.255.0    192.168.69.22   192.168.69.22      20
    192.168.69.22  255.255.255.255        127.0.0.1       127.0.0.1      20
   192.168.69.255  255.255.255.255    192.168.69.22   192.168.69.22      20
        224.0.0.0        240.0.0.0     172.16.1.182    172.16.1.182      10
        224.0.0.0        240.0.0.0    192.168.69.22   192.168.69.22      20
  255.255.255.255  255.255.255.255     172.16.1.182    172.16.1.182       1
  255.255.255.255  255.255.255.255    192.168.69.22   192.168.69.22       1
Default Gateway: 192.168.69.1

Persistent Routes:

C:\Documents and Settings\Curt>

===========================================================================
This is in the office where it FAILS
===========================================================================

C:\Documents and Settings\Chuck>route PRINT

Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 06 5b ac 67 43 ...... 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - Packet Scheduler Miniport
0x3 ...00 0e 2e 52 91 62 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
0x10005 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.4.1    192.168.4.36      20
     66.71.50.254  255.255.255.255      192.168.4.1    192.168.4.36       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       172.16.1.0    255.255.255.0     172.16.1.181    172.16.1.181      20
     172.16.1.181  255.255.255.255        127.0.0.1       127.0.0.1      20
     172.16.1.240  255.255.255.255     172.16.1.181    172.16.1.181       1
     172.16.1.247  255.255.255.255     172.16.1.181    172.16.1.181       1
     172.16.1.249  255.255.255.255     172.16.1.181    172.16.1.181       1
   172.16.255.255  255.255.255.255     172.16.1.181    172.16.1.181      20
      192.168.4.0    255.255.255.0     192.168.4.36    192.168.4.36      20
     192.168.4.36  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.4.255  255.255.255.255     192.168.4.36    192.168.4.36      20
        224.0.0.0        240.0.0.0     172.16.1.181    172.16.1.181      20
        224.0.0.0        240.0.0.0     192.168.4.36    192.168.4.36      20
  255.255.255.255  255.255.255.255     172.16.1.181    172.16.1.181       1
  255.255.255.255  255.255.255.255     192.168.4.36               2       1
  255.255.255.255  255.255.255.255     192.168.4.36    192.168.4.36       1
Default Gateway: 192.168.4.1
===========================================================================
Persistent Routes:
None

C:\Documents and Settings\Chuck>
 
Merv
      08-09-2008

Can you please provide some clarifications?

Do you have a separate PC at home and at work, or is it a laptop that
you take to and from the office?

You say your RDP works all the time - does this mean at home and at the
office?

How many PCs in the office can use RDP and connect successfully?

You have indicated that at least one cannot connect using RDP in the
office - is there more than one that cannot use RDP?

What is the device that interconnects the office 192.168.4.x subnet to
the datacenter's 172.16.1.x subnet?
 
CurtTampa
      08-10-2008
Chuck has a desktop in the office that fails. He has a laptop that fails
in the office network, but if he plugs it directly into the back of the
cable modem it works perfectly.
I, on the other hand, do not have an office PC; I work from home and mine
works perfectly always.

There are only two of us who attempt to use the VPN. Only 1 in the
office ever. No PCs going thru the office PIX work ever.

I have no clue what the device that interconnects the office 192.168.4.x
subnet to the datacenter's 172.16.1.x subnet is at all. I know our
'expert' has a 506E in his rack. He just calls it a 'Cisco VPN
Appliance'. If that is critical I will attempt to contact him. That
usually takes a month or so for him to get back to us on anything where
we are not totally down.

(Know any good Cisco people in Tampa, Florida?)
 
Merv
      08-10-2008
On Aug 10, 7:46 am, CurtTampa <(E-Mail Removed)> wrote:
> Chuck has a desktop in the office that fails. He has a laptop that fails
> in the office network, but if he plugs it directly into the back of the
> cable modem it works perfectly.
> I, on the other hand, do not have an office PC; I work from home and mine
> works perfectly always.
>
> There are only two of us who attempt to use the VPN. Only 1 in the
> office ever. No PCs going thru the office PIX work ever.
>
> I have no clue what the device that interconnects the office 192.168.4.x
> subnet to the datacenter's 172.16.1.x subnet is at all. I know our
> 'expert' has a 506E in his rack. He just calls it a 'Cisco VPN
> Appliance'. If that is critical I will attempt to contact him. That
> usually takes a month or so for him to get back to us on anything where
> we are not totally down.
>
> (Know any good Cisco people in Tampa, Florida?)



So the datacenter and the office are at two different sites?

Clearly if Chuck can connect his PC directly to the office DSL modem
and is then able to successfully use RDP to the datacenter, then this
would tend to indicate that whatever the device is between Chuck's PC
and the DSL modem is the source of the problem. If it is a firewall,
then normally outbound TCP connections are automatically permitted and
the return TCP traffic is allowed thru the firewall. However, the
firewall may be only permitting certain TCP ports thru, and if that is
the case then RDP could certainly be impacted.

Call the Cisco sales office in Tampa and ask for the names of a couple
of good Cisco distributors in Tampa, and ring them up and see if they
provide consulting services so you can get your issue resolved.

 
CurtTampa
      08-10-2008
That's the whole point of this posting and why I included the ROUTE
PRINT. We have been told that there are no outgoing ports blocked in
the office PIX. And since the Cisco VPN Client successfully connects
to the data center thru the PIX, clearly that is not the issue. Traffic
to the remote network is apparently not being routed thru the VPN
client. I got there due to the fact that all pings to the remote
network fail no matter what the packet size is.
What is weird about this is, we replaced the PIX with a home Netgear
for one day and it works just fine with no changes to any of the PCs
in the office. So it must be the PIX somehow, even though it appears
to be a routing issue.
 