Site to Site VPN + RDP

Discussion in 'Cisco' started by robertm@performancematerials.com, Aug 31, 2006.

  1. Guest

    Hello,

    I have a Cisco router in the US and a Symantec Router in China. I have
    established a Site to Site VPN. I can ping each network from both
    sides. The problem is that when I use Remote Desktop from the US to
    China, I am able to connect but I get a black screen, or the connection
    is very very slow. Any Suggestions?
    , Aug 31, 2006
    #1
    1. Advertising

  2. Merv Guest

    RDP is a VERY chatty prtocol so do not be surprised if it will not
    work well/at all over a VPN especailly with many hops.


    Couple of things you might try:

    1. RDP sets the do-not-fragment bit in its TCP packet
    so do a path MTU discovery manuall using ping.
    Start with a ping packet lenght of 1500 and reduce until you have
    successful ping.

    Adjust you NIC to use the discovered maximum path MTU size

    ping -l 1500 -f <IP address>


    2. On Windows increase the TCP retransmissions retries count via
    REGEDIT:

    Add a value to the TcpMaxDataRetransmissions subkey under the
    following registry key:


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions
    = 10

    If the value does not exist, highlight PARAMETERS, go to Edit and
    select add value. Choose REG_ DWORD format
    Merv, Aug 31, 2006
    #2
    1. Advertising

  3. Guest

    Merv wrote:
    > RDP is a VERY chatty prtocol so do not be surprised if it will not
    > work well/at all over a VPN especailly with many hops.

    Hmmm.

    I don't think that it is chatty! Maybe compared to telnet but you are
    getting
    more bang.

    > Couple of things you might try:
    >
    > 1. RDP sets the do-not-fragment bit in its TCP packet
    > so do a path MTU discovery manuall using ping.
    > Start with a ping packet lenght of 1500 and reduce until you have
    > successful ping.


    This is true, I checked with ethereal. Beyond belief. !!!

    >
    > Adjust you NIC to use the discovered maximum path MTU size
    >
    > ping -l 1500 -f <IP address>
    >
    >
    > 2. On Windows increase the TCP retransmissions retries count via
    > REGEDIT:
    >
    > Add a value to the TcpMaxDataRetransmissions subkey under the
    > following registry key:
    >
    >
    > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions
    > = 10
    >
    > If the value does not exist, highlight PARAMETERS, go to Edit and
    > select add value. Choose REG_ DWORD format


    OK.

    If you find that you are getting MTU issue than I would drop the MTU on
    one end
    (at least) to an appropriate value. Fixing one is sufficient.
    e.g. 1300.

    Alternatively if you have a cisco router in the path you could apply
    the "ip tcp mss-adjust 1300" [from memory] (or whatever value
    you need) command to an interface on the path, Note that
    the length in ping commands is often the ICMP data length
    and not the MTU or the TCP mss.

    Don't worry if you are 50 or 100 bytes below the true min, the extra
    overhead is negligable.
    Get it working and go and relax.


    I think that the absolute most important thing after MTU is to make
    sure that you are
    doing selective ack. This is the default in XP.
    http://support.microsoft.com/kb/q224829/

    Tune up the RDP parameters. Choose a smaller screen size if necessary.
    Use as few coulours as you can.
    Turn off Desktop background, Show contents while dragging, Menu
    animation, Themes.
    Turn on bitmap caching.

    Also if you are having to wait on the initial splash screeen look
    into:-

    Remote Desktop RDP mstsc splash screen slow links

    http://www.winguides.com/registry/display.php/103/
    Change the Logon Screen Wallpaper (All Windows) Popular
    When you setup a background wallpaper for your desktop,
    the initial logon screen wallpaper is not changed and
    stays as the default Windows appearance. This tweak allows
    you to change the default wallpaper 'c:\windows\mylogo.bmp'

    Registry Settings
    System Key: [HKEY_USERS\.DEFAULT\Control Panel\Desktop]
    Value Name: Wallpaper, TitleWallpaper
    Data Type: REG_SZ (String Value)

    Wallpaper "A filename" Without quotes
    Pattern "(None)" Without quotes
    TileWallpaper 0 = don't
    Old PC Wallpaper was - C:\Windows\cpq800h.bmp

    NO REBOOT NEEDED has immediate effect.

    I do feel that Merv has on this occasion been more negative that I am
    about RDP. We have people using it from Hong Kong to London over a VPN.

    I think that, aside from the MTU thing, the VPN makes no difference.

    One thing to do is to make sure that RDP is OK on the target machine.
    Get someone local to try it out.

    There is a nice cisco doc on MTU. I will have a look for it tomorrow.
    I think if you search for MTU GRE IPSEC you should get it.

    Finally my bet is on Merv being right about the MTU.
    , Sep 1, 2006
    #3
  4. Hansang Bae Guest

    Merv wrote:
    > RDP is a VERY chatty prtocol so do not be surprised if it will not
    > work well/at all over a VPN especailly with many hops.


    It has to be chatty since it's moving mouse/key movements around. I
    don't know that you can change that since it's the nature of the
    application.

    >
    >
    > Couple of things you might try:
    >
    > 1. RDP sets the do-not-fragment bit in its TCP packet
    > so do a path MTU discovery manuall using ping.
    > Start with a ping packet lenght of 1500 and reduce until you have
    > successful ping.

    [snip]

    You mean it does *not* set the DF bit? If you set the DF bit, that's
    how you do PMTU-D so I think I'm missing something here.


    >
    > Adjust you NIC to use the discovered maximum path MTU size
    > ping -l 1500 -f <IP address>


    1472 should be the first starting point. 20 bytes for IP header, 8
    bytes for ICMP. So you have 1472 left over.


    --

    hsb


    "Somehow I imagined this experience would be more rewarding" Calvin
    **************************ROT13 MY ADDRESS*************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
    Hansang Bae, Sep 1, 2006
    #4
  5. Merv Guest


    > > 1. RDP sets the do-not-fragment bit in its TCP packet


    RDP does not allow it's packets to be fragmented, so you most ensure
    MTU sent does not exceed path MTU.
    Merv, Sep 1, 2006
    #5
  6. RobMarsh Guest

    My thanks to everyone who is providing me with help, I tried all of the
    above mentioned, but nothing works. I have also tried browsing to the
    servers share: \\server-over-vpn\share
    but that times out and I can't access that either. Could the two
    problems be related?


    Merv wrote:
    > > > 1. RDP sets the do-not-fragment bit in its TCP packet

    >
    > RDP does not allow it's packets to be fragmented, so you most ensure
    > MTU sent does not exceed path MTU.
    RobMarsh, Sep 1, 2006
    #6
  7. Merv Guest

    What happens for ping with large packet size ( ie. max MTU and lartge
    number of packets ( 1000 or more.

    What is the latency tiem like ?
    Merv, Sep 1, 2006
    #7
  8. RobMarsh Guest

    ping -l 1500 172.16.64.5

    Pinging 172.16.64.5 with 1500 bytes of data:

    Reply from 172.16.64.5: bytes=1500 time=295ms TTL=127
    Reply from 172.16.64.5: bytes=1500 time=294ms TTL=127
    Reply from 172.16.64.5: bytes=1500 time=290ms TTL=127

    if I try this:

    ping -f -l 1500 172.16.64.5

    I can't get a good ping. so I tried reducing the mtu but when I did
    that web browsing became so slow that it was a problem.


    Merv wrote:
    > What happens for ping with large packet size ( ie. max MTU and lartge
    > number of packets ( 1000 or more.
    >
    > What is the latency tiem like ?
    RobMarsh, Sep 5, 2006
    #8
  9. Merv Guest

    Reply from 172.16.64.5: bytes=1500 time=295ms TTL=127

    ouch !!!

    > ping -f -l 1500 172.16.64.5


    with the -f flag set what is the largest MTU size for which you get a
    ping response ?

    does ping -f -l 1472 172.16.64.5 give you a ping response ?
    Merv, Sep 6, 2006
    #9
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Curt
    Replies:
    7
    Views:
    651
    notaccie
    Jul 6, 2007
  2. Curt
    Replies:
    0
    Views:
    431
  3. pasatealinux
    Replies:
    1
    Views:
    2,004
    pasatealinux
    Dec 17, 2007
  4. KDawg44

    RDP over VPN

    KDawg44, Feb 7, 2008, in forum: Cisco
    Replies:
    2
    Views:
    534
    mcaissie
    Feb 7, 2008
  5. Kate

    RDP through VPN printing problems

    Kate, Feb 22, 2008, in forum: Windows 64bit
    Replies:
    1
    Views:
    460
    Charlie Russel - MVP
    Feb 23, 2008
Loading...

Share This Page