
Welcome to ISAserver.org


Site to Site (Isa to ISA) RDP hangs before login + other errors

Site to Site (Isa to ISA) RDP hangs before login + othe... - 25.Mar.2007 10:36:52 PM   
kjinde

 

Posts: 2
Joined: 11.Oct.2001
From: Guelph
Status: offline
I've seen multiple reports but no clear answers.  We have a site to site VPN using IPSEC going between 2 ISA 2004 Servers.

We actually have this setup working for 4 offices. However, our new office is not co-operating. All the same setup has been involved; however, the new office cannot RDP to any machines at any of the remote sites over VPN.

The Remote Desktop connects and we get a grey or black screen and it hangs before we get the login prompt. It's also very slow to authenticate or for Active Directory to do its work. The sites ping fine and other protocols seem to be working.

We tried adjusting MTU size on both the Cisco DSL router to match a lowered ISA server MTU on external NIC to no avail.

Interesting thing is, if a client computer behind the new troublesome ISA does a Windows PPTP VPN to a remote office, we can remote desktop no problem. It just doesn't want to work via the IPSEC.

Any ideas?

Post #: 1
RE: Site to Site (Isa to ISA) RDP hangs before login + ... - 29.Mar.2007 9:45:40 PM   
dhooper@emerge.net.au

 

Posts: 2
Joined: 11.Dec.2004
From: Kalgoorlie, Western Australia
Status: offline
I've had the same issue as well.

From the limited testing I was able to do, I narrowed it down to having a different MTU at each end, i.e., Box A is connected via Ethernet to the internet with a default MTU of 1500 bytes, and Box B is connected via DSL with an MTU of 1492 bytes. In this configuration IPsec site-to-site just wouldn't work for me. If I dropped the MTU on Box A that connects with 1500 bytes to 1400 bytes, it started to work.

Systems that connect with the same MTU at each end don't seem to show this problem.

(in reply to kjinde)
Post #: 2
RE: Site to Site (Isa to ISA) RDP hangs before login + ... - 4.Apr.2007 8:09:26 PM   
RedSunshine

 

Posts: 35
Joined: 14.Apr.2003
From: Dallas, TX
Status: offline
I have the exact same issue. It's been driving me nuts for months now. Personally, I think it is something where ICMP packets are discarded within the tunnel so PMTU Discovery is broken.

I have a site in a colo facility with a dedicated network drop. This MTU is 1500. In a remote office, I have a PPPoE connection so the MTU is 1492. However, when I ping servers from one side of the tunnel to the other, the maximum MTU between the servers is 1422. I was faced with the choice of touching every computer in the remote office and adjusting the MTU on each machine, or adjusting something on the ISA Server. Now I didn't want to touch the one in the colo facility because it's also hosting a lot of web sites and media servers. I need this MTU to be optimal. So I had to do something with the remote ISA server. I set the MTU on this server to 1422 in the NDISWAN interface. This is the PPPoE interface. There is a KB article on doing this for XP; it's the same for 2003. After that it started working. Still not happy with this since it's supposed to happen automatically.

In another site, I have a D-Link DI-804HV connected to a PPPoE line and I've created an IPSec VPN to the same ISA server at the colo. Even adjusting the MTU on the WAN interface on that device does nothing. It's gotta be something in the ISA or Windows side at the colo that is blocking ICMP within the tunnel because I have tried everything, including creating an "Allow All" rule for all protocols on the ISA side, and still nothing. I've verified and tested. All routers between the remote office and the colo are not black-hole routers. They all process ICMP messages correctly and adjust the MTU accordingly. But once you get inside the tunnel, things break.

(in reply to dhooper@emerge.net.au)
Post #: 3
RE: Site to Site (Isa to ISA) RDP hangs before login + ... - 5.Apr.2007 12:05:16 PM   
rkapila

 

Posts: 1
Joined: 9.Jul.2004
Status: offline
I'm also having a problem re: RDP through a VPN (L2TP/IPSec) connection.  2 users can make the VPN connection but cannot RDP in (gets the black screen w/RDP tab at top, but no prompt for authentication and the pithy error "This computer can't connect to the remote computer.  The connection was lost due to a network error. Try connecting ...").  I can RDP over VPN fine from home, so I took the machine of one of the "problem" users home and tried it, worked fine for me, used his credentials even.  We use the same ISP (cablemodem).  So maybe it's their cablemodem router MTU settings (the only piece of gear different between our 2 setups).

I thought also it might be that Path MTU discovery was broken, but I've little info on this subject, and I'm loath to make changes when (1) I don't understand what's gone wrong and (2) most users are not seeing this problem.

RedSunshine: have you looked into editing the system policy rule for ICMP traffic to the ISA?  When I "Show System Policy Rules" it is Rule 10 "Allow ICMP (PING) requests from selected computers to ISA server".  Just a guess.

< Message edited by rkapila -- 5.Apr.2007 12:09:24 PM >

(in reply to RedSunshine)
Post #: 4
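
Added example, not part of any post in this thread: a Don't Fragment ping sweep that finds the largest packet a tunnel path carries and reports whether oversized probes were rejected with a "fragmentation needed" error or simply vanished, which is the black-hole condition suspected above. The function names are hypothetical, the parser assumes English `ping` output, and `simulated_tunnel` is a constructed stand-in for a real path.

```python
import platform
import subprocess
import sys

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header

def ping_df(host, payload):
    """Send one echo request with Don't Fragment set and classify the result."""
    if platform.system() == "Windows":
        cmd = ["ping", "-f", "-n", "1", "-w", "2000", "-l", str(payload), host]
    else:  # Linux iputils ping
        cmd = ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host]
    done = subprocess.run(cmd, capture_output=True, text=True)
    out = (done.stdout + done.stderr).lower()
    if "ttl=" in out:
        return "reply"
    # Assumption: English output ("needs to be fragmented", "Frag needed", "too long").
    if "frag" in out or "too long" in out:
        return "frag_needed"
    return "silent"

def find_path_mtu(probe, low=548, high=1472):
    """Binary-search the largest answered DF payload; return (path_mtu, black_hole)."""
    # black_hole is True when an oversized probe vanished with no ICMP error,
    # the condition under which Path MTU Discovery fails and large TCP segments stall.
    if probe(low) != "reply":
        raise RuntimeError("no reply at the smallest size; not an MTU problem")
    black_hole = False
    while low < high:
        mid = (low + high + 1) // 2
        result = probe(mid)
        if result == "reply":
            low = mid
        else:
            high = mid - 1
            black_hole = black_hole or result == "silent"
    return low + IP_ICMP_HEADERS, black_hole

def simulated_tunnel(path_mtu, icmp_delivered):
    """Constructed stand-in for a real path so the search can be run offline."""
    def probe(payload):
        if payload + IP_ICMP_HEADERS <= path_mtu:
            return "reply"
        return "frag_needed" if icmp_delivered else "silent"
    return probe

if __name__ == "__main__":
    mtu, black_hole = find_path_mtu(lambda size: ping_df(sys.argv[1], size))
    print(f"path MTU {mtu}, TCP MSS {mtu - 40}, black hole suspected: {black_hole}")
```

Run it against a machine on the far side of the tunnel; a single lost packet also counts as "silent", so repeat the sweep before concluding that ICMP is being dropped.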
