RDP thru Cisco VPN client and thru 501 Failure

From home, we use plain old home Netgear routers to connect up to the net. We use our laptops and the Cisco VPN client to connect up to a Cisco VPN Appliance in a data center and MS's RDP to connect up to our servers. This setup works perfectly. We use a PIX 501 from our office to connect to the net. The VPN Client connects up to the appliance just fine. However, RDP will not connect up to our servers. We are using a 172.16.1.x subnet within the data center. In the office, we just use a 192.168.4.x subnet. Anyone have any other ideas that might explain this failure?

Thanks in advance. (Our 'expert' who set up all this is unable to explain it.)

Reply to
curttampa

What is the DHCP pool you use for your clients? Do your clients receive an IP from a different pool depending on where they connect from or who the user is? Do you have any ACLs defining RDP traffic? Can you browse the servers' file systems? Do you have the firewall enabled on the server?

Reply to
Artie Lange

RDP packets cannot be fragmented. RDP sets the do-not-fragment bit in its TCP packet so do a path MTU discovery manually using ping.

Start with a ping packet length of 1500 and reduce until you have successful ping.

ping -l 1500 -f

Can the VPN clients ping the servers in question, i.e. confirm there are no other connectivity issues.

If they can ping successfully then determine the largest MTU that the client can use with no-fragment set.

Adjust your NIC to use the discovered maximum path MTU size.

Then set that MTU size on the VPN client and see if RDP connectivity is possible.

Reply to
Merv
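Merv's manual path-MTU walk above, automated as a binary search over DF-set ping sizes; this is an added example, not code from the thread. The names `classify_ping_output` and `find_path_mtu`, and the simulated probe used in testing, are constructed here; `windows_ping_probe` wraps the real Windows `ping -f -l` command and only runs when a host is given on the command line.

```python
"""Manual path-MTU discovery from the thread, as a binary search over DF-set pings."""
import subprocess
import sys
from typing import Callable

ICMP_IP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header: MTU = ping payload + 28

def classify_ping_output(text: str) -> str:
    """Map raw Windows ping output to 'ok', 'needs_fragment', 'timeout' or 'unknown'."""
    t = text.lower()
    if "needs to be fragmented" in t:                   # path MTU is smaller than this probe
        return "needs_fragment"
    if "request timed out" in t or "unreachable" in t:  # no reply at all
        return "timeout"
    if "bytes=" in t and "ttl=" in t:                   # a normal echo reply
        return "ok"
    return "unknown"

def windows_ping_probe(host: str, size: int) -> str:
    """One DF-set probe of `size` payload bytes: ping -f -l <size> -n 1 <host>."""
    out = subprocess.run(["ping", "-f", "-l", str(size), "-n", "1", host],
                         capture_output=True, text=True).stdout
    return classify_ping_output(out)

def find_path_mtu(probe: Callable[[int], str], lo: int = 32, hi: int = 1472) -> dict:
    """Largest DF payload that gets a reply, plus the MTU it implies.

    `probe(size)` returns a classify_ping_output() verdict. A small probe that
    gets no reply means a reachability problem (the office symptom in the
    thread: timeouts at every size), which is reported instead of an MTU.
    """
    if probe(lo) != "ok":
        return {"payload": None, "mtu": None, "verdict": "no_connectivity"}
    if probe(hi) == "ok":  # 1472 + 28 = a full 1500-byte Ethernet MTU
        return {"payload": hi, "mtu": hi + ICMP_IP_OVERHEAD, "verdict": "full_mtu"}
    while hi - lo > 1:     # invariant: probe(lo) ok, probe(hi) not ok
        mid = (lo + hi) // 2
        if probe(mid) == "ok":
            lo = mid
        else:
            hi = mid
    return {"payload": lo, "mtu": lo + ICMP_IP_OVERHEAD, "verdict": "pmtu_limited"}

if __name__ == "__main__":
    # Usage on a Windows PC: python pmtu.py 172.16.1.240 (a server address from the route print)
    host = sys.argv[1]
    print(find_path_mtu(lambda size: windows_ping_probe(host, size)))
```

The reported `mtu` (payload plus 28) is the value to hand to SetMTU.exe, since `ping -l` sizes only the ICMP data.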

Isn't there an easier way? This seems really complicated. Maybe we should just dump this fancy firewall that prevents us from working.

Reply to
curttampa

Well, if it works from one location, it most likely is not an issue with the firewall. The connection at your office, as Merv pointed out, may use an MTU that is different from the other location you are connecting from. If your idea is to dump the firewall for another solution, that is completely up to you, *BUT* for an hour of diagnosis time you could probably have an engineer look at and fix the issue.

Reply to
Artie Lange

The Cisco VPN client comes with a program SetMTU.exe that can be used to set the MTU size on the NIC on the PCs in question.

If you want to skip the manual path MTU exercise then just set the MTU to, say, 1300 temporarily on one PC to see if RDP connectivity is then possible.

Reply to
Merv

When I do it from home, a packet size of 1273 is the largest that pings OK. Remember, my RDP works all the time. When the person in the office tries to ping at a 1500 size, he gets "packet needs to be fragmented"; at any size < 1273, he gets "request timed out". Sounds like he is not getting thru the Cisco Client at all. Next idea please?

Reply to
CurtTampa

One more thing: here is the ROUTE PRINT output from both machines. I don't know if this will point out anything or not; if not, sorry to waste your time.

===========================================================================
Home Route PRINT (Cisco Client Connected and RDP Working)
===========================================================================
C:\Documents and Settings\Curt>route PRINT

Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 c0 a8 86 b0 45 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Deterministic Network Enhancer Miniport
0x20004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.69.1   192.168.69.22      20
     66.71.50.254  255.255.255.255     192.168.69.1   192.168.69.22       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       172.16.1.0    255.255.255.0     172.16.1.182    172.16.1.182      10
     172.16.1.182  255.255.255.255        127.0.0.1       127.0.0.1      10
     172.16.1.240  255.255.255.255     172.16.1.182    172.16.1.182       1
     172.16.1.247  255.255.255.255     172.16.1.182    172.16.1.182       1
     172.16.1.249  255.255.255.255     172.16.1.182    172.16.1.182       1
   172.16.255.255  255.255.255.255     172.16.1.182    172.16.1.182      10
     192.168.69.0    255.255.255.0    192.168.69.22   192.168.69.22      20
    192.168.69.22  255.255.255.255        127.0.0.1       127.0.0.1      20
   192.168.69.255  255.255.255.255    192.168.69.22   192.168.69.22      20
        224.0.0.0        240.0.0.0     172.16.1.182    172.16.1.182      10
        224.0.0.0        240.0.0.0    192.168.69.22   192.168.69.22      20
  255.255.255.255  255.255.255.255     172.16.1.182    172.16.1.182       1
  255.255.255.255  255.255.255.255    192.168.69.22   192.168.69.22       1
Default Gateway:      192.168.69.1
===========================================================================
Persistent Routes:
None

C:\Documents and Settings\Curt>

===========================================================================
This is in the office where it FAILS
===========================================================================
C:\Documents and Settings\Chuck>route PRINT

Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 06 5b ac 67 43 ...... 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - Packet Scheduler Miniport
0x3 ...00 0e 2e 52 91 62 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
0x10005 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.4.1    192.168.4.36      20
     66.71.50.254  255.255.255.255      192.168.4.1    192.168.4.36       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       172.16.1.0    255.255.255.0     172.16.1.181    172.16.1.181      20
     172.16.1.181  255.255.255.255        127.0.0.1       127.0.0.1      20
     172.16.1.240  255.255.255.255     172.16.1.181    172.16.1.181       1
     172.16.1.247  255.255.255.255     172.16.1.181    172.16.1.181       1
     172.16.1.249  255.255.255.255     172.16.1.181    172.16.1.181       1
   172.16.255.255  255.255.255.255     172.16.1.181    172.16.1.181      20
      192.168.4.0    255.255.255.0     192.168.4.36    192.168.4.36      20
     192.168.4.36  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.4.255  255.255.255.255     192.168.4.36    192.168.4.36      20
        224.0.0.0        240.0.0.0     172.16.1.181    172.16.1.181      20
        224.0.0.0        240.0.0.0     192.168.4.36    192.168.4.36      20
  255.255.255.255  255.255.255.255     172.16.1.181    172.16.1.181       1
  255.255.255.255  255.255.255.255     192.168.4.36               2       1
  255.255.255.255  255.255.255.255     192.168.4.36    192.168.4.36       1
Default Gateway:       192.168.4.1
===========================================================================
Persistent Routes:
None

C:\Documents and Settings\Chuck>

Reply to
CurtTampa

Can you please provide some clarifications.

Do you have a separate PC at home and at work, or is it a laptop that you take to and from the office?

You say your RDP works all the time; does this mean at home and at the office?

How many PCs in the office can use RDP and connect successfully?

You have indicated that at least one cannot connect using RDP in the office; is there more than one that cannot use RDP?

What is the device that interconnects the office 192.168.4.x subnet to the datacenter's 172.16.1.x subnet?

Reply to
Merv

Chuck has a Desktop in the office that fails. He has a Laptop that fails in the office network, but if he plugs it directly into the back of the cable modem it works perfectly. I on the other hand do not have an office pc, I work from home and Mine works perfectly always.

There are only two of us who attempt to use the VPN. Only 1 in the office ever. No PCs going thru the office PIX work ever.

I have no clue what the device that interconnects the office 192.168.4.x subnet to the datacenter's 172.16.1.x subnet is at all. I know our 'expert' has a 506E in his rack. He just calls it a 'Cisco VPN Appliance'. If that is critical I will attempt to contact him. That usually takes a month or so for him to get back to us on anything where we are not totally down.

(Know any good Cisco people in Tampa Florida?)

Reply to
CurtTampa

So the datacenter and the office are at two different sites?

Clearly if Chuck can connect his PC directly to the office DSL modem and is then able to successfully use RDP to the datacenter, then this would tend to indicate that whatever the device is between Chuck's PC and the DSL modem is the source of the problem. If it is a firewall, then normally outbound TCP connections are automatically permitted and the return TCP traffic is allowed thru the firewall. However the firewall may be only permitting certain TCP ports thru, and if that is the case then RDP could certainly be impacted.

Call the Cisco sales office in Tampa and ask for the names of a couple of good Cisco distributors in Tampa, and ring them up and see if they provide consulting services so you can get your issue resolved.

Reply to
Merv

That's the whole point of this posting and why I included the ROUTE PRINT. We have been told that there are no outgoing ports blocked in the office PIX. And since the Cisco VPN Client successfully connects to the data center thru the PIX, clearly that is not the issue. Traffic to the remote network is apparently not being routed thru the VPN client. I got there due to the fact that all pings to the remote network fail no matter what the packet size is. What is weird about this is, we replaced the PIX with a home Netgear for one day and it works just fine with no changes to any of the PCs in the office. So it must be the PIX somehow, even though it appears to be a routing issue.

Reply to
CurtTampa

A wild stab would be that NAT traversal is not configured on the PIX and is required for client VPN pass-thru.

The Netgear will do that automatically.

Reply to
Merv

OBTW, if Chuck's PC is always at the office, then the office PIX could be configured to establish a site-to-site VPN (IPsec tunnel) to the datacenter PIX, and then he would not need the Cisco VPN client to access the datacenter.

Reply to
Merv

Correct, but our 'Cisco' dude wants to charge us extra for an 'always on' connection.

Reply to
CurtTampa

Do you own the Cisco 501 and the Cisco 506E and the datacenter?

Do you own the server at the datacenter?

Reply to
Merv

We own our servers; we rent the 1/2 rack they sit in. I only speculated that our connection is thru his 506E; I am not sure of that. We are patch-cable linked to his rack because he still handles our backups. Due to the fact we are linked, he insists (with good reason) that we come thru his VPN connection so he can limit our connection to our machines. I understand his security concerns for the protection of his other customers. Once we can afford a rack mount NAS, we will be breaking that link. Once we do, I understand we can do a connection using the standard M$ connection (not requiring the Cisco client) to our 501. When that is complete we should no longer have an issue.

Reply to
CurtTampa

So it sounds like you have plans to deal with several of the technical and business issues and your "Cisco guy" long term.

Do you have access to the office PIX 501, and can you post the PIX 501 config (sanitized of course: no passwords and no external IP addresses)?

There are several very good PIX wizards on this newsgroup and hopefully they would respond if they see issues with your office PIX 501 config.

Reply to
Merv

1st: you are correct. Our Cisco/Network dude has got to go; all we need is enough money to get rid of him and a replacement we can trust. 2nd: I will try. I'm not sure that Chuck or I actually know the password to get into the office 501. I will have to do some reading on this, as I have heard the password is not required if you have the serial cable (which we do). So I will investigate getting that config. Thanks for all your assistance.

Reply to
CurtTampa

Did you abandon me?

Reply to
CurtTampa
