
Terminal Services dropping connection over ipsec tunnel


Dustinn3 (MIS, US), Oct 31, 2001
Terminal Services is dropping its connection over an IPsec tunnel. We are currently using a WatchGuard V10 firewall at the remote site and a Netopia 9100 router at our main office. We are using an IPsec branch-to-branch VPN connection. The connection is being made over a T-1 to a cable connection. The tunnel never goes down, but our Terminal Services connections keep dropping if they are not in use for a couple of minutes. I have checked all the Terminal Services settings and they are set not to disconnect. I can log in to Terminal Services from my home using a PPTP VPN over cable and it never disconnects. When pinging the remote address it drops 1 packet about every 50 pings. Is this enough to drop the Terminal Services connection?
 
Hi,

The problem can be related to MTU, maximum transmission time. Some applications send data packets of a higher size, say 1452; when it reaches the PIX/router, the IPsec header is added to it, which increases its size by around 40 bytes and makes it 1492. On the Internet the packet has to traverse regions where the MTU size is low, let us say 1000 bytes or so. If that is the case, the packets get dropped over there, because after IPsec encapsulation the DF (Don't Fragment) bit is set, so it cannot fragment the packet and drops it instead. By pinging with the DF bit set and reducing the size, we can determine the size of the packets at which they would not be dropped. Setting this size on both ends makes sure that neither side sends data larger than that.

How you can go about doing this would be to ping from the command prompt:

    ping <ip address> -t -f -l 1400

You will get ping results to this. Now increase the packet to 1420 and see whether the packets are still getting ping results; do this until you stop getting ping responses. Once it stops responding, it means that is the maximum packet size the path can handle.

Try lowering the MTU size on the interface of the device; you can try using DR.TCP on your machines.

Hope this helps!!
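An added example (not code from the thread or either poster) that automates the DF-bit ping sweep described above: it binary-searches the largest payload that still gets a reply instead of stepping the size by hand, converts that to the path MTU, and subtracts the ~40-byte IPsec overhead the reply mentions to get the MTU to set on the tunnel side. It assumes Linux iputils ping (`-M do -s`) or Windows ping (`-f -l`), and that a "needs to be fragmented"/"message too long" error gives a non-zero exit code; the address 192.0.2.1 is a placeholder.

```python
import platform
import subprocess
from typing import Callable, Optional

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header; ping's size flag excludes them


def df_ping(host: str, payload: int, timeout_s: float = 1.0) -> bool:
    """One ICMP echo with DF set and `payload` data bytes; True only if a reply came back.
    Assumed platforms: Windows ping (-f -l) or Linux iputils ping (-M do -s)."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(int(timeout_s * 1000)), "-f", "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(max(1, int(timeout_s))), "-M", "do", "-s", str(payload), host]
    try:
        # an oversized DF probe is reported as an error (non-zero exit), i.e. no reply
        return subprocess.run(cmd, capture_output=True, timeout=timeout_s + 2).returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary search for the largest payload probe() accepts (1472 = 1500-byte Ethernet MTU).
    Returns -1 when even the smallest probe fails (host unreachable or DF pings filtered)."""
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid        # fits: look for something larger
        else:
            hi = mid - 1    # dropped: look for something smaller
    return lo


def path_mtu(probe: Callable[[int], bool]) -> Optional[int]:
    """Largest IP packet that crosses the path with DF set, or None if it cannot be measured."""
    payload = find_max_payload(probe)
    return None if payload < 0 else payload + IP_ICMP_HEADERS


def inner_mtu(outer_mtu: int, ipsec_overhead: int = 40) -> int:
    """MTU for the LAN/tunnel side so that, after IPsec adds ~40 bytes (figure from the reply
    above), the encapsulated packet still fits the measured outer path MTU."""
    return outer_mtu - ipsec_overhead


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder address
    mtu = path_mtu(lambda size: df_ping(target, size))
    print("path MTU:", mtu, "-> suggested inner MTU:", None if mtu is None else inner_mtu(mtu))
```

Run it with the far end of the tunnel as the argument from each site; if you probed the public path between the two gateways rather than through the tunnel, the inner_mtu() value is the one to apply.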



 
Deepaly,

Thanks for the quick response! I'll do some testing with this tomorrow, but I think you're probably right.

Dustin
 