09-18-2015 07:04 AM - edited 03-11-2019 11:37 PM
Hi friends. I use an ASA 5520 as a firewall. Remote clients connect to local terminal servers with RDP, but RDP disconnects for an unknown reason. I can insert my ASA configuration. I cannot find the reason. If possible, help me.
09-18-2015 07:16 AM
Hi,
To find whether the issue is with the ASA or with the RDP client, we can do the following tests:
>> Check any syslogs on the ASA for the RDP session.
>> If the issue can be reproduced, then you can run Wireshark on the end client and check whether any reset or FIN is seen from the RDP side or the RDP client side.
>> You can also capture traffic on the ASA, but the capture buffer may fill up if there is too much traffic before the actual issue is seen.
You can share the details of the RDP client and server, and also the ASA config.
Thanks,
R.Seth
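Working through the first suggestion above, the following is an added example (not part of R.Seth's reply or anything else in the thread): it parses ASA %ASA-6-302014 "Teardown TCP connection" syslogs for tcp/3389 and groups them by the teardown reason the ASA records, which separates sessions the firewall aged out from sessions an endpoint closed with a FIN or RST. The log lines, addresses and connection ids in it are constructed; the message format and the reason strings are the ASA's own.

```python
"""Summarise ASA TCP teardown syslogs for RDP sessions.

The ASA logs every closed TCP connection as %ASA-6-302014 ("Teardown TCP
connection ...") and the last field of that message is the teardown
reason.  Grouping the reasons for tcp/3389 shows whether the firewall
itself closed the session (a timeout) or an endpoint sent a FIN/RST.
"""
import re
from collections import Counter

# Constructed sample log lines in the ASA 302013/302014 format; the addresses,
# connection ids and counters are made up for this example.
SAMPLE_LOG = """\
Sep 21 2015 12:59:50 CiscoASA01 : %ASA-6-302013: Built inbound TCP connection 4711 for OUTSIDE:203.0.113.10/51234 (203.0.113.10/51234) to INSIDE:172.16.1.50/3389 (198.51.100.20/3389)
Sep 21 2015 13:45:02 CiscoASA01 : %ASA-6-302014: Teardown TCP connection 4711 for OUTSIDE:203.0.113.10/51234 to INSIDE:172.16.1.50/3389 duration 0:45:12 bytes 8812031 TCP Reset-O
Sep 21 2015 13:50:11 CiscoASA01 : %ASA-6-302014: Teardown TCP connection 4720 for OUTSIDE:203.0.113.11/49152 to INSIDE:172.16.1.50/3389 duration 1:00:00 bytes 4120 Conn-timeout
Sep 21 2015 13:52:00 CiscoASA01 : %ASA-6-302014: Teardown TCP connection 4730 for OUTSIDE:203.0.113.12/49153 to INSIDE:172.16.1.51/3389 duration 0:10:00 bytes 91233 TCP FINs
Sep 21 2015 13:53:00 CiscoASA01 : %ASA-6-302014: Teardown TCP connection 4731 for OUTSIDE:203.0.113.12/49160 to INSIDE:172.16.1.51/3389 duration 0:00:42 bytes 51 TCP Reset-I
Sep 21 2015 13:54:00 CiscoASA01 : %ASA-6-302014: Teardown TCP connection 4740 for OUTSIDE:203.0.113.13/40000 to DMZ:172.16.40.5/443 duration 0:00:05 bytes 2211 TCP FINs
"""

TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

# Teardown reasons generated by the ASA itself (the firewall ended the flow),
# as opposed to a FIN or RST received from one of the endpoints.  This is a
# subset of the reasons the ASA can print.
FIREWALL_REASONS = {"Conn-timeout", "SYN Timeout", "Xlate Clear"}


def duration_to_seconds(duration):
    """Convert the ASA's h:mm:ss duration field to seconds."""
    hours, minutes, seconds = (int(part) for part in duration.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_teardowns(log_text, port=3389):
    """Return one dict per 302014 teardown whose destination port is `port`."""
    events = []
    for line in log_text.splitlines():
        match = TEARDOWN_RE.search(line)
        if not match or int(match.group("dport")) != port:
            continue
        event = match.groupdict()
        event["bytes"] = int(event["bytes"])
        event["duration_s"] = duration_to_seconds(event["duration"])
        events.append(event)
    return events


def reason_summary(events):
    """Count teardowns per reason string, e.g. {'TCP FINs': 3, ...}."""
    return Counter(event["reason"] for event in events)


def classify(events):
    """Bucket teardowns by who ended the session.

    'firewall'      - the ASA closed it (idle/SYN timeout, xlate cleared)
    'inside_reset'  - RST arrived from the inside (server) side
    'outside_reset' - RST arrived from the outside (client) side
    'clean_close'   - normal FIN exchange
    """
    buckets = Counter(firewall=0, inside_reset=0, outside_reset=0, clean_close=0, other=0)
    for event in events:
        reason = event["reason"]
        if reason in FIREWALL_REASONS:
            buckets["firewall"] += 1
        elif reason == "TCP Reset-I":
            buckets["inside_reset"] += 1
        elif reason == "TCP Reset-O":
            buckets["outside_reset"] += 1
        elif reason == "TCP FINs":
            buckets["clean_close"] += 1
        else:
            buckets["other"] += 1
    return dict(buckets)


def hit_idle_timeout(events, timeout_s=3600):
    """Teardowns with reason Conn-timeout whose duration reached the configured
    `timeout conn` value (1:00:00 in the posted config): sessions the ASA aged
    out rather than sessions the endpoints closed."""
    return [e for e in events
            if e["reason"] == "Conn-timeout" and e["duration_s"] >= timeout_s]


if __name__ == "__main__":
    rdp_events = parse_teardowns(SAMPLE_LOG)
    print("teardown reasons:", dict(reason_summary(rdp_events)))
    print("who closed it:", classify(rdp_events))
    for e in hit_idle_timeout(rdp_events):
        print(f"idle-timeout teardown: conn {e['conn']} {e['src']} -> {e['dst']} after {e['duration']}")
```

Feed it the file your syslog server writes (the posted config sends traps at level notifications, so make sure level 6 messages such as 302014 actually reach the collector before relying on this). A run of `Conn-timeout` teardowns at exactly the `timeout conn` value points at the firewall's idle timer; a run of `TCP Reset-I` or `TCP Reset-O` points at one of the endpoints, which is where the Wireshark capture suggested above would go next.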
09-18-2015 09:39 AM
It does not matter which RDP client. Sometimes 1 or 2 sessions disconnect, sometimes all sessions disconnect. The configuration on the ASA is only port forwarding for RDP: a simple access list (in on the OUTSIDE interface) and NAT for port forwarding. I will try to check the syslog with Kiwi Syslog Server. I have configured informational-level syslog. Do you have another way to resolve this problem?
09-18-2015 09:58 AM
Hi,
First you will need to narrow down the issue and find its cause. The steps suggested earlier will help in figuring out the cause of the issue.
Share your findings so that we can help you.
Thanks,
R.Seth
09-21-2015 01:31 AM
I sent the configuration. If possible, please check it.
I have deleted some object groups, access-lists and NAT.
09-21-2015 01:35 AM
: Saved
: Written by enable_15 at 12:59:50.234 UTC Mon Sep 21 2015
!
ASA Version 9.0(2)
!
hostname CiscoASA01
enable password o4SoEDT3AgY1sw/v encrypted
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool esypay 192.x.x.x-192.x.x.x mask 255.255.255.0
ip local pool Vpn_pool 172.x.x.x-172.x.x.255 mask 255.255.255.0
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.30
vlan 30
nameif INSIDE
security-level 100
ip address 172.x.x.x 255.255.255.0 standby 172.x.x.x
!
interface GigabitEthernet0/0.40
vlan 40
nameif DMZ
security-level 50
ip address 172.x.x.x 255.255.255.0 standby 172.x.x.x
!
interface GigabitEthernet0/0.50
vlan 50
nameif DMZ2
security-level 70
ip address 192.x.x.x 255.255.255.0 standby 192.x.x.x
!
interface GigabitEthernet0/0.80
vlan 80
nameif OUTSIDE
security-level 0
ip address 94.x.x.x 255.255.255.240 standby 94.x.x.x
!
interface GigabitEthernet0/1
description LAN Failover Interface
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.x.x.x 255.255.255.0
!
boot system disk0:/asa902-k8.bin
ftp mode passive
dns domain-lookup INSIDE
dns server-group DefaultDNS
name-server 8.8.8.8
object network Obj_new_citrix_01
host 192.x.x.x
object network Obj_Citrix_New_02
host 192.x.x.x
network-object object NesimiQBM
network-object object Akkord
object-group service CIS tcp
port-object range 8000 8001
object-group service DM_INLINE_TCP_9 tcp
port-object eq 1433
port-object eq sqlnet
group-object CIS
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group network OmicronGloobalIPs
network-object object Omicron1
network-object object Omicron3
network-object object Omicron
network-object object Omicron22
network-object object Omicron4
network-object object Omicron5
network-object object Omicron7
object-group service DM_INLINE_TCP_1 tcp
group-object CIS
port-object eq www
object-group network DM_INLINE_NETWORK_20
network-object object GIS_DB
network-object object GISApp
object-group network AdminGRoup
network-object object Emil.M
network-object object Firuz.S
network-object object obj_Mehman
network-object object Hikmet
object-group network CisAccess
network-object object NNGROUPMMC
object-group service VPNClientAccess
service-object tcp destination eq 10000
service-object tcp destination eq pptp
service-object udp destination eq 10000
service-object udp destination eq 1701
service-object udp destination eq 4500
service-object udp destination eq 50
service-object udp destination eq isakmp
access-list DENY-PERMIT extended permit ip object WebServisMon any
access-list DENY-PERMIT extended permit tcp object nar1-nat any eq 37777
access-list DENY-PERMIT extended permit ip object-group Rehberlik any
access-list DENY-PERMIT extended permit ip object-group AdminGRoup any
access-list DENY-PERMIT extended permit ip object-group Helpdesk any
access-list DENY-PERMIT extended permit ip object-group DM_INLINE_NETWORK_19
pager lines 24
logging enable
logging timestamp
logging list My_LIST level notifications class ha
logging list My_LIST level notifications class vpn
logging trap notifications
logging asdm informational
logging device-id ipaddress INSIDE
logging host INSIDE 172.x.x.x 17/1514
logging host INSIDE 172.x.x.x
flow-export destination INSIDE 172.x.x.x 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu INSIDE 1500
mtu DMZ 1500
mtu OUTSIDE 1500
mtu management 1500
mtu DMZ2 1500
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/1
failover replication http
failover interface ip FAILOVER 10.x.x.x 255.255.255.252 standby 10.x.x.x
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp INSIDE 172.x.x.x c0cb.382d.f692
arp timeout 14400
no arp permit-nonconnected
object network CITRIX_1
nat (INSIDE,OUTSIDE) static 94.x.x.x service tcp www 85
object network CITRIX_2
nat (INSIDE,OUTSIDE) static 94.x.x.x service tcp www 86
object network CITRIX_2-01
access-group any-to-any in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 94.x.x.x 1
route INSIDE 10.10.x.x 255.255.255.0 172.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http 172.x.x.x 255.255.255.255 INSIDE
snmp-server host INSIDE 172.x.x.x community Azersu
no snmp-server location
no snmp-server contact
snmp-server community ******
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp INSIDE
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set PayPoint esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map OUTSIDE_map 1 match address OUTSIDE_1_cryptomap_1
crypto map OUTSIDE_map 1 set peer 46.32.171.70
crypto map OUTSIDE_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map OUTSIDE_map 1 set security-association lifetime seconds 3600
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 3600
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable INSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption 3des
hash md5
group 5
lifetime 28800
crypto ikev1 policy 3
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 4
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 6
authentication pre-share
encryption aes
hash sha
group 2
lifetime 3600
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
ssh 172.x.x.x 255.255.255.255 INSIDE
ssh 172.x.x.x 255.255.255.255 INSIDE
ssh timeout 20
ssh version 2
console timeout 0
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.x.x.x
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
vpn-tunnel-protocol ikev1
username AzerB password .24Nw13kRDbmnxY7 encrypted
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key **********
class-map global-class
match any
class-map tcp
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect dns preset_dns_map
policy-map global-policy
description Global
class global-class
flow-export event-type all destination 172.x.x.x
inspect icmp
!
service-policy global-policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 5 mode exec command dir
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege cmd level 5 mode exec command export
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command service-policy
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8b8f1dd79d0c8968316e72ba8f7e421e
: end
And the show interface output:
Interface GigabitEthernet0/0 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Available but not configured via nameif
MAC address 70ca.9b85.06ce, MTU not set
IP address unassigned
52798290526 packets input, 29314107279901 bytes, 0 no buffer
Received 185699424 broadcasts, 0 runts, 0 giants
307558 input errors, 0 CRC, 0 frame, 307558 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
4374663 L2 decode drops
56311248717 packets output, 30866198854035 bytes, 50494 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 6 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (255/0)
Interface GigabitEthernet0/0.30 "INSIDE", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
VLAN identifier 30
MAC address 70ca.9b85.06ce, MTU 1500
IP address 172.16.1.20, subnet mask 255.255.255.0
Traffic Statistics for "INSIDE":
28012285438 packets input, 9861392564348 bytes
35652123966 packets output, 19963526232331 bytes
5580668574 packets dropped
Interface GigabitEthernet0/0.40 "DMZ", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
VLAN identifier 40
MAC address 70ca.9b85.06ce, MTU 1500
IP address 172.16.40.20, subnet mask 255.255.255.0
Traffic Statistics for "DMZ":
385730558 packets input, 425746227546 bytes
197567082 packets output, 105807194985 bytes
19321356 packets dropped
Interface GigabitEthernet0/0.50 "DMZ2", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
VLAN identifier 50
MAC address 70ca.9b85.06ce, MTU 1500
IP address 192.168.50.20, subnet mask 255.255.255.0
Traffic Statistics for "DMZ2":
664852828 packets input, 724465762512 bytes
320114591 packets output, 46158408531 bytes
15031878 packets dropped
Interface GigabitEthernet0/0.80 "OUTSIDE", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
VLAN identifier 80
MAC address 70ca.9b85.06ce, MTU 1500
IP address 94.20.157.22, subnet mask 255.255.255.240
Traffic Statistics for "OUTSIDE":
23553489485 packets input, 16878147408865 bytes
20003658492 packets output, 9455592589431 bytes
179956037 packets dropped
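As an added check on the posted show interface output (example code, not from the thread), the script below pulls the error and drop counters out of each interface section and lists only the non-zero ones, so they are not lost among the packet and byte totals. The counter names and values are those shown above, reproduced for GigabitEthernet0/0 and its INSIDE subinterface.

```python
"""Flag non-zero error and drop counters in ASA 'show interface' output.

Walks each 'Interface <name> "<nameif>"' section, collects every
'<number> <counter name>' pair, and reports the counters that indicate a
problem on the wire or in the ASA's receive/transmit path (input errors,
overruns, L2 decode drops, underruns, resets, ...).
"""
import re

# Excerpt of the 'show interface' output posted in the thread (GigabitEthernet0/0
# and its INSIDE subinterface); whitespace re-indented for readability.
SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
  Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
  Input flow control is unsupported, output flow control is off
  Available but not configured via nameif
  MAC address 70ca.9b85.06ce, MTU not set
  IP address unassigned
  52798290526 packets input, 29314107279901 bytes, 0 no buffer
  Received 185699424 broadcasts, 0 runts, 0 giants
  307558 input errors, 0 CRC, 0 frame, 307558 overrun, 0 ignored, 0 abort
  0 pause input, 0 resume input
  4374663 L2 decode drops
  56311248717 packets output, 30866198854035 bytes, 50494 underruns
  0 pause output, 0 resume output
  0 output errors, 0 collisions, 6 interface resets
  0 late collisions, 0 deferred
  0 input reset drops, 0 output reset drops, 0 tx hangs
  input queue (blocks free curr/low): hardware (255/230)
  output queue (blocks free curr/low): hardware (255/0)
Interface GigabitEthernet0/0.30 "INSIDE", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
  VLAN identifier 30
  MAC address 70ca.9b85.06ce, MTU 1500
  IP address 172.16.1.20, subnet mask 255.255.255.0
  Traffic Statistics for "INSIDE":
    28012285438 packets input, 9861392564348 bytes
    35652123966 packets output, 19963526232331 bytes
    5580668574 packets dropped
"""

HEADER_RE = re.compile(r'^Interface (\S+) "([^"]*)"')
# '<number> <counter name>' pairs, each terminated by a comma or end of line.
COUNTER_RE = re.compile(r"(\d+) ([A-Za-z][A-Za-z0-9 ]*?)(?=,|\s*$)")

# Counters that should normally stay at zero on a healthy interface.  Note that
# 'packets dropped' on a named (sub)interface also includes policy drops such
# as ACL denies, so it is reported but is not by itself a fault indicator.
ERROR_COUNTERS = {
    "no buffer", "runts", "giants", "input errors", "CRC", "frame", "overrun",
    "ignored", "abort", "L2 decode drops", "underruns", "output errors",
    "collisions", "interface resets", "late collisions", "deferred",
    "input reset drops", "output reset drops", "tx hangs", "packets dropped",
}


def parse_show_interface(text):
    """Return {interface: {'nameif': str, 'counters': {name: value}}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = {"nameif": header.group(2), "counters": {}}
            continue
        if current is None:
            continue
        for value, name in COUNTER_RE.findall(line):
            sections[current]["counters"][name] = int(value)
    return sections


def nonzero_errors(sections):
    """Keep only the error/drop counters that are non-zero, per interface."""
    result = {}
    for ifname, info in sections.items():
        hits = {name: value for name, value in info["counters"].items()
                if name in ERROR_COUNTERS and value}
        if hits:
            result[ifname] = hits
    return result


def drop_ratio(sections, ifname):
    """Fraction of input packets counted as dropped on a (sub)interface."""
    counters = sections[ifname]["counters"]
    received = counters.get("packets input", 0)
    return counters.get("packets dropped", 0) / received if received else 0.0


if __name__ == "__main__":
    parsed = parse_show_interface(SHOW_INTERFACE)
    for ifname, hits in nonzero_errors(parsed).items():
        label = parsed[ifname]["nameif"] or "(no nameif)"
        print(f"{ifname} {label}: {hits}")
    print(f"INSIDE drop ratio: {drop_ratio(parsed, 'GigabitEthernet0/0.30'):.3f}")
```

On the physical GigabitEthernet0/0 the script reports input errors and overruns (307558 each), L2 decode drops and underruns, plus 6 interface resets; on the INSIDE subinterface it reports the 5580668574 dropped packets against the packets-input total. Taking the same output again a few minutes apart shows whether any of these counters are still climbing while the RDP sessions drop, which is the comparison worth making before looking further at the firewall policy.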
11-20-2015 08:16 PM
HHeydarov,
Did you ever find a fix? I seem to be having the same problem.