rdp into a sitetosite vpn machine

csco10865546
Level 1

Hi everyone,

I have a site-to-site connection from my office that is established already.

I can ping and connect via other ports I opened for access, but I can't connect via RDP to the same machine I can ping.

11 Replies

Jennifer Halim
Cisco Employee

Could be an MSS issue. What is the device that terminates the VPN tunnel?

If it's a router, you can configure "ip tcp adjust-mss 1300" on the LAN interface.

If it's an ASA firewall, you can configure "sysopt connection tcpmss 1300"

Hope that helps.

csco10865546
Level 1

eb 21 10:52:22 10.120.0.2 :%ASA-session-2-106001: Inbound TCP connection denied from 10.120.3.31/59544 to 192.168.34.6/3389 flags SYN  on interface LAN_Local

I get the error above from my inside interface when I try to connect via RDP. I have opened up the access list and still can't get it to work.

I also captured the packets on the firewall to see if anyone can help me interpret it better and tell me what can be wrong.

Urgent reply will be appreciated.

Regards

Kolade

Can you please share the full access-list that is applied to the inside interface?

Hi Jennifer,

I tried the MSS command on the inside interface since it is an ASA firewall, but it still doesn't work.

Below is the access-list on the interface:

access-list LAN_Local_access_in extended permit ip any host 10.1.163.2
access-list LAN_Local_access_in extended permit ip any host 10.1.16.1
access-list LAN_Local_access_in extended deny ip any MEL-LAN 255.255.0.0
access-list LAN_Local_access_in extended permit ip any host 10.120.1.110
access-list LAN_Local_access_in extended permit ip host 10.120.1.110 any
access-list LAN_Local_access_in extended permit ip host 10.120.128.11 any
access-list LAN_Local_access_in extended permit ip any any
access-list LAN_Local_access_out extended permit ip host 10.1.16.1 any
access-list LAN_Local_access_out extended permit ip any any
access-list LAN_Local_access_out extended deny ip MEL-LAN 255.255.0.0 any
access-list LAN_Local_access_out extended deny ip any MEL-LAN 255.255.0.0

Not sure why it's denied from the interface.

Sorry, but I would need to have a look at the full configuration as it doesn't make sense.

BTW, if we are still seeing the Deny TCP SYN error log as you attempt to RDP, then the issue is not MSS, so you can ignore my first post.

Attached is the ASA config.

Does my packet capture make any sense, or is it of any use?

Thanks for your help

You removed the names section in your config, so it's hard to tell what is happening, but I suspect a problem with the vpn-filter config. Does it work if you remove the vpn-filter from your group-policy?

group-policy attributes
no vpn-filter value VPN-ELXSI-Partner

-heather

Hiya,

Do you mean the object groups?

Here they are:

object-group network STV-LANs
 network-object 10.120.0.0 255.255.0.0
 network-object 89.0.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_1
 network-object 10.120.0.0 255.255.0.0
 network-object 89.0.0.0 255.255.0.0
object-group service VNC-TCP tcp
 port-object eq 5500
 port-object eq 5800
 port-object eq 5900
object-group service Proxy tcp
 port-object eq 8080
object-group service ProxyInternet tcp
 port-object eq 8080
object-group service ActiveDirectory tcp-udp
 port-object eq 1025
 port-object eq 1026
 port-object eq 135
 port-object eq 137
 port-object eq 138
 port-object eq 139
 port-object eq 389
 port-object eq 445
 port-object eq 88
 port-object eq domain
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RDP tcp
 port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
 group-object ActiveDirectory
 group-object VNC-TCP
object-group service DM_INLINE_TCP_3 tcp
 group-object ActiveDirectory
 group-object VNC-TCP
object-group service DM_INLINE_TCP_4 tcp
 group-object ActiveDirectory
 group-object VNC-TCP
object-group network Clearcase_Servers
 network-object host STV-Clearcase
 network-object host UKCC03
 network-object host UKCC01
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_6 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_7 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_8 tcp
 port-object eq www
 port-object eq https
object-group icmp-type svc_ICMP_types_allowed
 description Security - ICMP types allowed in this network
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo-reply
 group-object svc_ICMP_types_allowed
object-group icmp-type DM_INLINE_ICMP_2
 icmp-object echo-reply
 group-object svc_ICMP_types_allowed
object-group network STV_FLANS
 description Stevenage Firewalled LANs

I have tried the "no vpn-filter value VPN-ELXSI-Partner" and used the default group policy that works for the other VPN, but still the same issue.

Thanks

You did this on the ARXX-EMEA-ELXSI policy right? You should disable the tunnel while you make the change to the filter and then bring it back up.

group-policy ARXX-EMEA-ELXSI attributes
no vpn-filter value VPN-ELXSI-Partner

The object groups you pasted have no information about the following names/objects that are used in your crypto map and your vpn filter:

ELXSI_LAN

UKCQ01

-heather

I can't disable the tunnel till later at night, as it is up and people are working on it.

I will try this later at night and let you know, thanks.

The ELXSI_LAN is the 192.168.34.0/24 where one of the hosts I am trying to RDP into resides.

The UKCQ01 is a server in my own LAN subnet 10.120.x.x/16.

I have tried applying the default group policy to it and it works well.

So I guess it is a problem with my access-list for VPN-ELXSI-Partner; I still cannot figure it out, though.

Can you help me take a look at this? These are the access-lists applied to the session:

The following ACL is being applied to this session:

access-list VPN-ELXSI-Partner; 13 elements; name hash: 0x6524c6f6
access-list VPN-ELXSI-Partner line 1 extended permit ip 10.120.171.0 255.255.255.0 ELXSI_LAN 255.255.255.0 (hitcnt=0) 0x057ce01e
access-list VPN-ELXSI-Partner line 2 extended permit ip ELXSI_LAN 255.255.255.0 10.120.171.0 255.255.255.0 (hitcnt=666) 0x8478b28d
access-list VPN-ELXSI-Partner line 3 extended permit tcp ELXSI_LAN 255.255.255.0 host UKCQ01 object-group DM_INLINE_TCP_8 0xd0c33280
  access-list VPN-ELXSI-Partner line 3 extended permit tcp ELXSI_LAN 255.255.255.0 host UKCQ01 eq www (hitcnt=0) 0x9da27d12
  access-list VPN-ELXSI-Partner line 3 extended permit tcp ELXSI_LAN 255.255.255.0 host UKCQ01 eq https (hitcnt=0) 0xffd80f08
access-list VPN-ELXSI-Partner line 4 extended permit tcp any any object-group RDP 0xcef694ab
  access-list VPN-ELXSI-Partner line 4 extended permit tcp any any eq 3389 (hitcnt=1) 0xb2040fa1
access-list VPN-ELXSI-Partner line 5 extended permit icmp any any object-group svc_ICMP_types_allowed 0x7f6fdf17
  access-list VPN-ELXSI-Partner line 5 extended permit icmp any any echo (hitcnt=2079) 0xd434ef06
  access-list VPN-ELXSI-Partner line 5 extended permit icmp any any echo-reply (hitcnt=1166) 0x7329f9ab
  access-list VPN-ELXSI-Partner line 5 extended permit icmp any any time-exceeded (hitcnt=0) 0x0af27727
  access-list VPN-ELXSI-Partner line 5 extended permit icmp any any unreachable (hitcnt=0) 0xec5ac766
access-list VPN-ELXSI-Partner line 6 extended permit tcp host 192.168.34.6 host STV-FTP object-group DM_INLINE_TCP_9 0xbc45dfb7
  access-list VPN-ELXSI-Partner line 6 extended permit tcp host 192.168.34.6 host STV-FTP eq ftp (hitcnt=0) 0x4edb5f88
  access-list VPN-ELXSI-Partner line 6 extended permit tcp host 192.168.34.6 host STV-FTP eq ftp-data (hitcnt=0) 0x5c99b6c1
access-list VPN-ELXSI-Partner line 7 extended permit tcp host STV-FTP host 192.168.34.6 object-group DM_INLINE_TCP_10 0xe54e2bf7
  access-list VPN-ELXSI-Partner line 7 extended permit tcp host STV-FTP host 192.168.34.6 eq ftp (hitcnt=0) 0xd5d7e5b4
  access-list VPN-ELXSI-Partner line 7 extended permit tcp host STV-FTP host 192.168.34.6 eq ftp-data (hitcnt=0) 0xdf8153e8

Thank you
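The denied flow from the log and the vpn-filter shown above can be replayed offline. The following is an added example, not code from this thread or from Cisco; it assumes the documented ASA vpn-filter behaviour (ACEs written with the remote network as source and applied to both directions of a connection). ELXSI_LAN is 192.168.34.0/24 as stated in the thread; the UKCQ01 and STV-FTP addresses and the extra RDP_OUT_TO_PARTNER entry are constructed.

```python
"""Replay the thread's VPN-ELXSI-Partner vpn-filter against the denied RDP flow.
ASA vpn-filter ACEs are written with the REMOTE network as source and applied to
both directions of a connection, so 10.120.3.31:59544 -> 192.168.34.6:3389 is
matched as remote 192.168.34.6 port 3389 -> local 10.120.3.31 port 59544."""
import ipaddress

# ELXSI_LAN is from the thread; UKCQ01 and STV-FTP are constructed placeholders.
NAMES = {"ELXSI_LAN": "192.168.34.0", "UKCQ01": "10.120.200.1", "STV-FTP": "10.120.200.2"}

# (protocol, source, destination, source port, destination port) as expanded in
# the thread's ACL output; None means any port; ICMP types are not modelled.
VPN_ELXSI_PARTNER = [
    ("ip",   "10.120.171.0/24", "ELXSI_LAN/24",    None, None),  # line 1
    ("ip",   "ELXSI_LAN/24",    "10.120.171.0/24", None, None),  # line 2
    ("tcp",  "ELXSI_LAN/24",    "UKCQ01",          None, 80),    # line 3 www
    ("tcp",  "ELXSI_LAN/24",    "UKCQ01",          None, 443),   # line 3 https
    ("tcp",  "any",             "any",             None, 3389),  # line 4 RDP
    ("icmp", "any",             "any",             None, None),  # line 5
    ("tcp",  "192.168.34.6",    "STV-FTP",         None, 21),    # line 6 ftp
    ("tcp",  "192.168.34.6",    "STV-FTP",         None, 20),    # line 6 ftp-data
    ("tcp",  "STV-FTP",         "192.168.34.6",    None, 21),    # line 7 ftp
    ("tcp",  "STV-FTP",         "192.168.34.6",    None, 20),    # line 7 ftp-data
]

# Constructed ACE (not in the thread) admitting RDP that 10.120.0.0/16 opens to
# the partner LAN: in vpn-filter orientation the remote port 3389 is the SOURCE.
RDP_OUT_TO_PARTNER = ("tcp", "ELXSI_LAN/24", "10.120.0.0/16", 3389, None)

def _net(spec):
    """Resolve 'any', a configured name, or address[/prefix] to an ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    host, _, plen = spec.partition("/")
    return ipaddress.ip_network(f"{NAMES.get(host, host)}/{plen or 32}", strict=False)

def _matches(ace, proto, src, dst, sport, dport):
    a_proto, a_src, a_dst, a_sport, a_dport = ace
    return (a_proto in ("ip", proto)
            and ipaddress.ip_address(src) in _net(a_src)
            and ipaddress.ip_address(dst) in _net(a_dst)
            and a_sport in (None, sport) and a_dport in (None, dport))

def vpn_filter_match(acl, local_ip, local_port, remote_ip, remote_port, proto="tcp"):
    """Index of the first permitting ACE, or None for the implicit deny.  The flow
    is oriented remote -> local first, which is why the thread's line 4 (destination
    port 3389) only admits RDP sessions that the partner side opens."""
    for i, ace in enumerate(acl):
        if _matches(ace, proto, remote_ip, local_ip, remote_port, local_port):
            return i
    return None
```

Under this orientation the posted line 4 (`permit tcp any any eq 3389`) admits RDP that the partner side opens toward any office host, while the session from 10.120.3.31 in the log falls through to the implicit deny; only hosts in 10.120.171.0/24 reach the partner LAN via line 2, and ping succeeds via line 5.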
