
Because of an error in data encryption, this session will end. Please try connecting to the remote computer again

net tech
Beginner

Does anybody know if an RDP session over hardware VPN can be affected by the tunnel?

Network diagram is attached

If I try to RDP to a 2008 server on the 30.0 network from ANY (XP, VISTA, 7) client on the 20.0 network, my RDP session terminates with an error (Because of an error in data encryption, this session will end. Please try connecting to the remote computer again). However, if I try to RDP from the same client on the 20.0 network to a 2003 server running on the same ESXi, the problem does not exist.

Also if I poke a hole (TCP 3389) in RV042 and make 2008 server accessible over RDP from outside, I don’t have any problems connecting to the 2008 server even from the laptop that was getting disconnected over hardware VPN.

Any thoughts….

P.S. Transferring large files in any direction (over 300Mb) is NOT a problem from any computer on the 20.0 network to a 2008 server on the 30.0 network (using Windows shares \\Server2008\Public).

1 ACCEPTED SOLUTION


Hello Eugene,

Were you able to take the capture between the router and the modem? How big are the packets that you are receiving from the endpoint on the .30 network?

Mike


14 REPLIES

ischeema
Beginner

Hi eugenebord,

This could be a VPN issue, however, the error that you are getting on the Windows Machine is not related to the VPN tunnel. That is because the RDP session has its own encryption and the tunnel has its own. The encryption of the tunnel is never seen by the Machines because it is between the two routers itself. I suspect this might be an issue with the way packets are being fragmented. To fix this, you can try:

1. Reducing the MTU of the Machines. (Try decrementing to 1475, 1450 etc.)

2. Use 'crypto ipsec fragmentation before-encryption' command on both the routers.

This document is a little unrelated, however, should help you in understanding the dynamics of the packet transport:

Try going through the examples near the end of the document.

RV042 & RV082 routers don't have CLI so I don't think I can apply 'crypto ipsec fragmentation before-encryption'

Will check the MTU of the machines shortly. In the meantime I am attaching a Wireshark trace from the client side (recorded on the same laptop while the RDP session was initiated).

It disconnected around packet 1973. Can anyone conclude anything from the trace, or do I need to get another one from the server side?

According to this thread, the error has something to do with the hardware VPN tunnel:

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/51d005e2-8ac4-4fa8-bbf7-f8c2e3f4dce4?prof=required

Hi Eugene,

What version of the remote access client software are you using on the XP and Vista systems? If it's a 64-bit OS then we need to install a client software version that supports 64-bit OS. Here is a link to the latest client software:

http://www.cisco.com/cisco/software/release.html?mdfid=281940730&flowid=4466&softwareid=282364316&os=Windows

You could try installing the latest version and check.

Regards,

Srikanth K S.

Srikanth K S.,

There is no VPN client. It's a gateway-to-gateway tunnel.

RV042 is running 1.3.12.6-tm firmware

RV082 is running 2.0.0.19-tm firmware

Hello Eugene,

Seems that the problem comes down to an MTU size issue. I read the document that you provided and the feature that they activated was some sort of packet size control. What is the device that you use for the hardware client? Is there any option to increase the MTU size? You can use Wireshark to see how large the packets are that you are sending to the HW client and adjust the MTU size on the interface of the HW client.

Hope this helps.

Mike


Mike,

MTU is set to auto on both routers, but can be adjusted. Where do I need to place Wireshark? Between the WAN port of the RV042 router and the cable modem?

Namit Agarwal
Cisco Employee

Hi,

Have you tried unchecking the option "block fragmented packets" in the router RV042 on the .30 network side?

Thanks,

Namit

Namit,

Do you know what screen "block fragmented packets" is located on?

Hello,

Tried to find the option for permitting fragmented packets on the internet to help you out (as I think that would be a good option) but I could not find it. Regarding adjusting the MTU to the right value: yes, Wireshark needs to be placed between the modem and the router to check what the size of the packets is when they leave your router and what size it is receiving.

Hope it helps.

Mike


Here is an update on the issue.

I attempted to copy a file from a client computer on the 20 network to a share on a 2008 server on the 30 network and had no problems. Next, I grabbed the same file I had just copied to the share and tried to bring it back to the client using the same Windows copy command. Immediately I was presented with an error.

“An unexpected error is keeping you from copying the file. If you continue to receive this error, you can use the error code to search for help with this problem” Error 0x80900006: Invalid Signature.

While copying files I had Wireshark capturing on the client and saw hundreds of duplicate ACKs and several lost segments every time I clicked Retry on the error message.

Hello Eugene,

Were you able to take the capture between the router and the modem? How big are the packets that you are receiving from the endpoint on the .30 network?

Mike


Mike,

I think it was a fragmentation problem. I changed the MTU of the RV042 from Auto to Manual and set it to 1492, which resolved the communication problem.

Thank you for your help!

Hi Eugene,

I think that is great! I am glad I was able to help.

Cheers!

Mike
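
The "how big are the packets" question in this thread can also be answered from a client, without a capture, by sending Don't Fragment pings across the tunnel and searching for the largest size that gets through. The script below is an added example, not part of the original posts; the function names and the 576 to 1500 byte search range are assumptions, and the ping flags are those of Windows ping and Linux iputils ping.

```python
import platform
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def df_ping(host, payload, timeout_s=2):
    """Send one echo request with Don't Fragment set; True if a reply came back."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(timeout_s * 1000), host]
    else:  # Linux iputils ping
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload),
               "-W", str(timeout_s), host]
    try:
        done = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout_s + 3)
    except (subprocess.TimeoutExpired, OSError):
        return False
    # Windows ping can exit 0 on an ICMP error, so also require a TTL in a reply line.
    return done.returncode == 0 and "ttl=" in done.stdout.lower()


def find_path_mtu(probe, low=576, high=1500):
    """Binary-search the largest IP packet size for which probe(payload) succeeds.

    probe takes an ICMP payload size and returns True or False. Returns the
    packet size (payload + 28), or None if even `low` does not get through.
    """
    lo, hi = low - IP_ICMP_OVERHEAD, high - IP_ICMP_OVERHEAD
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2  # round up so the loop always makes progress
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # address of a machine on the far side of the tunnel
    mtu = find_path_mtu(lambda size: df_ping(host, size))
    if mtu is None:
        print("no DF-set echo request got through")
    else:
        print(f"largest unfragmented packet: {mtu} bytes (TCP MSS {mtu - 40})")
```

A result below the MTU configured on the hosts or routers means full-size packets are being fragmented or dropped somewhere on the path; the search only works if ICMP echo is allowed through the tunnel.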
