Does anybody know if an RDP session over hardware VPN can be affected by the tunnel?
Network diagram is attached
If I try to RDP to a 2008 server on the 30.0 network from ANY (XP, Vista, 7) client on the 20.0 network, my RDP session terminates with an error ("Because of an error in data encryption, this session will end. Please try connecting to the remote computer again"). However, if I try to RDP from the same client on the 20.0 network to a 2003 server running on the same ESXi, the problem does not exist.
Also if I poke a hole (TCP 3389) in RV042 and make 2008 server accessible over RDP from outside, I don’t have any problems connecting to the 2008 server even from the laptop that was getting disconnected over hardware VPN.
P.S. Transferring large files in any direction (over 300Mb) is NOT a problem from any computer on the 20.0 network to a 2008 server on the 30.0 network (using Windows shares, \\Server2008\Public).
This could be a VPN issue; however, the error that you are getting on the Windows Machine is not related to the VPN tunnel. That is because the RDP session has its own encryption and the tunnel has its own. The encryption of the tunnel is never seen by the Machines because it is between the two routers themselves. I suspect this might be an issue with the way packets are being fragmented. To fix this, you can try:
1. Reducing the MTU of the Machines. (Try decrementing to 1475, 1450 etc.)
2. Use 'crypto ipsec fragmentation before-encryption' command on both the routers.
This document is a little unrelated, however, should help you in understanding the dynamics of the packet transport:
Try going through the examples near the end of the document.
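Added example (not written by any poster in this thread): the arithmetic behind the MTU suggestion above, computing how many bytes ESP tunnel mode adds to a packet and the largest host MTU that crosses the tunnel unfragmented. The cipher profiles, the 1500-byte path MTU and all function names are assumptions, since the thread does not say how the RV042/RV082 tunnel is configured.

```python
# Added example: ESP tunnel-mode size arithmetic (packet layout per RFC 4303).
# Cipher profiles are assumptions; the thread does not give the tunnel settings.
from dataclasses import dataclass

OUTER_IPV4 = 20   # new outer IPv4 header added in tunnel mode
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad-length byte + next-header byte, encrypted with the payload
NAT_T_UDP = 8     # extra UDP header when the tunnel uses NAT traversal

@dataclass(frozen=True)
class EspProfile:
    name: str
    block: int          # cipher block size in bytes
    iv: int             # per-packet IV length in bytes
    icv: int            # integrity check value length in bytes
    nat_t: bool = False

    @property
    def fixed(self) -> int:
        """Bytes added to every packet regardless of its length."""
        return OUTER_IPV4 + (NAT_T_UDP if self.nat_t else 0) + ESP_HEADER + self.iv + self.icv

def outer_size(inner_len: int, p: EspProfile) -> int:
    """On-the-wire size of the encrypted packet carrying inner_len bytes."""
    padded = -(-(inner_len + ESP_TRAILER) // p.block) * p.block  # round up to block
    return p.fixed + padded

def max_inner_mtu(path_mtu: int, p: EspProfile) -> int:
    """Largest inner packet whose encrypted form still fits in path_mtu."""
    return (path_mtu - p.fixed) // p.block * p.block - ESP_TRAILER

# Constructed profiles for two common ESP transforms (assumed, not from the thread).
TDES_SHA1 = EspProfile("3DES-CBC + HMAC-SHA1-96", block=8, iv=8, icv=12)
AES_SHA1 = EspProfile("AES-CBC + HMAC-SHA1-96", block=16, iv=16, icv=12)
AES_SHA1_NATT = EspProfile("AES-CBC + HMAC-SHA1-96 over NAT-T", 16, 16, 12, nat_t=True)

if __name__ == "__main__":
    path_mtu = 1500  # assumed WAN path MTU between the two routers
    for p in (TDES_SHA1, AES_SHA1, AES_SHA1_NATT):
        limit = max_inner_mtu(path_mtu, p)
        # 40 = inner IPv4 header (20) + TCP header without options (20)
        print(f"{p.name}: host MTU <= {limit}, TCP MSS <= {limit - 40}")
        for mtu in (1500, 1475, 1450, 1400):
            size = outer_size(mtu, p)
            verdict = "fits" if size <= path_mtu else "fragmented or dropped"
            print(f"  inner {mtu} -> outer {size}: {verdict}")
```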
RV042 & RV082 routers don't have a CLI, so I don't think I can apply 'crypto ipsec fragmentation before-encryption'.
I will check the MTU of the Machines shortly. In the meantime I am attaching a Wireshark trace from the client side (recorded on the same laptop while the RDP session was initiated).
It disconnected around packet 1973. Can anyone conclude anything from the trace, or do I need to get another one from the server side?
According to this thread, the error has something to do with the hardware VPN tunnel.
What version of the remote access client software are you using on the XP and Vista systems? If it's a 64-bit OS then we need to install a client software version that supports 64-bit OS. Here is a link to the latest client software
You could try installing the latest version and check.
Srikanth K S.
Seems that the problem comes down to an MTU size issue. I read the document that you provided and the feature that they activated was some sort of Packet size control. What is the device that you use for the hardware client? Is there any option to increase the MTU size? You can use Wireshark to see how large the packets are that you are sending to the HW client and adjust the MTU size on the interface of the HW client.
Hope this helps.
Tried to find the option for permitting fragmented packets on the internet to help you out (as I think that would be a good option) but I could not find it. Regarding adjusting the MTU to the right value: yes, Wireshark needs to be placed between the modem and the router to check what the size of the packets is when they leave your router and what size it is receiving them at.
Hope it helps.
Here is an update on the issue.
I attempted to copy a file from a client computer on the 20 network to a share on a 2008 server on the 30 network, and I had no problems. Next, I grabbed the same file I had just copied to the share and tried to bring it back to the client using the same Windows copy command. Immediately I was presented with an error.
“An unexpected error is keeping you from copying the file. If you continue to receive this error, you can use the error code to search for help with this problem” Error 0x80900006: Invalid Signature.
While copying files I had Wireshark capturing on the client and was seeing hundreds of duplicate ACKs and several lost segments every time I clicked Retry on the error message.