Hey Guys

Thanks for reading my questions, this forum is my last resort as I am out of ideas.

We have users that connect to a remote server outside of our network to perform some admin tasks and everything has been working fine until a few weeks ago. Users started complaining that their RDP session keeps freezing then drops completely with the error message "Your remote desktop services session has ended. The connection to the remote computer was lost, possibly due to network connectivity problems." I have tested this from multiple PCs and from multiple locations with the same result. The following was captured with Wireshark; hopefully someone can shed some light on what's going on.

4145    213.992742000   source(my pc)   destination (remote server) TPKT    71  Continuation
4146    213.998031000   source(my pc)   destination (remote server) TPKT    981 [TCP Retransmission] Continuation
4167    219.778181000   source(my pc)   destination (remote server) TPKT    85  Continuation
4191    224.575355000   source(my pc)   destination (remote server) TPKT    1354    [TCP Retransmission] Continuation
4246    238.663506000   source(my pc)   destination (remote server) TCP 54  49322 > ms-wbt-server [RST, ACK] Seq=173138 Ack=27613 Win=0 Len=0

asked 19 Dec '12, 09:07

tlevin

edited 19 Dec '12, 09:36

grahamb ♦

Well, 5 packets out of a complete stream is not a lot to go by when trying to find the source of the problem. But here goes anyway :-)

Assuming you captured near the client and that your capture and display filters did not filter out the packets coming from the server (you did see server packets earlier in the trace, didn't you?), then I would say that indeed the connection to the RDP server is interrupted. The client keeps sending data and retransmitting it, but it does not get a response (not even by an ACK at the TCP level) and finally shuts down the connection, which results in a TCP RST in frame 4246.

You might want to capture data on both the client side and the server side to verify that all packets do arrive at the RDP server.

I suspect there might be a stateful device (Firewall or LoadBalancer or similar) that might have dropped the session and now blocks traffic. What devices are on the path from the client to the RDP server?

answered 20 Dec '12, 02:50

SYN-bit ♦♦
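
The reasoning in the answer above, as an added example that is not part of the original thread: a Python check over a tab-separated Wireshark packet-list export that flags flows where the client retransmits, hears nothing back from the server, and then sends a RST. The sample rows, the documentation-range addresses and the names `find_stalls` and `Stall` are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample shaped like a Wireshark packet-list export (tab-separated:
# No., Time, Source, Destination, Protocol, Length, Info). Addresses are
# documentation-range placeholders; the first row is an invented server packet.
SAMPLE = (
    "4101\t209.120000\t198.51.100.20\t192.0.2.10\tTPKT\t139\tContinuation\n"
    "4145\t213.992742\t192.0.2.10\t198.51.100.20\tTPKT\t71\tContinuation\n"
    "4146\t213.998031\t192.0.2.10\t198.51.100.20\tTPKT\t981\t[TCP Retransmission] Continuation\n"
    "4167\t219.778181\t192.0.2.10\t198.51.100.20\tTPKT\t85\tContinuation\n"
    "4191\t224.575355\t192.0.2.10\t198.51.100.20\tTPKT\t1354\t[TCP Retransmission] Continuation\n"
    "4246\t238.663506\t192.0.2.10\t198.51.100.20\tTCP\t54\t49322 > ms-wbt-server [RST, ACK] Seq=173138 Ack=27613 Win=0 Len=0\n"
)

@dataclass
class Stall:
    server: str
    last_server_time: Optional[float]  # None: no server packet in the capture at all
    retransmissions: int               # client retransmissions since the server was last heard
    reset_time: float
    silence: Optional[float]           # seconds from last server packet to the client's RST

def find_stalls(export: str, client: str) -> list:
    """Flag flows where the client retransmits, hears nothing back, then sends a RST."""
    last_seen, retrans, stalls = {}, {}, []
    for line in export.splitlines():
        cols = line.split("\t")
        if len(cols) < 7 or not cols[0].isdigit():
            continue  # header or non-packet row
        t, src, dst, info = float(cols[1]), cols[2], cols[3], cols[6]
        if dst == client:
            # Any packet from the peer proves the return path still works.
            last_seen[src], retrans[src] = t, 0
        elif src == client:
            if "[TCP Retransmission]" in info:
                retrans[dst] = retrans.get(dst, 0) + 1
            if re.search(r"\[RST\b", info) and retrans.get(dst, 0) > 0:
                seen = last_seen.get(dst)
                gap = None if seen is None else round(t - seen, 6)
                stalls.append(Stall(dst, seen, retrans[dst], t, gap))
    return stalls

if __name__ == "__main__":
    for s in find_stalls(SAMPLE, "192.0.2.10"):
        print(s)
```

A result with `last_server_time` set to `None` means the export holds no server packets at all, which is the capture or display filter caveat raised in the answer and should be ruled out before blaming a device on the path.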
