Revision history

initial version

Help with a TCP Reset Issue

Hi Guys,

This is my first post on here so please advise if I am leaving anything out, and thank you in advance.

Some background:

We are hosting a Remote Application on a Windows 2012 Server using a Windows 2012 Gateway utilising UDP RDP where possible. We have about 30 customer application servers all using the same Virtual Machine server template with the same Application and Windows Gateway server configuration, and all 30 customers share the same proxy server. We use a Cisco ASA 5500-X Firewall - we have approximately 250 concurrent users connected; however, one customer often experiences RDP disconnects affecting all of their office users.

No other customers experience these disconnects, so I concluded it must be on their end and asked them to perform a packet capture on their firewall. They agreed and sent me a pcap showing various 'RST' and 'RST, ACK' originating from my firewall. I checked the TTL value and it's consistent with previous packets, so I am certain it did come from my Firewall; however, during the disconnect there are a whole bunch of 'FIN, ACK', 'RST, ACK' and 'RST' coming mostly from my side.

I can then see their Firewall trying to initiate a 'SYN' but my firewall responding with a 'RST, ACK'. From my limited knowledge I checked the Port number it was trying to connect to, '443'. Now, I am certain this port was open as all other customers were connected and we had no other customers complain.

There is a block of constant SYN > RST, ACK until it finally connects and my firewall responds with a SYN, ACK.

When their disconnections occurred, the first packet before the RST storm is a 'RST, ACK' sent from my Firewall to their Firewall, then a storm of RST, ACK, FIN, ACK and SYNs occurs.

Has anyone seen this before? I am sure you have, and what further information do you need from me?

Thanks

Help with a TCP Reset Issue

Hi Guys,

This is my first post on here so please advise if I am leaving anything out, and thank you in advance.

Some background:

We are hosting a Remote Application on a Windows 2012 Server using a Windows 2012 Gateway utilising UDP RDP where possible. We have about 30 customer application servers all using the same Virtual Machine server template with the same Application and Windows Gateway server configuration, and all 30 customers share the same proxy server. We use a Cisco ASA 5500-X Firewall - we have approximately 250 concurrent users connected; however, one customer often experiences RDP disconnects affecting all of their office users.

No other customers experience these disconnects, so I concluded it must be on their end and asked them to perform a packet capture on their firewall. They agreed and sent me a pcap showing various 'RST' and 'RST, ACK' originating from my firewall. I checked the TTL value and it's consistent with previous packets, so I am certain it did come from my Firewall; however, during the disconnect there are a whole bunch of 'FIN, ACK', 'RST, ACK' and 'RST' coming mostly from my side.

I can then see their Firewall trying to initiate a 'SYN' but my firewall responding with a 'RST, ACK'. From my limited knowledge I checked the Port number it was trying to connect to, '443'. Now, I am certain this port was open as all other customers were connected and we had no other customers complain.

There is a large block of constant SYN > RST, ACK until finally my Firewall connects and my firewall responds with a SYN, ACK.

When their RDP disconnections occurred, the first noticeable packet before the RST storm is a 'RST, ACK' sent from my Firewall to their Firewall, then there is a storm of RST, ACK, FIN, ACK and SYNs.

Has anyone seen this before? I am sure you have, and what further information do you need from me?

Thanks
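
The TTL comparison and the SYN > RST, ACK pattern described in the post can be checked mechanically. The following is an added example, not part of the original post: the packet records, addresses (documentation ranges) and function names are constructed for illustration and stand in for fields exported from a real capture.

```python
from collections import Counter, defaultdict

HOST, CUST = "203.0.113.10", "198.51.100.20"  # documentation addresses (assumed)
# Constructed records: (time, src, sport, dst, dport, flags, ip_ttl)
PACKETS = [
    (0.00, CUST, 50100, HOST, 443, "ACK", 118),
    (0.01, HOST, 443, CUST, 50100, "ACK", 55),
    (0.02, HOST, 443, CUST, 50100, "PSH,ACK", 55),
    (5.00, HOST, 443, CUST, 50100, "RST,ACK", 55),
    (5.01, HOST, 443, CUST, 50101, "FIN,ACK", 55),
    (5.02, HOST, 443, CUST, 50102, "RST", 55),
    (5.10, CUST, 50200, HOST, 443, "SYN", 118),
    (5.11, HOST, 443, CUST, 50200, "RST,ACK", 55),
    (5.60, CUST, 50201, HOST, 443, "SYN", 118),
    (5.61, HOST, 443, CUST, 50201, "RST,ACK", 55),
    (6.10, CUST, 50202, HOST, 443, "SYN", 118),
    (6.11, HOST, 443, CUST, 50202, "SYN,ACK", 55),
]

def ttl_baseline(packets):
    """Most common TTL per source IP, learned from non-RST packets only."""
    seen = defaultdict(Counter)
    for _, src, _, _, _, flags, ttl in packets:
        if "RST" not in flags:
            seen[src][ttl] += 1
    return {src: c.most_common(1)[0][0] for src, c in seen.items()}

def classify_resets(packets):
    """Each RST with whether its TTL matches the sender's baseline.
    A mismatch suggests a device on the path generated it, not the sender."""
    base = ttl_baseline(packets)
    return [(t, src, flags, ttl == base.get(src))
            for t, src, _, _, _, flags, ttl in packets if "RST" in flags]

def syn_outcomes(packets):
    """Pair every bare SYN with the first reply on the reversed 4-tuple."""
    out = []
    for i, (t, src, sp, dst, dp, flags, _) in enumerate(packets):
        if flags != "SYN":
            continue
        reply = next((p[5] for p in packets[i + 1:]
                      if (p[1], p[2], p[3], p[4]) == (dst, dp, src, sp)), None)
        out.append((t, dp, reply))
    return out

if __name__ == "__main__":
    for row in classify_resets(PACKETS):
        print("reset", row)
    for row in syn_outcomes(PACKETS):
        print("syn  ", row)
```

A matching TTL only shows that the reset came from the same hop distance as the sender's normal traffic; it does not separate a firewall from a host sitting directly behind it.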