IPsec VPN connection, Windows RDP keep dropping

UFS

I have IPsec VPN connection between main office and branch. I have computers(XP, Win7,Win10) at main office. Users at branch will use windows RDP connect to computers at Main office. 

The RDP session Intermittent drop.

How to resolve this issue?

Both sites use Flex 500 firewall.

Zyxel_Cooldia

Hi @UFS,

Welcome to Zyxel community. 
Can you send me both site configuration file in PM for further checking?

Mad_cha

Hi @Zyxel_Cooldia   I have the same issue.

I have IPsec VPN connection between main office and branch. I have computers on windows 10 at main office. Users at branch will use windows RDP connect to computers at Main office. 

The RDP session Intermittent drop.

How to resolve this issue please ?

Both sites use usg60.

Thanks a lot.

mMontana

It's used only for RDP? Or it's steadily working for other tasks/transfers?

During RDP Session, could you log if the tunnel is still built and/or capable of transfer?

Did you setup correctly the ingress and egress capabilities of your WAN connections on both side?

Did you created any BMW rule for keeping the RDP slowly but steadily working?

PeterUK

Seeing the same problem with VPN300 V5.10(ABFC.0) by 4G to Zywall 110 V4.70(AAAA.0)ITS-WK46-r102519 by cable site to site tunnel. The problem can take 10-20mins and the tunnel does not seem to drop going by the logs and uptime.

I set the PC1 to ping the remote PC and RDP to it with a ping to 8.8.8.8

I have another PC2 also ping the remote PC

When the RDP drop happens PC1 and PC2 ping drop but the ping to 8.8.8.8 is fine

Might do a local site to site for testing.

Mad_cha

Hi @mMontana ,

It's used only for RDP? Or it's steadily working for other tasks/transfers?

Both

During RDP Session, could you log if the tunnel is still built and/or capable of transfer?

Yes

Did you setup correctly the ingress and egress capabilities of your WAN connections on both side?

Yes

Did you created any BMW rule for keeping the RDP slowly but steadily working?

I don't know how to do this.

I read this

"There was a setting in the Firewall that would "flush states for a gateway that goes down". That was the default setting. Checking the tick box "overrides this setting by not clearing states for existing connections." Checking that box prevented the disconnects. I was able to RDP for over an hour and no disconnects."

But i dont know where it is on zyxel

PeterUK

Do you know if your tunnel is by protocol 50 or UDP 4500? doing a local site to site with protocol 50 shows it to be stable with RDP I think the problem might have to do with NAT-T

Zyxel_Cooldia

Hi @Mad_cha,
Please hit CLI Router# debug system no-udp-disperse active and test if it is stable in RDP connection.

PeterUK

Zyxel_Cooldia said:

Hi @Mad_cha,
Please hit CLI Router# debug system no-udp-disperse active and test if it is stable in RDP connection.

Did that both ends RDP still drops out

PeterUK

It definitely has to do with NAT-T UDP 4500 I did a local test with three routers so that the tunnel uses NAT-T UDP 4500 and RDP dropped the problem does not happen if the end points use protocol 50 WAN IP to WAN IP.

How I tested

VPN300

PC 192.168.255.51 to 192.168.138.2 RDP PC and ping

ge5 192.168.255.49/28

ge4 external

IP 192.168.2.2/24 gateway 192.168.2.2

site to site IP 192.168.4.1

ge4 to VPN2S LAN2

VPN2S

LAN2

IP192.168.2.1/24

WAN2 port 4 NAT

IP 192.168.4.2/24 gateway 192.168.4.1

Port4 to Zywall 110 WAN2

Zywall 110

WAN2

IP 192.168.4.1/24

site to site with Dynamic Peer

LAN2 192.168.138.1/28

PC 192.168.255.51 to 192.168.138.2 RDP PC and ping

PeterUK

For anyone having this problem its to do with being behind NAT and on the nailed up side a workaround that seems to work on the nailed up side is to make a firewall rule from WAN/OPT to zywall service NATT UDP 4500.