2

I have a Windows 2012R2 server acting as remote desktop gateway for a number of RDSH servers inside the perimeter, and have a firewall between it and the Internet allowing access from outside to that gateway. Our users report problems that their RDS connections via that gateway occasionally break with errors related to RDG server drop, while RDG only reports "client disconnected" with statistics. Investigation has discovered that the firewall is overloaded at times, dropping packets from its input queue. Sadly, the firewall is an appliance that is not easily replaced (replacement will take some 6 months, and the problem of course has to be solved yesterday), so I have to make my RDG work in a network that's congested by default.

Are there any settings that I can apply to RDG so that it won't drop UDP connections for an extended period of time, or maybe not advertise UDP connection at all, just to make sure that eventually TCP would push a L3 packet through the firewall and the connection won't break?

Vesper
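The question mentions not advertising the UDP transport at all so that sessions fall back to TCP. As an added illustration (not part of the question or the answer below), the following PowerShell, assumed to be run elevated on the RDG host, reports whether the gateway is currently bound on its default UDP transport port (3391) and shows, or optionally sets, the documented "Turn Off UDP On Client" policy value `fClientDisableUDP`. The port number and the `-DisableClientUdp` switch are assumptions for this example.

```powershell
# Added example, not code from the question or answer.
# Assumptions: run elevated on the RD Gateway host (Windows Server 2012 R2);
# the gateway uses the default UDP transport port 3391.
param(
    [int]$UdpPort = 3391,        # RD Gateway default UDP transport port (assumed)
    [switch]$DisableClientUdp    # set the policy value instead of only reporting it
)

# 1. Is the gateway currently bound on its UDP transport port?
#    If nothing listens here, UDP transport is off in RD Gateway Manager
#    (Properties > Transport Settings > Enable UDP transport).
$udpListener = Get-NetUDPEndpoint -LocalPort $UdpPort -ErrorAction SilentlyContinue
if ($udpListener) {
    Write-Output "RDG is bound on UDP/$UdpPort; clients may be offered the UDP transport."
} else {
    Write-Output "No listener on UDP/$UdpPort; the UDP transport appears to be disabled."
}

# 2. Client-side policy "Turn Off UDP On Client"
#    (Computer Configuration > Administrative Templates > Windows Components >
#     Remote Desktop Services > Remote Desktop Connection Client).
#    Deployed by GPO to the client machines, it makes mstsc use TCP only.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$current = (Get-ItemProperty -Path $policyKey -Name fClientDisableUDP `
            -ErrorAction SilentlyContinue).fClientDisableUDP
if ($null -eq $current) {
    Write-Output "fClientDisableUDP on this host: not set (UDP allowed)"
} else {
    Write-Output "fClientDisableUDP on this host: $current"
}

if ($DisableClientUdp) {
    # Create the policy key if no RDS policy has been applied here yet.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name fClientDisableUDP -Value 1 -Type DWord
    Write-Output "fClientDisableUDP set to 1; the RDP client on this host will negotiate TCP only."
}
```

Note the two controls act on different sides: unticking "Enable UDP transport" on the gateway stops it offering UDP to everyone, while the `fClientDisableUDP` policy only affects the machines the GPO reaches. Either way the session stays on HTTPS over TCP, which is the fallback the question is asking for; it does not help with a firewall that drops TCP as well.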

1 Answer

1

RDP is pretty lightweight; I would recommend looking at other things on your router, as it hits 100% CPU time. RDP users found that it drops, but I am sure it affects your other services too.

Following our comments, I would suggest:

Try to save on CPU cycles for your appliance.

A normal port forward is not usually something that will put a high load on your appliance, so please check around:

  • VPN uses a lot of CPU cycles, so:

-- If you have a site-to-site VPN tunnel up, please validate whether the high %CPU follows high VPN usage.

-- If your appliance accepts VPN users, please validate how many are connected when the symptom arises, to see if you can limit that.

-- Please validate whether your appliance excludes the VPN traffic from DPI.

  • DPI uses a lot of CPU cycles too, so (if you can't disable it):

-- Validate your current WAN usage when the symptom appears, as a too-high WAN link versus a small appliance with DPI will max out its CPU.

-- If you do inter-zone routing in the firewall, validate whether DPI is run against those packets as well.

Most of all, check if you can run a debug when the symptom appears, as some appliances allow you to see what causes the high CPU usage, like the Linux top command.

If you can't save on CPU cycles, I suggest:

  • Rent a router for the time until you buy a new one; some vendors allow that, like we do at our job: we just bill it minus the rent later on.

  • Or get a new IP from your ISP and use a small SOHO router for the forward, to completely remove that traffic from your main router.

yagmoth555
  • The device is just pretty old (Cisco 2811 running in HA with active/standby configuration); it has software NAT (so port forwarding also puts load on the CPU) and quite an extensive set of functions (inter-VLAN routing, IPsec, dozens of standby IP addresses, ACLs), so there's not too much in there to save on CPU on that device. About splitting IPs and networks between routers: a tad harder although doable; the problem is rack space, there isn't any left to put another router in for this purpose. However, I will toss that to the boss, thanks. – Vesper Oct 15 '17 at 11:26
  • Reviewed network configuration - well, it's pretty hard to move either RDG or RDSHs so that external traffic would go through a different firewall. The problem is existing VPNs and the requirement for all of these servers to be able to access resources beyond that VPN (there's a DFS and similar stuff in place). L7 inspection is already off for this traffic. So, the only way seems to be to replace the FW. – Vesper Oct 16 '17 at 07:53