CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


I'd like to thank everyone involved for making "The CPUG Challenge" a great success.
We helped a lot of people see and learn a bit more about R80.10, while having some fun.
We will be using this success to try and bring more events to more locations soon. -E

 

Results 1 to 7 of 7

Thread: Remote Desktop disconnects requently while using ssl-extender vpn.

  1. #1
    Join Date
    2015-04-02
    Posts
    4
    Rep Power
    0

    Default Remote Desktop disconnects requently while using ssl-extender vpn.

    We are having major issues with remote desktops sessions disconnecting and reconnecting very frequently while using the ssl-extender vpn. The vpn connection always stays up, it is just the rdp session that intereupts. We are using Gaia R77.30 with hotfix take 216 on open server. Our clients are Windows 10. It happens regardless of ISP and bandwidth settings in RDP.

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,018
    Rep Power
    12

    Default Re: Remote Desktop disconnects requently while using ssl-extender vpn.

    Quote Originally Posted by jjarnold View Post
    We are having major issues with remote desktops sessions disconnecting and reconnecting very frequently while using the ssl-extender vpn. The vpn connection always stays up, it is just the rdp session that intereupts. We are using Gaia R77.30 with hotfix take 216 on open server. Our clients are Windows 10. It happens regardless of ISP and bandwidth settings in RDP.
    I assume that all SNX users are using unique login/passwords and not sharing one account?

    Does the RDP interruption happen at fixed, regular intervals or seemingly randomly? Do they happen to correspond to any of these default timers (or whatever you may have possibly changed them to):

    Mobile Access Blade...Additional Settings...Session...Re-authenticate users every 120 minutes
    Mobile Access Blade...Additional Settings...Session...Disconnect idle sessions after 60 minutes
    Gateway Object...VPN Clients...Office Mode...Optional Parameters...IP lease duration: 15 minutes
    Global Properties...Remote Access...SSL Network Extender...Re-authenticate user every: 480 minutes
    Global Properties...Remote Access...SSL Network Extender...Client sends keepalive packets every: 20 seconds

    Also check the Session and Aggressive Aging Timeouts for service Remote_Desktop_Protocol and ensure they have not been changed to a ridiculously low value.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  3. #3
    Join Date
    2006-09-26
    Posts
    2,974
    Rep Power
    13

    Default Re: Remote Desktop disconnects requently while using ssl-extender vpn.

    Quote Originally Posted by ShadowPeak.com View Post
    I assume that all SNX users are using unique login/passwords and not sharing one account?

    Does the RDP interruption happen at fixed, regular intervals or seemingly randomly? Do they happen to correspond to any of these default timers (or whatever you may have possibly changed them to):

    Mobile Access Blade...Additional Settings...Session...Re-authenticate users every 120 minutes
    Mobile Access Blade...Additional Settings...Session...Disconnect idle sessions after 60 minutes
    Gateway Object...VPN Clients...Office Mode...Optional Parameters...IP lease duration: 15 minutes
    Global Properties...Remote Access...SSL Network Extender...Re-authenticate user every: 480 minutes
    Global Properties...Remote Access...SSL Network Extender...Client sends keepalive packets every: 20 seconds

    Also check the Session and Aggressive Aging Timeouts for service Remote_Desktop_Protocol and ensure they have not been changed to a ridiculously low value.
    To rule out it is a checkpoint issue, I recommend that you enable "keep alive" on the remote desktop session. Once you've done that, let see if you still have issues: http://jbcomp.com/keeping-remote-des...ections-alive/

  4. #4
    Join Date
    2015-04-02
    Posts
    4
    Rep Power
    0

    Default Re: Remote Desktop disconnects requently while using ssl-extender vpn.

    Quote Originally Posted by ShadowPeak.com View Post
    I assume that all SNX users are using unique login/passwords and not sharing one account?

    Does the RDP interruption happen at fixed, regular intervals or seemingly randomly? Do they happen to correspond to any of these default timers (or whatever you may have possibly changed them to):

    Mobile Access Blade...Additional Settings...Session...Re-authenticate users every 120 minutes
    Mobile Access Blade...Additional Settings...Session...Disconnect idle sessions after 60 minutes
    Gateway Object...VPN Clients...Office Mode...Optional Parameters...IP lease duration: 15 minutes
    Global Properties...Remote Access...SSL Network Extender...Re-authenticate user every: 480 minutes
    Global Properties...Remote Access...SSL Network Extender...Client sends keepalive packets every: 20 seconds

    Also check the Session and Aggressive Aging Timeouts for service Remote_Desktop_Protocol and ensure they have not been changed to a ridiculously low value.
    They all have unique logins. All the Global properties are set to default, we haven't changed those. What has changed is the use of Windows 10. We have some employees who use Apple I-pads and have no problems whatsoever. We installed the hotfix suggessted by Tech support, but are still having the problems although a little less frequently. I did a packet capture on the client and found it is sending a tcp reset packet to the firewall, but don't know why?

  5. #5
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,018
    Rep Power
    12

    Default Re: Remote Desktop disconnects requently while using ssl-extender vpn.

    Quote Originally Posted by jjarnold View Post
    They all have unique logins. All the Global properties are set to default, we haven't changed those. What has changed is the use of Windows 10. We have some employees who use Apple I-pads and have no problems whatsoever. We installed the hotfix suggessted by Tech support, but are still having the problems although a little less frequently. I did a packet capture on the client and found it is sending a tcp reset packet to the firewall, but don't know why?
    Hmm the fact that it only happens with Windows 10 systems is a bit suspicious, but try the following:

    1) On the firewall run the command "ips off", wait 60 seconds, then launch a new RDP connection from one of the afflicted Win10 systems. Does it make any difference? Don't forget to run "ips on" when finished!

    2) Prior to actually connecting with the RDP client, go into its settings and disable everything you possibly can on every tab, especially any local resources the client is trying to share across the session. Now connect, any improvement?

    3) This may not work at all due to DLL dependencies and such, but grab a copy of mstsc.exe from a Windows 8 system and run it on the Win10 system to make the RDP connection. Any improvement?
    Last edited by ShadowPeak.com; 2017-03-17 at 18:37.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  6. #6
    Join Date
    2010-08-19
    Location
    Finland
    Posts
    26
    Rep Power
    0

    Default Re: Remote Desktop disconnects requently while using ssl-extender vpn.

    We noticed same kind of behaviour with customer's Check Point SSL Extender. Users think that the connection drops only through WLAN/LAN connection through our own Check Point GW, but not through e.g. 4G mobile connection. I don't see any implications of this in GW logs. And I don't think I want to try IPS off even for few minutes.

  7. #7
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,321
    Rep Power
    8

    Default Re: Remote Desktop disconnects requently while using ssl-extender vpn.

    Quote Originally Posted by sohannin View Post
    We noticed same kind of behaviour with customer's Check Point SSL Extender. Users think that the connection drops only through WLAN/LAN connection through our own Check Point GW, but not through e.g. 4G mobile connection. I don't see any implications of this in GW logs. And I don't think I want to try IPS off even for few minutes.
    Can you try disabling securexl? I've seen this a few times where a securexl bug prevents the tcp idle times from changing from half open (30 seconds) to established (3600).

    I'd try off hours if you have much of a load on the firewall.

    fwaccel off

    try to reproduce

    fwaccel on

    to turn back on.

Similar Threads

  1. Remote desktop add-on
    By fbelevan in forum Mobile Access Blade (Formerly Connectra)
    Replies: 2
    Last Post: 2012-10-29, 05:19
  2. SSL Network Externder problems With Remote Desktop
    By lfernandez in forum SNX - SSL Network Extender
    Replies: 0
    Last Post: 2009-06-17, 19:55
  3. remote desktop to a secure client
    By decurion in forum SecureClient/SecuRemote
    Replies: 7
    Last Post: 2008-12-02, 14:02
  4. SmartPortal and Remote Desktop
    By Gutts in forum SmartPortal
    Replies: 0
    Last Post: 2007-10-02, 10:27
  5. Remote Desktop Over Checkpoint VPN
    By pmahoney in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 13
    Last Post: 2006-07-20, 10:25

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •