Contributor
July 22, 2005
Question

Remote Desktop Connection session is dropping very often

  • July 22, 2005
  • 8 replies
  • 16353 views
Greetings all, I have a client that has FG-60 with the latest OS in their head office, and also FG-50 are sitting in their remote sites. The head office and remote sites are connected via private network, however when the remote sites are trying to have RDC into the PCs in the head office over those FGs, they're experiencing session drop off. It happens like 10 - 20 times during the business hours. When they take the FG-50 out of the network and run RDC directly from the PC, it runs smoothly without any problems. Are you guys aware if there's a session timeout with FG-50 when it's in idle stage? I was guessing that it is caused by the faulty power supply that doesn't give enough power to the FG, which gives intermittent connectivity. Apart from that, I really have no idea why this is happening... Any suggestions guys? Thanks before. Cheers Jascha

    8 replies

    Contributor
    July 22, 2005
    No, it has nothing to do with how much power is going into the box. Your problem is most likely a session timeout. The default on the Fortigate is 300 seconds (5 minutes) which is quite short for an RDP connection. I usually set port 3389 for a timeout for something between 28,800 (8 hours) and 43,200 (12 hours). That way I get no calls on the problem. Session timeout is a common problem. I have also seen this to be a problem with Outlook connecting to Exchange over a VPN.
    Contributor
    July 24, 2005
    Hi Trombone, Thanks for your reply, however I'm quite new with Fortigate. Could you tell me where I can set the timeout on specific ports? I'm using Firmware 2.50 Build 299. Thanks again. Cheers
    Contributor
    July 25, 2005
    I found something in the docs that looks like it. In CLI it seems to be at

        config system session_ttl
            config port
                edit 1494
                    set timeout 28800
                end
            end

    Since I am new to Fortigate I really don't know if this is correct. I will try, but you try at your own risk :-) Port 1494 is Citrix WinFrame, which is my current problem regarding session hangups. @Trombone: Is this the setting you refer to? Thanks, Stefan
    Contributor
    July 25, 2005
    I tested the commands listed above. My problem of freezing of the Citrix client persists unfortunately. If this was the setting Trombone meant, it doesn't help with my situation. I will do further tests.
    Contributor
    July 25, 2005
    Hi Stefan, Here's what I got from the knowledge center:

        V 2.80
        config system session_ttl
            set default 300
            config port
                edit 8787
                    set timeout 3600
                next
            end
        end

    I haven't checked this yet, because it's only available for firmware version 2.80, while I'm using FG-50 (they can only use firmware version 2.50, and I'm using the latest firmware for FG-50 V2.50 build 321). I don't think the above command list is appropriate to be used for V2.50. Does anyone know? Thank you.
    Contributor
    July 26, 2005
    Hi Jascha, your settings seem pretty similar to mine, only that I don't set a default. Don't know what the "next" is for, though... And I of course use the Citrix port, not 8787. Anyhow the settings didn't work for me. I think I found the problem, at least the situation got better now, but still needs further testing. I changed the Keylife in the IPSEC phase2 Advanced Parameters to 7100 on one side and 7200 on the other side. The freezes seem to be less frequent now. I am waiting for a report of times when the freezes happen and will review the logs for key exchanges that match the freezes. I will post the results.
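Added example, not part of the original thread: one way to do the log review described in the post above is to match reported freeze times against phase 2 rekey events. The log lines, their format and the freeze times are constructed for illustration (rekeys spaced 7100 seconds apart to mirror the keylife mentioned) and are not real FortiGate output.

```python
from bisect import bisect_right
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data in a hypothetical log format.
REKEY_LOG = """\
2005-07-26 09:58:20 ipsec phase2 rekey tunnel=branch1
2005-07-26 10:15:02 firewall session close port=1494
2005-07-26 11:56:40 ipsec phase2 rekey tunnel=branch1
2005-07-26 13:55:00 ipsec phase2 rekey tunnel=branch1
"""
# Constructed freeze times as users might report them.
FREEZES = ["2005-07-26 09:58:27", "2005-07-26 10:41:03",
           "2005-07-26 11:56:49", "2005-07-26 13:55:04"]

def parse_rekeys(text):
    """Return sorted timestamps of all phase 2 rekey lines."""
    return sorted(datetime.strptime(line[:19], FMT)
                  for line in text.splitlines() if "phase2 rekey" in line)

def rekey_intervals(rekeys):
    """Seconds between consecutive rekeys; should track the configured keylife."""
    return [int((b - a).total_seconds()) for a, b in zip(rekeys, rekeys[1:])]

def correlate(freezes, rekeys, window=timedelta(seconds=30)):
    """Split freezes into those within `window` after a rekey and the rest."""
    matched, unmatched = [], []
    for raw in freezes:
        t = datetime.strptime(raw, FMT)
        i = bisect_right(rekeys, t)          # index of first rekey after t
        if i and t - rekeys[i - 1] <= window:
            matched.append((raw, int((t - rekeys[i - 1]).total_seconds())))
        else:
            unmatched.append(raw)            # points to some other cause
    return matched, unmatched

if __name__ == "__main__":
    rekeys = parse_rekeys(REKEY_LOG)
    print("rekey intervals (s):", rekey_intervals(rekeys))
    hit, miss = correlate(FREEZES, rekeys)
    for when, delay in hit:
        print(f"{when}: froze {delay}s after a phase 2 rekey")
    for when in miss:
        print(f"{when}: no rekey nearby, check idle session timeout instead")
```

Freezes that do not line up with a rekey are worth checking against the firewall's idle session timeout, the other cause discussed in this thread.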
    Contributor
    July 26, 2005
    If this helps, I have an IPSEC VPN between a SonicWall and a Fortigate wifi 60. My keylife is set to 172800 on both ipsec keylifes and my remote clients use Citrix. 7200 is only 2 hours - maybe set it to last about 12 hours. A longer keylife between negotiations at least allows it not to kill a connection in the middle of a session. Also, try lightening up on some of the encryption if it seems to have trouble establishing a connection.
    Contributor
    July 27, 2005
    I am relatively new to VPN, so perhaps I am not right here... I always supposed the phase2 key exchange should be working transparently without killing sessions? Is it normal that during key exchanges no traffic flows (which would be the explanation why the sessions die)? And what security implications does it have to increase keylife from 30 minutes to 12 hours or so? In my understanding there will be much more traffic to analyse and brute-force the keys of. Is there a way to tell how much traffic should be allowed before changing keys for security reasons? Thanks for all the help!
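Added example, not part of the original thread, for the question above about how much traffic one key should protect: a measurable limit is the birthday bound on ciphertext block collisions, which depends on the cipher's block size rather than on brute-forcing the key. The block sizes (64-bit for DES/3DES, 128-bit for AES), the 2 Mbit/s link rate and the probability targets are assumptions; the thread does not say which cipher the tunnel uses.

```python
import math

def max_blocks(block_bits, log2_p):
    """Largest n with n^2 / 2^(block_bits + 1) <= 2^log2_p.

    n^2 / 2^(b+1) is the usual birthday approximation for the chance that two
    of n ciphertext blocks collide under one key; it is loose near p = 1/2.
    log2_p is negative, e.g. -21 for a collision probability of 2^-21.
    """
    return math.isqrt(2 ** (block_bits + 1 + log2_p))

def byte_budget(block_bits, log2_p):
    """Bytes one key may encrypt before the collision probability is reached."""
    return max_blocks(block_bits, log2_p) * (block_bits // 8)

def keylife_seconds(block_bits, log2_p, link_bits_per_s):
    """Seconds a fully saturated link needs to use up the byte budget."""
    return byte_budget(block_bits, log2_p) * 8 // link_bits_per_s

def bytes_in_keylife(seconds, link_bits_per_s):
    """Worst-case bytes sent under one key for a time-based keylife."""
    return seconds * link_bits_per_s // 8

if __name__ == "__main__":
    link = 2_000_000  # assumed 2 Mbit/s WAN link
    for name, bits in (("64-bit block (DES/3DES)", 64), ("128-bit block (AES)", 128)):
        for log2_p in (-1, -21):
            print(f"{name}, p=2^{log2_p}: "
                  f"{byte_budget(bits, log2_p):,} bytes, "
                  f"{keylife_seconds(bits, log2_p, link):,} s at line rate")
    # Compare with the 12-hour keylife suggested earlier in the thread.
    print("12 h at line rate:", f"{bytes_in_keylife(43200, link):,}", "bytes")
```

IPsec SA lifetimes can be negotiated in kilobytes as well as seconds (both life types are defined in RFC 2407), so a byte budget like this can be enforced directly where the device exposes it.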
    Contributor
    July 27, 2005
    Hi Stefan, I think you're right about phase2, it should work transparently without killing sessions. There's not much I could help with on this one, but this may explain why your VPN session to the Citrix keeps dropping off: http://kc.forticare.com/default.asp?id=251&Lang=1 If not, maybe anyone could help? Cheers
    Contributor
    July 27, 2005
    Hi Jascha, I tested a few things out and got the problem reduced to a few things: The tunnel seems to work ok during key exchange. I tested this by connecting to the web interface of the remote Fortigate unit and refreshing the VPN monitor to see what happens when the timeout kicks in. I experienced no delay. Nevertheless a few seconds after the timeout the Citrix client froze. I don't think it's a DHCP issue. It is correct that the remote site has a dynamic IP but the VPN seems to go on, at least to the web interface. I believe it is a bug in MR10. I will try one other thing later and switch from main mode to aggressive mode to test if the problem is caused by using main mode with a dynamic IP, but since the tunnel seems to work fine (at least for the web interface) I don't think that is the matter. Thanks!
    Contributor
    August 4, 2005
    Aggressive mode shows the same behaviour...
    Contributor
    August 4, 2005
    I switched off "Enable perfect forward secrecy (PFS)" in the phase2 advanced settings. Still Citrix sessions get killed every time the phase2 keys are changed. I will go back to my original settings and wait for another release, hoping the problems will be solved...