Remote Desktop Intermittent failures

sedate-ed

Sorry this is so long (the end of the message has the applicable event
viewer error messages)!

I have been having some intermittent problems when I try to connect to my
home network from where I work using remote desktop (RDP). I have Comcast
cable internet, and I connect through a Netgear FR114P NAT router with SPI
firewall (most recent released firmware applied). I have set the router to
allow port forwarding to the PC running Remote Desktop (3389) only from the
IP address of where I work (and to drop all other requests from any other
IPs). On the PC running Remote Desktop I also run Kerio Personal Firewall
2.1.5 (the PC is WinXP Pro SP2 with the Windows Firewall disabled - since I
use Kerio). In general, I can connect, and things are relatively normal.
Intermittently, however, when I try to connect, as soon as I enter the login
information, the RDP connection is disconnected, and I am unable to
reconnect remotely after that.

When this happened today, I connected to another PC on my home network
(Win2000 server-SP4, running Citrix MF 1.8-SP4 Feature Release 1--not
running Active Directory, it is in Workgroup mode). The connection is
normal. In the Citrix session, I tried to connect using the RDP client I
have installed on the Citrix PC just to see if I could connect to the "RDP
PC" locally, but it doesn't connect, it times out. Just for kicks, I tried
to connect to the admin shares (file and printer sharing) on the RDP PC from
the Citrix session, and I could connect (which told me the RDP PC is still
up and running, just not accepting RDP connections). On the Citrix PC I
also have a "Remote shutdown" utility that I tried to use to reboot the RDP
PC (my thinking being that whatever services have stopped, will once again
restart with a fresh boot). The remote shutdown utility failed to restart
the computer. (The remote utility is made by MATCODE software, and is the
freeware GUI version which requires that RPC is running on the remote
computer to be rebooted).

Another thing I did, was to run a tracert to my home IP address from work.
I only got a chance to run it a couple of times, and both times it shows a
"request timed out" at around the 15th hop (the address being an att.net - I
am a Comcast Customer that was formerly an ATTBI network, so my guess is
that the time out is after the request has already made it into the Comcast
network). Maybe this timeout is because my router is set to drop ping
requests???

When I got home and was physically in front of my PC (RDP PC that is, sorry
this is confusing!!!), the PC is "locked" for all intents and purposes. The
screen is black (LCD monitor says no signal). The keyboard and mouse do not
respond. The only way out that I could see was the dreaded hard reset
(followed by a chkdsk /f and reboot, of course).

This is *not* the first time I have had this problem, but it does not occur
with regularity, just often enough to be a major PITA! I have tried
updating video drivers (ATI 9800 AIW, using Nov2004 released ATI Catalyst
drivers and MMC), problem still occurs. I updated the firmware on my router
(and yes, I cleared back to defaults and manually re-entered my custom
firewall rules and services as per the Netgear firmware readme file). I am
just not sure whether I have a PC issue, ISP issue, or router issue (or some
combination of these). Any advice would be greatly appreciated.

Thank you,

Ed G.


Here are the applicable error messages I see in the Event viewer of the RDP
PC:

Event Type: Error
Event Source: TermService
Event Category: None
Event ID: 1006
Date: 12/15/2004
Time: 8:38:36 AM
User: N/A
Computer: ED2112
Description:
The terminal server received large number of incomplete connections. The
system may be under attack.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 46 38 4f a4 F8O¤

and

Event Type: Error
Event Source: TermService
Event Category: None
Event ID: 1006
Date: 12/15/2004
Time: 8:40:28 AM
User: N/A
Computer: ED2112
Description:
The terminal server received large number of incomplete connections. The
system may be under attack.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 52 00 44 00 50 00 2d 00 R.D.P.-.
0008: 54 00 63 00 70 00 00 00 T.c.p...
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 00 00 00 00 00 00 00 00 ........
0030: 00 00 00 00 00 00 00 00 ........
0038: 00 00 00 00 00 00 00 00 ........
0040: 00 00 ..
 
Robin Walker

sedate-ed said:
> I have been having some intermittent problems when I try to connect
> to my home network from where I work using remote desktop (RDP). I
> have Comcast cable internet, and I connect through a Netgear FR114P
> NAT router with SPI firewall (most recent released firmware applied).
> I have set the router to allow port forwarding to the PC running
> Remote Desktop (3389) only from the IP address of where I work (and
> to drop all other requests from any other IPs). On the PC running
> Remote Desktop I also run Kerio Personal Firewall 2.1.5 (the PC is WinXP
> Pro SP2 with the Windows Firewall disabled - since I use Kerio).
> In general, I can connect, and things are
> relatively normal. Intermittently, however, when I try to connect, as
> soon as I enter the login information, the RDP connection is
> disconnected, and I am unable to reconnect remotely after that.

Try completely uninstalling the Kerio firewall for a few days, and see
whether this problem occurs without Kerio being on the system.

> Another thing I did, was to run a tracert to my home IP address from
> work. I only got a chance to run it a couple of times, and both times
> it shows a "request timed out" at around the 15th hop

This is irrelevant to your problem: timeouts on an intermediate hop of
traceroute are acceptable: if the traceroute completes at your home IP
address, then it is fine. Of course, you need to configure your NAT
router/firewall to respond to pings and traceroutes, otherwise the
traceroute will never complete.

> Maybe this timeout is
> because my router is set to drop ping requests???

If your router drops ping requests, you can infer nothing from traceroute
results. To test the reliability of your ISP connection from your
workplace, you must configure your router to reply to pings and traceroutes.

> I am just not sure whether I have a
> PC issue, ISP issue, or router issue (or some combination of these).

Mainly a PC issue, from the evidence you have posted. You are able to
communicate fine with other PCs on your LAN. You have no evidence of ISP
problems. It's possible that you have your router/firewall too strictly
configured, but if this were the case I would expect the symptoms to be
permanent. So as a first step, I would eliminate all 3rd-party software on
the PC that might be interfering, and the Kerio firewall is the most obvious
place to start.
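
The traceroute reasoning in the reply above, as an added example that is not part of the thread: a small Python parser for Windows `tracert` output that treats silent intermediate hops as harmless when the trace reaches the target, and reports a trace that never reaches it as inconclusive rather than as a failure. The sample outputs and addresses are constructed (documentation ranges), and `classify_tracert` is a hypothetical helper name.

```python
import re

# Constructed tracert output; addresses are documentation ranges, not from the thread.
SAMPLE_INTERMEDIATE_TIMEOUT = """\
Tracing route to 203.0.113.10 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.0.2.1
  2    12 ms    11 ms    12 ms  198.51.100.7
  3     *        *        *     Request timed out.
  4    25 ms    24 ms    26 ms  203.0.113.10

Trace complete.
"""

SAMPLE_NEVER_COMPLETES = """\
Tracing route to 203.0.113.10 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.0.2.1
  2    12 ms    11 ms    12 ms  198.51.100.7
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
"""

HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
TARGET = re.compile(r"^Tracing route to .*?(\d{1,3}(?:\.\d{1,3}){3})")

def classify_tracert(text):
    """Return a verdict plus the hop numbers that gave no reply."""
    target, hops = None, []  # hops: (hop number, responding IP or None)
    for line in text.splitlines():
        m = TARGET.match(line)
        if m:
            target = m.group(1)
            continue
        m = HOP.match(line)
        if m:
            ips = IPV4.findall(m.group(2))
            hops.append((int(m.group(1)), ips[-1] if ips else None))
    silent = [n for n, ip in hops if ip is None]
    # Reached: the last hop answered from the target, so silent hops are routers
    # that simply do not reply to probes.
    if hops and target is not None and hops[-1][1] == target:
        return {"verdict": "reached", "silent_hops": silent}
    # Never reached: an edge router that drops ICMP looks identical to a real
    # outage, so nothing can be inferred from this trace alone.
    return {"verdict": "inconclusive", "silent_hops": silent}
```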
 
sedate-ed

Robin said:
> Try completely uninstalling the Kerio firewall for a few days, and see
> whether this problem occurs without Kerio being on the system.
>
> This is irrelevant to your problem: timeouts on an intermediate hop of
> traceroute are acceptable: if the traceroute completes at your home IP
> address, then it is fine. Of course, you need to configure your NAT
> router/firewall to respond to pings and traceroutes, otherwise the
> traceroute will never complete.
>
> If your router drops ping requests, you can infer nothing from
> traceroute results. To test the reliability of your ISP connection
> from your workplace, you must configure your router to reply to pings
> and traceroutes.
>
> Mainly a PC issue, from the evidence you have posted. You are able to
> communicate fine with other PCs on your LAN. You have no evidence of
> ISP problems. It's possible that you have your router/firewall too
> strictly configured, but if this were the case I would expect the
> symptoms to be permanent. So as a first step, I would eliminate all
> 3rd-party software on the PC that might be interfering, and the Kerio
> firewall is the most obvious place to start.

Thank you Robin. I will try disabling Kerio (although I have been running
it for about a year and a half with no problems); it does seem to be the
most obvious culprit! Also, thank you for the explanation of 'tracert' as I
wasn't sure exactly what it did (now I do; it is just showing the route of
packets by sending a ping and it shows the packets hitting each "router"
along the way - of course I would need my router to reply to pings). I will
temporarily enable pings on my router, and then run the tracert. Is there
anything that might show a possible problem in the route that I should look
for in the tracert results? I was suspecting ISP or router at first because
of the "incomplete packets" error in the event viewer but after reading your
reply, I can see that it may not be that simple - if you can call ISP
problems simple <g>!

I will report my findings (either way). I am open to all suggestions, as I
am quickly running out of ideas.

Ed G
 
sedate-ed

> Mainly a PC issue, from the evidence you have posted. You are able to
> communicate fine with other PCs on your LAN. You have no evidence of
> ISP problems. It's possible that you have your router/firewall too
> strictly configured, but if this were the case I would expect the
> symptoms to be permanent. So as a first step, I would eliminate all
> 3rd-party software on the PC that might be interfering, and the Kerio
> firewall is the most obvious place to start.

Well, Robin, I think you may have found the problem. Since disabling Kerio
2.1.5, not only have I not seen the original problem, but the speed of the
sessions is much faster (night and day difference). I tried completely
uninstalling and reinstalling (which I assume deletes all custom rules in
Kerio), and I was able to reproduce the "RDP disconnect, then unable to
Reconnect" issue (once even over a LAN RDP session - which rules out the ISP
and Router as causes). Once I disabled Kerio/rebooted, RDP problems went away
again (hopefully for good)! Kerio served me well for over a year and a
half, but I have now switched to the Sygate Personal Firewall (the free
one), and it seems to be an adequate substitute for Kerio's rules-based FW.

Once again, I appreciate your response. Very helpful. Thank you, and Happy
Holidays to you!


Ed G.
 