Why can't I remote desktop through my site-to-site IPsec VPN?

By troyreynolds
The last step in our new equipment installation/upgrade and I'm absolutely stumped.

Here's what we have going on... Two Cisco 2801s with identical IOS versions and perfectly mirrored configs, one on a cable connection and one on a fiber connection, IPsec VPN up and connected between them through the internet. I can ping, telnet, and remote into the LAN(s) from anywhere.

Remote Desktop works, to a certain point. If I am on the local LAN, I can RDC between the computers, both ways. If I remote from the internet into one of the LANs I can RDC, and if I remote from one LAN into the other LAN I can RDC... but I CANNOT RDC using only the IPsec tunnel established between them.

I've been searching up and down the internet for a solution, but most come back to MTU problems... it can't be the MTU on the two PCs because they can remote locally and through the internet... so those MTUs are fine...

However, if I look on both my routers, no MTU is set, and it won't let me configure one, and I'm assuming it's because I'm not using DSL or T1 with any type of encapsulation.

This has been driving me nuts for over a week. Someone help me, please!


All Answers


Are you allowing TCP port 3389 through your firewall?

by ManiacMan In reply to Why can't i remote deskto ...

RDP is a very simple protocol and uses TCP port 3389 to establish remote connectivity. It doesn't matter if you RDP to a public IP address that uses NAT to translate back to a private IP or use it through a VPN by targeting the local LAN IP of the target host machine, but the point is that TCP port 3389 must be allowed through the firewall for RDP traffic to pass through. To test this, establish the VPN connection and try to telnet to the remote machine on port 3389 using the following command:

C:\>telnet <IP or name of remote PC> 3389

If you get a screen with a blinking cursor, then RDP is working OK through the tunnel. If you get a timeout, then you're blocking the traffic on that port. Also, make sure that if the Windows firewall is enabled on the PC, that RDP is marked as an exception.


Yes, I believe 3389 is allowed

by troyreynolds In reply to Are you allowing TCP port ...

In my investigation I noticed a lot of problems with the port not being allowed, so I created a new access list allowing TCP traffic to and from any host on port 3389.

What's weird is... the connection is there, and it'll pull up a screen (a black screen), but I don't get a password prompt; the connection times out and disappears. I tried the telnet thing but I couldn't connect that way either, so I don't know where the traffic would be blocked if I opened up that port on my router with:

! Matching eq 3389 on both source and destination only permits traffic that uses 3389 at both ends; RDP clients connect from an ephemeral source port, so each direction needs its own entry
access-list 115 permit tcp any any eq 3389
access-list 115 permit tcp any eq 3389 any

Although this may help someone find me a solution, my problem is only half as bad as I had thought... here's a diagram:

PC1 <-> RT1 <-> INTERNET <-> RT2 <-> PC2

Now, from PC1 I can ping all the way to PC2, but I cannot remote to PC2; from the internet (my house) I can remote to PC2, but not to PC1... my problem is definitely in RT1, but I have no idea what it could be...


A site-to-site static VPN

by Dumphrey In reply to Are you allowing TCP port ...

allows full access between the sites unless otherwise configured... It should work just fine. It is possible that bandwidth is an issue, but I am able to RD between two agencies using a site-to-site VPN. Also, maybe the 2600 is not as efficient at VPN endpointing as the PIX we use?

Try setting up VNC between the sites to see if that works. Also, are both connections using static IP addresses? If not, part of the VPN ACL could be invalid, limiting access.


Well, here's some interesting information...

by troyreynolds In reply to Why can't i remote deskto ...

Through pure luck, and some trial and error, I discovered that I CAN remote desktop just fine through my routers... HOWEVER, I could only do it in 640x480 and 256 colors... anything other than that I couldn't do... I made some changes on the remote PC and now it works fine... but as an additional test we hooked up our old Win2k server to see if I could remote to it, and again I'm getting the same issue... a pure black screen, but I can ping it, and remote from the local LAN... but this time, even 640x480/256 doesn't work... I just get a black screen and a disconnect message... I'm getting more confused by the second...



by jcombs In reply to well here's some interest ...

Did you ever find out a solution? I am having the same issue except I am unable to remote using your settings.


Either split-tunnel

by Dumphrey In reply to Why can't i remote deskto ...

or DNS. By default a Cisco VPN does not like to allow traffic coming in and out...
On our PIX I had to explicitly tell it to use split tunnel and an ACL allowing the correct IPs of the VPN DHCP group.
The other option is a DNS issue; can you RD using the IP instead of DNS?


Got it

by jcombs In reply to Why can't i remote deskto ...

I got it. I had to add the following to my config file:

crypto ipsec df-bit clear

Read more about it here.
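The pattern in this thread (ping and the connection setup work, a full-size session goes black and times out, 640x480 at 256 colors squeaks through, and crypto ipsec df-bit clear fixes it) is a path-MTU black hole. IPsec encapsulation adds header, padding and trailer bytes, so a 1500-byte LAN packet carrying the DF (don't fragment) bit no longer fits the WAN link once encapsulated; if the ICMP "fragmentation needed" message never gets back to the sender, the large RDP screen-update segments are silently dropped while the small handshake packets pass. The script below is an added example and is not code posted by anyone in the thread: it binary-searches the largest DF-set ICMP payload that crosses the path, which is the check to run from PC1 toward PC2 before touching the router config. It assumes Linux ping syntax (the equivalent single probe on Windows is ping -f -l <size> -n 1 <host>); the address 10.0.0.5 in the usage line is an assumed far-side LAN host.

```shell
#!/bin/sh
# Added example, not from the thread: find the largest ICMP payload that
# crosses the path with the DF (don't fragment) bit set, which is what a
# full-size RDP screen update depends on. Linux ping syntax is assumed; on
# Windows a single probe is:  ping -f -l <size> -n 1 <host>

# One DF-set ping with SIZE payload bytes to HOST and a 2 s timeout.
# Exit 0 on a reply, non-zero if the probe was dropped or rejected.
df_ping() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# pmtu_search HOST LOW HIGH [PROBE]
# Binary-search the largest payload in [LOW, HIGH] for which "PROBE HOST SIZE"
# succeeds; prints the size, or "none" if even LOW fails. PROBE defaults to
# df_ping; passing another function lets the search run without a network.
pmtu_search() {
    host=$1; lo=$2; hi=$3; probe=${4:-df_ping}
    "$probe" "$host" "$lo" || { echo none; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$host" "$mid"; then
            lo=$mid            # mid fits, so the answer is at least mid
        else
            hi=$((mid - 1))    # mid was dropped, so the answer is below mid
        fi
    done
    echo "$lo"
}

# report HOST [PROBE]
# Payload + 28 (20-byte IP header + 8-byte ICMP header) is the usable IP MTU
# across the path; 1472 is the largest payload that fits a 1500-byte link.
report() {
    size=$(pmtu_search "$1" 0 1472 "${2:-df_ping}") || { echo "no DF-set ping reached $1"; return 1; }
    echo "largest DF-set payload to $1: $size bytes (path MTU $((size + 28)))"
    [ "$size" -ge 1472 ] || echo "path cannot carry full-size DF packets; see crypto ipsec df-bit clear or ip tcp adjust-mss"
}

# Usage: sh pmtu.sh 10.0.0.5   (assumed far-side LAN address)
if [ $# -ge 1 ]; then
    report "$1"
fi
```

If the search stops well below 1472 toward the far LAN but reaches 1472 toward the far router's public address, the tunnel overhead is the cause: either clear DF on the encapsulated packets as jcombs did, or lower the TCP MSS on the LAN interface (ip tcp adjust-mss) so the RDP segments never need fragmenting in the first place.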
