Just to make sure I fully understand; would this be correct?
Remote Site > [RDP] >> WinServer'03_R2 > [RDP] >> W7_Client (End Point)
So no issues with the RDP session to W2k3_R2, but when connected from the server to the W7 box you receive the error. Are you connecting to a Windows domain? This sounds like there is a compatibility, or maybe authentication, problem between the server and W7. I do not have W7 readily available at the moment but will take a look. In Vista, a more "secure" RDP session was introduced and that followed into W7. You may want to try changing the RDP setting to allow any type of connection (the least "secure"), which would be the equivalent of XP RDP sessions. If that is already set, take a look at the MS forums for more insight.
Thanks for your reply. I am afraid that I did not explain myself very well. The problem only occurs when I try to go straight from one Win7 machine to the other Win7 machine through the VPN, and then only after a few seconds. Sometimes it works for as long as a minute before I receive the encryption error.
W7_Remote Site > [RDP] >> VPN tunnel > [RDP] >> W7_Client (End Point) - Error after a few seconds.
W7_Local Site > [RDP] >> LOCAL network > [RDP] >> W7_Client (End Point) - No error
W7_Remote Site > [RDP] >> VPN tunnel > [RDP] >> WinServer'03_R2 (End Point) - No error
W7_Remote Site > [RDP] >> VPN tunnel > [RDP] >> WinServer'03_R2 > [RDP] >> LOCAL network >> W7_Client (End Point) - No error
Both Win7 machines already have the RDP security setting set to 'less secure'. Connecting is not the problem. The session always ends abruptly because of the encryption error.
Since the error does not occur when I RDP between the two machines over a local network, but only when I RDP through the VPN, I know the error is caused by the VPN router.
I have the exact same problem.
WRV200 at home, IPsec tunnelled to RV042 at work.
XP or Vista PC at home can RDP via the IPsec tunnel just fine to any of the XP machines at work.
Set up a new Win7 PC at the office.
- RDP to the Win7 PC works from the XP machines at work (inside the LAN, no tunnel involved).
- At home, I can RDP just fine to the Win7 machine at work if I use port forwarding on the office router to bypass the IPsec tunnel. Tested with both XP and Vista PCs at home.
- However, at home I cannot RDP to the office Win7 PC via the IPsec tunnel. It will log in just fine, but after a few seconds or a minute tops I get a "Because of an error in data encryption, this session will end." message and it boots me off.
The Win7 PC will run RDP just fine and accepts requests even through port forwarding from the WAN side, so whether it's a Microsoft issue or a Cisco issue, the IPsec tunnel definitely has something to do with the error.
Have not been able to replicate the problem on W7 Ent. x64. Can you post the phase 1 & 2 configuration? Are the computers all part of a domain? If so, is it a 2003 or 2008 Functional Level domain?
Have you looked in Event Viewer for any run-time errors, IPsec service crashes, etc.? Any information like this would be very useful.
I have tried using different NICs, and also tried with another computer at work that has Win7 installed. Exact same error for all alternatives.
The computers are not part of a domain.
IPsec tunnel parameters:
Keying Mode: IKE with Preshared key
Phase1 DH Group: Group5
Phase1 Encryption: 3DES
Phase1 Authentication: SHA1
Phase1 SA Life Time: 28800 seconds
Perfect Forward Secrecy: YES
Phase2 DH Group: Group5
Phase2 Encryption: 3DES
Phase2 Authentication: SHA1
Phase2 Life Time 3600 seconds
Aggressive Mode: YES
Compress (Support IP Payload Compression Protocol (IPComp)): No
AH Hash Algorithm: MD5
NetBIOS Broadcast: No
NAT Traversal: No
Dead Peer Detection: YES, Interval 10 seconds
Found this item in the event viewer:
[ Name] TermDD
- EventID 56
[ Qualifiers] 49162
[ SystemTime] 2009-12-21T02:10:13.693243200Z
0000: 00040000 002C0002 00000000 C00A0038
0008: 00000000 C00A0038 00000000 00000000
0010: 00000000 00000000 D00A0006
0000: 00 00 04 00 02 00 2C 00 ......,.
0008: 00 00 00 00 38 00 0A C0 ....8..À
0010: 00 00 00 00 38 00 0A C0 ....8..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 06 00 0A D0 ...Ð
Phase2 Encryption: 3DES
Phase2 Authentication: SHA1
AH Hash Algorithm: MD5
Again I have not been at work so I have not had a chance to test your settings exactly; but one thing stood out very clearly. In the settings above it is better (typically) to set the ESP encryption/decryption to NULL when we are using AH in the tunnel.
Another thing to take a look at, is time. Make sure both computer's time is correct and you do not have any other errors that may pertain to authentication.
Give that a go and let us know if we are making progress.
Sorry, my earlier details were incomplete. Under Advanced > AH Hash Algorithm, MD5 is selected in the drop-down box, but that parameter *does not* have a check mark.
Sorry, I'm not familiar with how to set ESP to null (I am a complete novice at this), but I did try disabling "perfect forward secrecy" on both routers. The tunnel re-established just fine after that (able to RDP to the XP machines at work using the LAN IP address, as before), but I still get the exact same error when trying to RDP to the Win7 machines. I have tried this from 3 different computers at my house (2 Vista, 1 XP), trying to log into 2 different Windows 7 computers at the office, and still get the same error in every case.
And much thanks, btw, for helping me try to troubleshoot over the weekend.
OK, at this point I feel that the problem may be with the certificate on the W7 machine. We need to take a closer look at the event log, but from the event you posted it is very similar to issues I ran into with Vista. What happens is that the W7 client tries to hand out its Certificate for authentication and when that fails, the RDP session drops. If this is the case we should be able to see an event stating that W7 client ended the session, not the other way around. If you feel comfortable, follow these steps to remove the certificate for RDP on the W7 clients:
Start > Run > mmc.exe
From the MMC console select File > Add/Remove Snap-in > Certificates >>>> New Window > "Computer Account" > "Local Computer" >> Finish and then OK.
Expand Certificates > Remote Desktop > Certificates. There should be one cert there with your computer name on it. **IMPORTANT** Before you continue:
Make a system restore point before you delete the cert, or just take it out and save it in a different place. Just a precaution!
Once you have removed the cert, try again and see if the problem is resolved. Once more though, make sure the time on all computers is correct, as any computer connecting to the W7/Vista machine will cause it to regenerate a cert and the problem will persist as long as the time is not correct!
Don't worry about the AH setting; if it is not being used just leave it as is. No need to add more complexity.
I just tried your steps and am still getting the same error. Also please remember that I am able to RDP into these 2 very same Windows 7 machines at the office if:
1) the client is on the same LAN (i.e. another office PC); or
2) the client is connected from the house via an open port in the office router.
I did double check the clocks on all the computers involved though.
Yeah, I did realize that the problem was basically on the tunnel only; it's just that all the other symptoms seemed all too familiar. Again, take a look at the event logs and post anything of interest. Also ensure logging is enabled on the RV and we will take a look at that as well. It would be a good idea to dump all events and logs and begin log capture from the moment of tunnel connection through a few attempts of the RDP connection.
At this point it may be best if you call the support center and open a support ticket. I will continue to assist as much as possible, and will test this tomorrow.
866.606.1866 Small Business Center.
I also tried the above step of removing the certificate, but it did not change anything. It is a tunnel issue. As I mentioned in my original post, I too can RDP to the Win7 machine from the local network, and through the tunnel only for several seconds. I can RDP to WinXP and Win 2003 machines through the tunnel without issue. My settings look the same as jtejavanija's.
Thanks for helping us.
OK, this is what I have:
RV082 (Remote) ==> RV016 (Local)
Remote site is my computer running XP SP3 that will connect to W7 x64 ent.
Net Bios Broadcast
Dead Peer Detection
I have had this connection up for 5 hours, and most of the time it has stayed idle. All computers are "Workgroup", and there is a DHCP and DNS server on both sides. I have changed that behavior to just use the router for DHCP and DNS but there was no effect. I am trying really hard to replicate this issue but at the moment I have not been able to.
Make sure you have all updates from MS for W7, and the computer you are using to connect from. At this point, we will really need to take a look at your router, and clients to see if there are any problems there. If you can post logs, from the routers and clients that would be great. I would like to make sure the tunnel is stable and running correctly.
I will continue to leave this RDP connection running and wait for either a time out, or disconnect. I really feel that the problem is on the W7 client but it is just a suspicion and not ruling out the router yet.
I solved the problem. I replaced the brand new RV042 I just bought with a new RVS4000 and that did the trick. All the settings are the same as your test case, except NetBIOS broadcast is disabled in our setup. I didn't change a single setting on the WRV200 that is on the other end of the tunnel.
I've had RDP up for nearly an hour now. I'm even typing this post via RDP.
The RV042 had the latest firmware available on the Cisco website as of this weekend.
The RVS4000 has a firmware build that is even newer than the one available on the Cisco site (I just received it today and it came that way).
A lot of internet chatter discusses how the RV042 is more reliable/stable than the RVS4000, but for us it turned out to be the opposite. I actually was prompted to do the replacement because I could not get QuickVPN to work on the RV042, and I knew that it would work with the RVS4000 (we had one for many years and it finally died this month and I replaced it with the RV042 ... then I got the Windows 7 machine, so we never tested Win7 RDP with the old RVS4000).
Either we had a defective RV042 unit, or there is something wrong with the model's hardware/firmware that is impeding RDP via an IPsec tunnel for Win7.
THANK YOU again for your help in troubleshooting. I am a loyal Linksys customer now because of this, despite my problems with the RV042.