Unstable Remote Desktop sessions - Why server sent RST packet to the client?

  • Unstable Remote Desktop sessions - Why server sent RST packet to the client?

    Server OS: Microsoft Windows Server 2003 Standard Edition
    Client OS: Microsoft WindowsXP
    Firewall: Cisco ASA5520

    Problem: Unstable Remote Desktop sessions. Users managed to get into the RDP server; however, the RDP session was disconnected after a few seconds.

    This problem started after a new firewall was installed between the client and the server.

    The firewall has allowed the RDP traffic, and the log shows that the traffic has hit the firewall and been passed to the server.

    I've captured the packets between the client and server and found out that the server has sent an RST packet to terminate the connection. As far as I know, the normal way to terminate the connection is by sending a FIN packet, not an RST packet.

    Here is the log that I've captured.

    1. Packet 1-3 = TCP 3 way handshake
    1: 15:38:27.279373 1.1.1.1.2001 > 2.2.2.2.3389: S 945100646:945100646(0) win 64512 <[|tcp]>
    2: 15:38:27.280381 2.2.2.2.3389 > 1.1.1.1.2001: S 2051713410:2051713410(0) ack 945100647 win 16384 <[|tcp]>
    3: 15:38:27.280548 1.1.1.1.2001 > 2.2.2.2.3389: . ack 2051713411 win 64860

    2. Next packets = Data transfer
    4: 15:38:27.280731 1.1.1.1.2001 > 2.2.2.2.3389: P 945100647:945100685(38) ack 2051713411 win 64860
    5: 15:38:27.282273 2.2.2.2.3389 > 1.1.1.1.2001: P 2051713411:2051713422(11) ack 945100685 win 65497
    6: 15:38:27.282517 1.1.1.1.2001 > 2.2.2.2.3389: P 945100685:945101097(412) ack 2051713422 win 64849
    7: 15:38:27.283859 2.2.2.2.3389 > 1.1.1.1.2001: P 2051713422:2051713759(337) ack 945101097 win 65085
    8: 15:38:27.284119 1.1.1.1.2001 > 2.2.2.2.3389: P 945101097:945101109(12) ack 2051713759 win 64512
    9: 15:38:27.284164 1.1.1.1.2001 > 2.2.2.2.3389: P 945101109:945101117(8) ack 2051713759 win 64512
    10: 15:38:27.284851 2.2.2.2.3389 > 1.1.1.1.2001: . ack 945101117 win 65065

    3. Traffic 1507-1531 = Looks like something is wrong. The client keeps sending PUSH packets but there is no reply from the server
    1507: 15:41:13.642834 1.1.1.1.2002 > 2.2.2.2.3389: . ack 2704599296 win 64365
    1508: 15:41:14.267137 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155009:2294155031(22) ack 2704599296 win 64365
    1509: 15:41:14.364559 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155031:2294155069(38) ack 2704599296 win 64365
    1510: 15:41:14.474722 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155069:2294155142(73) ack 2704599296 win 64365
    1511: 15:41:14.586960 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155142:2294155215(73) ack 2704599296 win 64365
    1512: 15:41:14.698877 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155215:2294155288(73) ack 2704599296 win 64365
    1513: 15:41:14.810825 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155288:2294155361(73) ack 2704599296 win 64365
    1514: 15:41:14.845949 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155009:2294155361(352) ack 2704599296 win 64365
    1515: 15:41:14.922666 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155361:2294155385(24) ack 2704599296 win 64365
    1516: 15:41:15.018752 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155385:2294155430(45) ack 2704599296 win 64365
    1517: 15:41:15.143745 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155430:2294155510(80) ack 2704599296 win 64365
    1518: 15:41:15.283814 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155510:2294155527(17) ack 2704599296 win 64365
    1519: 15:41:16.049161 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155009:2294155527(518) ack 2704599296 win 64365
    1520: 15:41:16.114740 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155527:2294155544(17) ack 2704599296 win 64365
    1521: 15:41:16.226688 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155544:2294155610(66) ack 2704599296 win 64365
    1522: 15:41:16.339185 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155610:2294155676(66) ack 2704599296 win 64365
    1523: 15:41:16.578888 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155676:2294155735(59) ack 2704599296 win 64365
    1524: 15:41:16.674601 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155735:2294155794(59) ack 2704599296 win 64365
    1525: 15:41:16.783589 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155794:2294155860(66) ack 2704599296 win 64365
    1526: 15:41:16.898909 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155860:2294155905(45) ack 2704599296 win 64365
    1527: 15:41:16.978754 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155905:2294155971(66) ack 2704599296 win 64365
    1528: 15:41:17.090952 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155971:2294156009(38) ack 2704599296 win 64365
    1529: 15:41:17.155204 1.1.1.1.2002 > 2.2.2.2.3389: P 2294156009:2294156075(66) ack 2704599296 win 64365
    1530: 15:41:17.266999 1.1.1.1.2002 > 2.2.2.2.3389: P 2294156075:2294156169(94) ack 2704599296 win 64365
    1531: 15:41:17.394327 1.1.1.1.2002 > 2.2.2.2.3389: P 2294156169:2294156207(38) ack 2704599296 win 64365

    4. Server sends a TCP RST packet to the client and tears down the connection
    1532: 15:41:17.394480 2.2.2.2.3389 > 1.1.1.1.2002: R 2704599296:2704599296(0) ack 2294156207 win 64365

    5. In the next packets after that, the client re-establishes the connection by starting the TCP 3-way handshake again.
    1533: 15:41:17.466742 1.1.1.1.2003 > 2.2.2.2.3389: S 4001027756:4001027756(0) win 64512 <[|tcp]>
    1534: 15:41:17.467779 2.2.2.2.3389 > 1.1.1.1.2003: S 163110938:163110938(0) ack 4001027757 win 16384 <[|tcp]>
    1535: 15:41:17.467947 1.1.1.1.2003 > 2.2.2.2.3389: . ack 163110939 win 64860

    Are there any settings on the server or firewall that I should look at? Thanks


  • #2
    Re: Unstable Remote Desktop sessions - Why server sent RST packet to the client?

    I don't see a response from the server while trying to use RDP.
    Is the server listening on port 3389?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"


    • #3
      Re: Unstable Remote Desktop sessions - Why server sent RST packet to the client?

      Originally posted by Dumber
      I don't see a response from the server while trying to use RDP.
      Is the server listening on port 3389?
      Hi Dumber,
      Thanks for your prompt reply.
      Yes, I've confirmed that by running netstat -an | find ":3389".
      Let's check packet by packet.
      1: 15:38:27.279373 1.1.1.1.2001 > 2.2.2.2.3389: S 945100646:945100646(0) win 64512 <[|tcp]>
      2: 15:38:27.280381 2.2.2.2.3389 > 1.1.1.1.2001: S 2051713410:2051713410(0) ack 945100647 win 16384 <[|tcp]>
      3: 15:38:27.280548 1.1.1.1.2001 > 2.2.2.2.3389: . ack 2051713411 win 64860
      Packet 1: User 1.1.1.1 sends a SYN packet to the server 2.2.2.2
      Packet 2: Server 2.2.2.2 replies by sending SYN/ACK
      Packet 3: User acknowledges the packet by sending ACK.

      All of this communication happens on source port 2001 and destination port 3389.



      • #4
        Re: Unstable Remote Desktop sessions - Why server sent RST packet to the client?

        Sure, but over here the client is trying to build a TCP connection to port 3389 and the server is never responding. I have to say, it reads a bit difficult this way. I would rather see some screenshots to make it more clear.

        1507: 15:41:13.642834 1.1.1.1.2002 > 2.2.2.2.3389: . ack 2704599296 win 64365
        1508: 15:41:14.267137 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155009:2294155031(22) ack 2704599296 win 64365
        1509: 15:41:14.364559 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155031:2294155069(38) ack 2704599296 win 64365
        1510: 15:41:14.474722 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155069:2294155142(73) ack 2704599296 win 64365
        1511: 15:41:14.586960 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155142:2294155215(73) ack 2704599296 win 64365
        1512: 15:41:14.698877 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155215:2294155288(73) ack 2704599296 win 64365
        1513: 15:41:14.810825 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155288:2294155361(73) ack 2704599296 win 64365
        1514: 15:41:14.845949 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155009:2294155361(352) ack 2704599296 win 64365
        1515: 15:41:14.922666 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155361:2294155385(24) ack 2704599296 win 64365
        1516: 15:41:15.018752 1.1.1.1.2002 > 2.2.2.2.3389: P 2294155385:2294155430(45) ack 2704599296 win 64365


        • #5
          Re: Unstable Remote Desktop sessions - Why server sent RST packet to the client?

          Originally posted by Dumber
          Sure, but over here the client is trying to build a TCP connection to port 3389 and the server is never responding. I have to say, it reads a bit difficult this way. I would rather see some screenshots to make it more clear.
          Yeah, I noticed that too, starting from packet 1507.
          Ok. Here is the screenshot. The connection just drops and reconnects by itself, on and on. Let me know if you need more info.



          • #6
            Re: Unstable Remote Desktop sessions - Why server sent RST packet to the client?

            No, I meant the sniffer trace.


            • #7
              Re: Unstable Remote Desktop sessions - Why server sent RST packet to the client?

              If the problem started after the install of the new firewall, then that's where I would look. Also, the server may not be sending the RST; it may be the firewall, as the IP address of the server is probably being NAT'ed at the firewall, so you're seeing the RST coming from the NAT'ed IP address of the server, but it may actually be coming from the firewall and not the server. Run a capture on the server itself and see what it looks like. If you don't see the RST on the server side but you do see the RST on the client side, then that's a pretty clear indicator that the firewall is the problem.

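The two-sided comparison suggested in post #7, as an added example that is not part of the original thread: it parses tcpdump-style text from a client-side and a server-side capture and reports, per client port, whether an RST the client received was also emitted by the server. The client-side lines are packets 1530 and 1532 from the first post; the server-side captures and the address 10.0.0.5 are constructed, and matching on the client port assumes the firewall does not translate it.

```python
import re

# tcpdump-style text as posted in this thread, e.g.
#   "1532: 15:41:17.394480 2.2.2.2.3389 > 1.1.1.1.2002: R ..."
LINE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>[SFPR.]+)"
)

def rst_flows(capture, service_port=3389):
    """Map client port -> timestamp of an RST sent from the service port."""
    flows = {}
    for line in capture.splitlines():
        m = LINE.search(line)
        if m and "R" in m["flags"] and int(m["sport"]) == service_port:
            flows[int(m["dport"])] = m["ts"]
    return flows

def attribute_rsts(client_side, server_side, service_port=3389):
    """For each RST the client received, say whether the server emitted it.

    Flows are matched on the client port only, because NAT rewrites the
    server address between the capture points (assumption: the client
    source port is not translated).
    """
    at_server = rst_flows(server_side, service_port)
    return {
        port: "server" if port in at_server else "in-path device"
        for port in rst_flows(client_side, service_port)
    }

# Packets 1530 and 1532 from the first post (client side of the firewall).
CLIENT_SIDE = """\
1530: 15:41:17.266999 1.1.1.1.2002 > 2.2.2.2.3389: P 2294156075:2294156169(94) ack 2704599296 win 64365
1532: 15:41:17.394480 2.2.2.2.3389 > 1.1.1.1.2002: R 2704599296:2704599296(0) ack 2294156207 win 64365
"""
# Constructed server-side captures; 10.0.0.5 is a made-up pre-NAT server address.
SERVER_SIDE_NO_RST = """\
15:41:17.267400 1.1.1.1.2002 > 10.0.0.5.3389: P 2294156075:2294156169(94) ack 2704599296 win 64365
15:41:17.267900 10.0.0.5.3389 > 1.1.1.1.2002: . ack 2294156169 win 65000
"""
SERVER_SIDE_WITH_RST = SERVER_SIDE_NO_RST + (
    "15:41:17.394100 10.0.0.5.3389 > 1.1.1.1.2002: R 2704599296:2704599296(0) ack 2294156207 win 0\n"
)

if __name__ == "__main__":
    print(attribute_rsts(CLIENT_SIDE, SERVER_SIDE_NO_RST))    # {2002: 'in-path device'}
    print(attribute_rsts(CLIENT_SIDE, SERVER_SIDE_WITH_RST))  # {2002: 'server'}
```

Both captures need to cover the same time window for an "in-path device" verdict to mean anything; an RST missing from the server side only because that capture started late would be misattributed.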