Difficulties with Remote Desktop Connection over Netscreen VPN

BrainSurgery

IS-IT--Management
Jun 26, 2004
52
NO
Hello guys!
I could need some fresh input on how to attack a problem I have.

I have configured a VPN connection in the firewall at my employer, so that I can reach my office computer from home (lazy habits huh?).

Well, here is the problem:
I am trying to connect to my computer at work from home via Remote Desktop Connection (yes, it is installed with XP). My ISP delivers broadband to my home over an ordinary ethernet interface. I configured my home computer with the Netscreen Remote client and tried to get it up and running. Well, I am able to:
- Connect to my employer's network via VPN.
- I am able to ping my computer's IP address.
- I am able to run a port-scan against my computer in the other end, confirming that (among others) the TCP 3389 port is open.
- I have of course enabled for remote desktop connections on my computer at work.

With this info in mind, and a VPN connection that seems to be in order, I try to connect to my computer via remote desktop connection from home, but without succeeding.

I thought it maybe could be something that was fu#"%¤ up with the router between the internet and my LAN or something, so I did some more research.

I connected my home computer to the internet from an ISDN dial-up connection, connected to my workplace via the Netscreen Remote client, tried to connect via remote desktop connection, and succeeded in doing so.

I then asked a colleague of mine to configure his computer (at his home) to allow remote desktop connections and I tried to connect to his computer via my broadband connection (directly over the internet connection without VPN present) from home. This also succeeded with no problem.

So this leaves me with a working VPN connection, remote desktop connection working (directly over the internet), remote desktop connection working at my workplace (but only via ISDN, NOT my broadband connection).

I am running out of ideas of what the cause of this could be. Anyone have any idea? Am I supposed to configure the Netscreen differently when it should be reached from dial-up users than if it is some kind of broadband connection, or what?

Any input would be appreciated with the greatest gratitude.

:-
 
Hello,

The first thing I would check are the VPN policies on both sides of the tunnel. If you took the defaults, you should have "any"?

Once that has been done, I would connect to your Netscreen via Telnet or a console connection. Set the MTU with the following command:

set flow tcp-mss 1400
save

If you're using a NAT device or Firewall at home, I would also throttle the MTU. "Most" traffic doesn't fragment (1518 bytes), but when you throw IPSEC into the mix (extra payload), the traffic can fragment and cause connectivity issues.

Give it a try and let me know.

Rgds,

John
 
I've run into this many times. If the flow tcp-mss setting on the firewall side doesn't fix it, you'll need to change your MTU on the Windows end. Here's what I send to my users having the same problem:

To change your MTU:

First, get your current IP : Start > Run > cmd > ipconfig

Second, open regedit : Start > Run > regedit

Navigate to the following key:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[Adapter ID]]

Under Interfaces you'll have a nice collection of long hex listings; these are the adapter IDs. Go through them until you find the one containing your current IP address. When you see your current IP on the right panel:

Right-click the right-side panel

Select new DWORD

Call it MTU

Open up MTU

Select decimal, Enter 1400 for the value to start

Reboot

You can try 1350 or 1300 if you’re still having problems. I've had some people needing to set it as low as 1200.

Good luck!
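
An added example, not part of the thread: rather than stepping down through 1400, 1350, 1300 and 1200 by trial and error, this PowerShell function measures the largest packet that crosses the tunnel unfragmented by sending echo requests with the Don't Fragment bit set and binary-searching the payload size. The function name `Find-PathMtu`, its parameters and the address in the usage comment are hypothetical; run it with the VPN connected against a host behind the Netscreen that answers ping.

```powershell
# Added example. Find-PathMtu and its parameter names are hypothetical.
function Find-PathMtu {
    param(
        [Parameter(Mandatory=$true)][string]$Target,  # host behind the tunnel
        [int]$Low   = 1172,   # smallest ICMP payload to try (1200-byte packet)
        [int]$High  = 1472,   # largest ICMP payload to try (1500-byte packet)
        [int]$Tries = 3,      # attempts per size before calling it "too big"
        [int]$TimeoutMs = 2000
    )
    $ping = New-Object System.Net.NetworkInformation.Ping
    # TTL 64, DontFragment = $true: oversized packets are dropped, not split.
    $opts = New-Object System.Net.NetworkInformation.PingOptions(64, $true)
    $best = 0
    while ($Low -le $High) {
        $size = [int][math]::Floor(($Low + $High) / 2)
        $buf  = New-Object byte[] $size
        $ok   = $false
        # Retry so a single lost echo is not mistaken for a size limit.
        for ($i = 0; $i -lt $Tries -and -not $ok; $i++) {
            $reply = $ping.Send($Target, $TimeoutMs, $buf, $opts)
            $ok = $reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success
        }
        if ($ok) { $best = $size; $Low  = $size + 1 }
        else     {                $High = $size - 1 }
    }
    if ($best -eq 0) {
        throw "No DF-flagged echo in the tested range reached $Target"
    }
    # Packet size = ICMP payload + 8-byte ICMP header + 20-byte IPv4 header.
    $mtu = $best + 28
    New-Object psobject -Property @{
        LargestPayload = $best
        PathMtu        = $mtu
        TcpMss         = $mtu - 40   # minus 20-byte IPv4 and 20-byte TCP headers
    }
}

# Usage (10.0.0.10 is a constructed address for the office PC):
# Find-PathMtu -Target 10.0.0.10
```

If `PathMtu` comes back below the NIC's current MTU, full-size packets such as the ones Remote Desktop sends are being dropped or fragmented inside the tunnel, while ping and a port scan, which use small packets, still succeed.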

 
Hello again!
And thank you both for your response. I shall admit that I did not offer the MTU setting any thoughts in this case.

It works now. I did edit the MTU setting on my NIC to 1400 ... and left the firewall out of the first step. It seems to be enough. I can create the VPN tunnel successfully and traffic seems to float as it should.

I guess you have three possible places where MTU could be a problem here: The firewall, the broadband router at home (?) and the NIC that communicates with the broadband router.

Thanx once more :)
 
Hey,

Yes, but now your MTU has been changed for all traffic on your PC instead of just the traffic entering and/or leaving your Netscreen Firewall. You shouldn't really see a difference though, unless you're using some high-end applications.

Rgds,

John
 