For some reason, when I set up a RB450 as a router/firewall, RDP and VNC sessions freeze. I can close the connection and reestablish it without any problems. It almost seems graphics related, since often the connection will stay alive until I start moving the mouse around, or scrolling a browser up and down. I have had this problem with two different RB450 boards now. I have tried to modify the config as it comes and blank it out, but either way the problem persists. I submitted a ticket to MT a while back on this, but no one had a recommended solution. Is there a rule I can add to the firewall that will help correct this? I am at a loss what I can do to overcome this. Putting my pfSense firewall back in fixes the problem, so I am confident it is strictly MT related.
While using RDP or VNC - ping both involved PCs. If nothing to see there - look at the CPU usage.
What hardware do you use? Internet connection? Queues?
I have narrowed this down to an issue between my 450g and the Cisco ASA unit at the head of our WAN. Pings never drop off, but all RDP type traffic freezes soon after connecting and has to be terminated in order to start a new session. This is what I know:
RDP from my home office to my work office does not work (450g > WAN ASA > Work Office 450g).
RDP from my home office to my church, with a second RDP session to my work office, does work. Both the original connection to the church and the secondary connection to my office are stable this way. (Home 450G > church IPCop > WAN ASA > Work Office 450g)
Does this require some sort of fixup protocol line in the WAN ASA, or can something be changed on the 450g?
This problem held true, using two different 450G boxes, and using IPCop for my work office firewall before installing the 450G in its place.
There is no protocol inspection (that is what PIXes called fixups) for RDP on ASAs as there are no embedded values to tweak or inspect.
RDP can be sensitive to MSS and MTU. If the path from A to B influences that differently than the path from A to C to B that would explain all your symptoms. http://wiki.mikrotik.com/wiki/Manual:RouterOS_FAQ#TCP.2FIP_Related_Questions
The FAQ above has the answer to the same problem over PPPoE links (last question in the linked section). Try that fix, and adjust the MSS down to something like 1366 bytes and see if it starts working. You can then slowly increase the value until it stops working and go back to the last working value, or leave it at something as low as 1366. If it’s only a problem connecting to the office you can also add more qualifiers to the rule and only adjust the MSS when going to those specific destination IPs.
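Added example, not part of the original thread or the linked FAQ: one way to write the MSS adjustment described above as RouterOS mangle rules, first for all forwarded TCP and then restricted to one destination. The value 1366 is the one suggested in the post; the subnet 192.0.2.0/24 stands in for the office network and is a placeholder.

```routeros
# Option 1: clamp every forwarded TCP connection.
# tcp-flags=syn matches both SYN and SYN-ACK, so the MSS option is rewritten
# in both directions of the handshake. tcp-mss=1367-65535 limits the rule to
# packets that announce more than 1366, so smaller values are never raised.
# An MSS of 1366 gives 1406-byte IPv4 packets (20 bytes IP + 20 bytes TCP).
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1367-65535 \
    action=change-mss new-mss=1366 passthrough=yes \
    comment="clamp MSS to 1366 (all forwarded TCP)"

# Option 2: clamp only traffic to and from the office network.
# 192.0.2.0/24 is a placeholder; replace it with the real office subnet.
# Two rules are needed: the first rewrites the SYN sent toward the office
# (limits what the office sends back), the second rewrites the SYN-ACK
# coming from the office (limits what the local host sends).
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1367-65535 \
    dst-address=192.0.2.0/24 action=change-mss new-mss=1366 \
    passthrough=yes comment="clamp MSS toward office"
add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1367-65535 \
    src-address=192.0.2.0/24 action=change-mss new-mss=1366 \
    passthrough=yes comment="clamp MSS from office"

# Check that the rules are matching: the packet counters should increase
# each time a new TCP connection is opened through the router.
/ip firewall mangle print stats
```

The clamp only affects connections opened after the rule is in place, because the MSS option is exchanged in the handshake; existing sessions have to be reconnected before testing.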
fewi is right,
these symptoms are related to MTU. Previously I had experience with RDP and VNC; both were freezing. After the MSS and IP fragmentation were put in place, the problem was solved.
Can someone post the exact command needed? I did what I thought was correct, based on the info provided, but am still having a problem staying connected.
A weird twist. I have been doing all my testing after I adjusted the MSS from a Linux laptop. The connection freezes within a couple of minutes and has to be broken to create a new one. However, my Windows 7 laptop sitting right next to the Linux laptop connects just fine to the same workstation, without any freezes. The Linux laptop does still stay connected just fine when connecting to my church, but not my work office. What does that seem to point to?
Looks like I have to disregard my previous posts. Windows just does a better job of reconnecting broken connections than Linux rdesktop does. The problem continues and actually crops up when using ssh. It seems anything that requires a sustained connection when going through the Cisco ASA will eventually drop, but it only happens when using the Mikrotik box for a firewall. This has been the case with two different boxes now. I have zero problems when using rdesktop or ssh to a location inside our WAN. It is only when traversing the ASA.
I can have two ssh connections up, to the same location, from the same PC and will not lose either one until I start entering or copying text. The connection I am working on at that time will drop, but the other one will stay up.
Here is the rule I added to my firewall that was recommended: