Thursday, January 24, 2013

Preventing Remote Desktop session timeouts due to idle TCP sessions


Identifying the issue
The easiest way to identify session resets due to idle TCP session timeouts is to perform a network capture on the client and on the Terminal Server.

If the Terminal Server capture shows a "reset" packet coming from the client, and the client capture shows a "reset" packet coming from the Terminal Server, then the "reset" came from a networking device between the two computers.

It is also worth quickly checking in TSCONFIG.MSC (2008) or TSCC.MSC (2003) that the RDP session timeout settings are not what is causing the disconnects.



Configuring keep-alives
It's a good idea to configure keep-alives for the Remote Desktop Protocol. A keep-alive of "1" ("send a keep-alive packet every 1 minute") will make a TCP session appear to be "active" (not idle), and will prevent idle TCP session disconnects on any networking equipment between your client and your Terminal Server (F5 network load balancing devices, firewalls, routers, switches, etc.).

Note that there is a problem with Group Policy on Windows Server 2008: the keep-alive setting for RDP connections is applied to the server (it shows up in RSOP and in the Policy key in the Registry), but the setting does not take effect. There is a patch for this issue on 2008. I have also seen this issue on Windows Server 2003, but I have not seen a patch for 2003 (only 2008). You can work around the issue by configuring RDP session timeouts manually.
  • This change requires a reboot
  • Issue can be masked if "reconnect if connection is dropped" is set at the client. Look for many instances of users disconnecting, then immediately reconnecting to identify the issue
    • Disconnect Event ID, followed by a Reconnect Event ID about 10 seconds later for the same user name (Event IDs below)
    • The disconnect / reconnect can also be seen in the Event ID logs on a Remote Desktop Gateway server
  • TCPIP keep alive does NOT need to be configured for the RDP keep alive to work
  • The registry locations are the same for Windows Server 2003 and Windows Server 2008


Registry file for configuring keep-alive settings

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"KeepAliveEnable"=dword:00000001
"KeepAliveInterval"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"KeepAliveTimeout"=dword:00000000
"KeepAliveEnable"=dword:00000001
"KeepAliveInterval"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]
"KeepAliveInterval"=-
"KeepAliveTime"=-
"TcpMaxDataRetransmissions"=-




Configuring the keep-alive for the Remote Desktop Protocol is accomplished via this value in Group Policy (Windows Server 2008):

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections

Value name: Configure keep-alive connection interval

Value is in minutes



Verifying the keep-alive setting via network capture

This diagram shows what to look for in a network capture



Event ID 683 - Client disconnect (Windows Server 2003)

Event Type:    Success Audit
Event Source:    Security
Event Category:    Logon/Logoff
Event ID:    683
Date:        8/6/2009
Time:        11:01:40 AM
User:        NT AUTHORITY\SYSTEM
Computer:    (Terminal Server Name)
Description:
Session disconnected from winstation:
     User Name:    (User's Active Directory ID)
     Domain:        (User's Active Directory domain)
     Logon ID:        (0x0,0x305A36CB)
     Session Name:    RDP-Tcp#344
     Client Name:    (User's client name)
     Client Address:    (User's client IP address)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event ID 682 - Client reconnect (Windows Server 2003)

Event Type:    Success Audit
Event Source:    Security
Event Category:    Logon/Logoff
Event ID:    682
Date:        8/6/2009
Time:        11:02:23 AM
User:        NT AUTHORITY\SYSTEM
Computer:   (Terminal Server Name)
Description:
Session reconnected to winstation:
     User Name:    (User's Active Directory ID)
     Domain:        (User's Active Directory domain)
     Logon ID:        (0x0,0x305A36CB)
     Session Name:    RDP-Tcp#349
     Client Name:    (User's client name)
     Client Address:    (User's client IP address)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event ID 303 on the Remote Desktop Gateway server - Client disconnect

Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          9/25/2012 3:39:19 PM
Event ID:      303
Task Category: (3)
Level:         Information
Keywords:      (16777216)
User:          NETWORK SERVICE
Computer:      (Remote Desktop Gateway Server Name)
Description:
The user "(User Domain\User Name)", on client computer "(Client Computer IP Address)", disconnected from the following network resource: "(Terminal Server Name)". Before the user disconnected, the client transferred 770068 bytes and received 68900345 bytes. The client session duration was 1055 seconds.


Event ID 300 on the Remote Desktop Gateway server - Client reconnect

Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          9/25/2012 3:39:35 PM
Event ID:      300
Task Category: (5)
Level:         Information
Keywords:      Audit Success,(16777216)
User:          NETWORK SERVICE
Computer:      (Remote Desktop Gateway Server Name)
Description:
The user "(User Domain\User Name)", on client computer "(Client Computer IP Address)", met resource authorization policy requirements and was therefore authorized to connect to resource "(Terminal Server Name)".
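The disconnect-then-immediate-reconnect pattern described in the keep-alive notes can be checked mechanically against Gateway events 303 and 300 in the layout shown above. This is an added example, not part of the original post; the sample events, the user, client and server names, the 60-second pairing window and the two-cycle threshold are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime
# Layouts of Gateway events 303/300 above (303 byte-count sentence omitted).
DISC = ('The user "{u}", on client computer "{c}", disconnected from the '
        'following network resource: "{r}".')
AUTH = ('The user "{u}", on client computer "{c}", met resource '
        'authorization policy requirements and was therefore authorized '
        'to connect to resource "{r}".')
# Constructed sample export (Date, Event ID, Description); names are made up.
A = dict(u="CORP\\alice", c="10.0.0.5", r="ts01")
B = dict(u="CORP\\bob", c="10.0.0.9", r="ts01")
SAMPLE = [
    ("9/25/2012 3:39:19 PM", 303, DISC.format(**A)),
    ("9/25/2012 3:39:35 PM", 300, AUTH.format(**A)),
    ("9/25/2012 3:55:02 PM", 303, DISC.format(**A)),
    ("9/25/2012 3:55:14 PM", 300, AUTH.format(**A)),
    ("9/25/2012 4:10:00 PM", 303, DISC.format(**B)),  # ordinary disconnect
    ("9/25/2012 5:30:00 PM", 300, AUTH.format(**B)),  # back 80 minutes later
]
PATTERN = re.compile(
    r'The user "(?P<user>[^"]+)", on client computer "[^"]+", '
    r'(?:disconnected from the following network resource: '
    r'|.*authorized to connect to resource )"(?P<resource>[^"]+)"')

def parse(date, event_id, description):
    m = PATTERN.match(description)
    if m is None:
        return None  # some other event text
    when = datetime.strptime(date, "%m/%d/%Y %I:%M:%S %p")
    return when, event_id, m["user"].lower(), m["resource"].lower()

def drop_reconnect_cycles(events, window_s=60):
    """Pair each 303 with the next 300 for the same user and resource."""
    parsed = sorted(p for p in (parse(*e) for e in events) if p)
    pending, cycles = {}, []
    for when, event_id, user, resource in parsed:
        key = (user, resource)
        if event_id == 303:
            pending[key] = when
        elif event_id == 300 and key in pending:
            gap = (when - pending.pop(key)).total_seconds()
            if gap <= window_s:  # assumption: 60 s counts as "immediately"
                cycles.append((user, resource, gap))
    return cycles

def suspects(events, min_cycles=2):  # threshold is an assumption
    counts = Counter((u, r) for u, r, _ in drop_reconnect_cycles(events))
    return {k: n for k, n in counts.items() if n >= min_cycles}
```

On the constructed sample, `suspects(SAMPLE)` reports only the user with two short-gap cycles; the user who returns 80 minutes later is not flagged.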



Originally published: 1-24-2013