NeuroAgent

VPN Connection Drops When Using RDP

Fix for SSTP VPN tunnel disconnection when connecting via RDP. Configure MTU, routing, and firewall settings for stable remote access.

#mtu-configuration#remote-access#sstp-configuration#vpn-firewall#vpn-rdp-issues#vpn-routing
Question

VPN tunnel disconnects when connecting via RDP

Hello! I have set up a server at home to create a VPN tunnel to the office, running Windows with etherVPN. I’ve created an SSTP tunnel, and the connection establishes successfully. However, as soon as I start an RDP connection to a work computer, the connection drops. When reconnecting, everything works correctly. Static routing for the tunnel is already configured. Could you please advise on what direction to look for a solution to this problem? Additional info: lowering the encryption level didn’t help solve the issue.

NeuroAgent

SSTP Tunnel Disconnects When Connecting RDP Due to Conflicts Between VPN and Remote Desktop TCP Connections, Often Related to MTU Issues, Firewall Settings, or Routing Conflicts. The Main Causes Include Packet Fragmentation Due to Incorrectly Set MTU, Firewall Inactivity Timeouts, or Routing Conflicts When RDP Tries to Use a Direct Route Instead of the VPN Tunnel.

Table of Contents

Main Causes of Disconnection

The problem of SSTP tunnel disconnection when starting RDP connection is quite common and usually related to several main factors:

  1. TCP Connection Conflicts - SSTP uses the TCP protocol, making it sensitive to connection breaks. Once intensive RDP traffic begins (which also uses TCP), conflicts can occur that lead to tunnel disconnection.

  2. MTU (Maximum Transmission Unit) Problems - Incorrect MTU size for the VPN adapter causes packet fragmentation, leading to connection disconnections when transferring large amounts of data typical for RDP.

  3. Routing Conflicts - When starting RDP, the system may try to use a direct route instead of the VPN tunnel, causing conflicts and breaks.

  4. Firewall Timeouts - Many corporate firewalls set VPN connection inactivity timeouts, and intensive RDP traffic may be perceived as inactivity.

MTU Configuration for VPN Adapter

One of the most common causes of connection disconnections is incorrect MTU size for the VPN adapter. For SSTP tunnel, an MTU size of 1418 bytes is recommended instead of the standard 1500 bytes.

Step-by-step MTU configuration:

  1. Determine the VPN adapter index:

    cmd
    netsh interface show interface

  2. Set the correct MTU:

    cmd
    netsh interface ipv4 set subinterface <Adapter_Index> mtu=1418 store=persistent

  3. Restart the VPN adapter:

    cmd
    netsh interface set interface "<Adapter_Name>" disable
netsh interface set interface "<Adapter_Name>" enable

Important: According to Microsoft research, the correct MTU size for VPN tunnels significantly improves connection stability, especially when working with RDP.

Routing Solutions

Routing conflicts are a common cause of connection disconnections when using both VPN and RDP simultaneously.

Routing policy configuration:

  1. Check current routing:

    cmd
    route print

  2. Add a forced route for RDP through VPN:

    cmd
    route add <Workstation_IP> mask <Subnet_Mask> <VPN_Gateway> -p

  3. Configure route priorities:
    Ensure that routes through VPN have higher priority than direct routes.

  4. Use parameter in RDP:
    In RDP connection settings, add the /proxy:<VPN_IP> parameter to force tunnel usage.

Firewall Configuration and Timeouts

Most corporate firewalls have VPN connection timeout settings that can cause disconnections during intensive traffic.

Firewall parameters:

  1. Increase inactivity timeout:

    • Set VPN inactivity timeout to 30-60 minutes instead of standard 5-15 minutes
    • Allow persistent TCP sessions for VPN traffic

  2. Configure keep-alive packets:

    cmd
    ping <VPN_Gateway> -t

    Start a continuous ping to maintain the connection

  3. Check SSL offload settings:
    As noted in Richard Hicks Consulting research, SSL offload on load balancers often causes SSTP connection breaks.

Certificate and Encryption Verification

Certificate and encryption algorithm issues can also cause connection disconnections.

Certificate verification:

  1. Check encryption algorithms:

    cmd
    cipher /?

    Ensure modern algorithms are used (SHA-256 instead of SHA-1)

  2. Verify server certificate:

    cmd
    certutil -verify -v <certificate_path>

  3. Check algorithm compatibility:
    As mentioned in the discussion on ServerFault, the problem often occurs with SHA-1 and SHA-256 algorithm incompatibility.

Practical Troubleshooting Steps

To effectively solve the problem, it is recommended to perform the following steps:

Diagnostic sequence:

  1. Check network activity:

    cmd
    ping -f -l 1472 <target>

    This test will help determine the optimal MTU size

  2. Use Wireshark for analysis:

    • Capture traffic during RDP connection
    • Look for packets with TCP RST or FIN flags
    • Check packet fragmentation

  3. Check event logs:

    cmd
    wevtutil qe System /c:10 /rd:true /f:text | findstr "VPN|RDP"

  4. Test with different protocols:
    Try using IKEv2 instead of SSTP, as IKEv2 uses UDP and is more resistant to connection breaks.

  5. Check etherVPN settings:

    • Ensure static routing is configured correctly
    • Check DNS settings for VPN connection
    • Try disabling split tunneling for testing

Sources

  1. Richard Hicks Consulting - Always On VPN SSTP Connects then Disconnects
  2. Microsoft Q&A - Windows 10/11 VPN From RDP Session Kills Remote Desktop
  3. Server Fault - SSTP client disconnects shortly after successfully connected to VPN
  4. Experts Exchange - RDP over VPN disconnects constantly
  5. Reddit - RDP disconnects every 5min-1hour over VPN
  6. Microsoft Support - FIX: The VPN connection disconnects immediately when a Unified Access Gateway 2010 client uses SSTP

Conclusion

To solve the problem of SSTP tunnel disconnection when connecting RDP, several key parameters need to be checked and configured sequentially:

  1. Set VPN adapter MTU to 1418 bytes - this solves most packet fragmentation problems
  2. Check and fix routing - ensure RDP traffic goes through the VPN tunnel
  3. Configure firewall timeouts - increase VPN connection inactivity time
  4. Check certificates and encryption algorithms - use modern security standards
  5. Consider switching to IKEv2 - this protocol is more resistant to connection breaks

Start with MTU configuration and routing verification, as these solutions solve most similar problems. If the problem persists, use Wireshark for deep network traffic analysis and to determine the exact cause of connection disconnections.

How to configure MTU for VPN adapter in Windows for stable RDP connection?Why does VPN connection drop during intensive RDP traffic and how to fix it?How to check and configure routing for VPN and RDP connections in Windows?Which VPN protocol is better for RDP connections: SSTP or IKEv2?How to configure firewall timeouts to prevent VPN connection drops?What certificates are needed for SSTP VPN connection and how to check their compatibility?
Ask NeuroAgent