BIG-IP v13 native RDP - VDI connection failure

We have a problem where the user clicks on a link in a webtop which is a native RDP link, their application opens but the connection fails. Tcpdumps show for failed connections client traffic arrives at the F5 but never leaves it. For successful connections they stay up for a long time. We cannot see why they are failing when the backend resource is available and accessible.

VDI debug logs ~ https://gist.github.com/rtfmoz/58d82b0887146ea3a2310eb32fea1428

The failed connections just sit there until they time out with the error

"Your computer cannot connect to the Remote Desktop Gateway server. 
Contact your network administrator for assistance."

APM

application delivery

vdi

Kevin_Davies_40
Oct 09, 2017
Summary

Native RDP connections that use SSO variables fail to work reliably.
Version

BIG-IP 13.0.0 HF2
Symptoms

RDP connections intermittently fail to connect. The following message appears when you try to connect to the RDP session.
"Your computer cannot connect to the Remote Desktop Gateway server. Contact your network administrator for assistance."

This occurs under the following conditions

The virtual servers listens on a specific VLAN.

Workaround

Choose one of the following options:
Option 1: Enabled the virtual server to listen on all VLANS.
Option 2: Disable CMP on the virtual server - see K14358
Option 3: Virtual Edition only, set vCPU to one.
Solution

Hotfix to address this issue.

14 Replies

Kevin_Davies_40
Nacreous
Oct 03, 2017
The same native RDP connection can fail, then work, then fail to connect.
Stanislas_Piro2
Cumulonimbus
Oct 03, 2017
Hi Kevin,

On my configuration, Native RDP fails when I configure SSO. it work like a charm without this configuration.
SM_219936
Nimbostratus
Oct 03, 2017
Have you applied the default certificate on VS?
- Kevin_Davies_40
  Nacreous
  Oct 03, 2017
  No, using a valid SSL certificate. For everyone elses knowledge ... a valid SSL cert is required by native RDP for the MSRDP client to trust the RDP file. This is because APM signs the RDP file with the SSL private key of the virtual server.
smouzakis
Nimbostratus
Oct 03, 2017
Have you applied the default certificate on VS?
- Kevin_Davies_40
  Nacreous
  Oct 03, 2017
  No, using a valid SSL certificate. For everyone elses knowledge ... a valid SSL cert is required by native RDP for the MSRDP client to trust the RDP file. This is because APM signs the RDP file with the SSL private key of the virtual server.
Kevin_Davies_40
Nacreous
Oct 04, 2017
** Updated Answer Above **
- Kevin_Davies_40
  Nacreous
  Oct 05, 2017
  I am testing the cmp disable with vCPU=2 tomorrow as I am not certain demoting a virtual server to tmm0 will disable threaded execution across tmm0.1/0.2/...
- Kevin_Davies_40
  Nacreous
  Oct 06, 2017
  Disabling CMP is a successful workaround. We went back to vCPU = 2 and disabled CMP on the virtual server and all our RDPw/SSO connections are still working.
- Kevin_Davies_40
  Nacreous
  Oct 09, 2017
  F5 have come back to us on this issue. Enable the virtual on all VLAN's. Updated solution posted.
Kevin_Davies_40
Nacreous
Oct 09, 2017
Summary

Native RDP connections that use SSO variables fail to work reliably.
Version

BIG-IP 13.0.0 HF2
Symptoms

RDP connections intermittently fail to connect. The following message appears when you try to connect to the RDP session.
"Your computer cannot connect to the Remote Desktop Gateway server. Contact your network administrator for assistance."

This occurs under the following conditions

The virtual servers listens on a specific VLAN.

Workaround

Choose one of the following options:
Option 1: Enabled the virtual server to listen on all VLANS.
Option 2: Disable CMP on the virtual server - see K14358
Option 3: Virtual Edition only, set vCPU to one.
Solution

Hotfix to address this issue.
- Stanislas_Piro2
  Cumulonimbus
  Oct 09, 2017
  Hi,
  
  Thank you for the update.
  
  Even if the last workaround is better than previous, in some circumstances, one of previous can help.
  
  I suggest to add in workaround section previous ones (disable sso, disable cmp on VS)
- Kevin_Davies_40
  Nacreous
  Oct 09, 2017
  Updated to reflect alternative workarounds.
leonline_225556
Altostratus
Jun 07, 2018
I am still having this issue running 13.1.0.2, in my situation the vs is running in a non-default route domain.

F5 confirmed we are dealing with bug ID 623036 - Native RDP proxy does not work if Virtual Server is in non-default route domain and CMP enabled. This bug is linked to bug ID6 17929 Support non-default route domains when connecting to other tmm over backplane.

Unfortunately no fix is available yet.

Forum Discussion

BIG-IP v13 native RDP - VDI connection failure

14 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Tenant image upgrade

Related Content

Re: Get Started with BIG-IP Virtual Edition (VE), BIG-IQ VE or BIG-IP Cloud Edition Trial

Quick Optimizations for F5 BIG-IP Virtual Edition

Getting Started with BIG-IP Next: Upgrading Central Manager

Deploying F5 BIG-IP with Azure Cross-region load balancer

3 Ways to Connect BIG-IP to Istio