I've had some issues lately with Samsung Galaxy devices not playing nice with my MobileIron system. When trying to setup the email account, the devices throw up a "Unable to upgrade account" error. This started a few weeks ago and affected both new or existing Samsung Galaxy devices (S4, Note, Tab, etc.)
After spending time with support from Samsung & MobileIron, it turns out there's a setting inside MobileIron that blocks unregistered devices (devices without MobileIron) from setting up an email account - 'Auto Block Unregistered (unlinked) Devices:'
By turning this setting ON, MobileIron was actually blocking the Samsung devices from connecting for their email account because they were not yet 'linked' to an account. It was being 'too' secure.
So, if you see "Unable to upgrade account" on your Samsung Galaxy device (possibly other Android device models), and you use MobileIron, you should check the 'Auto block unregistered (unlinked) devices' setting is OFF under the VSP : Sentry : Preferences.
February 6, 2014
February 5, 2014
Down-under Terminal Server connection woes 3 - or "I left my (packet) back in San Francisco"
Microsoft came back with an update after examining network traces from the client and the server. Seems the initial 'scaling' connection works fine but when a second connection is attempted, it fails with no explanation. The Wireshark trace was inconclusive so a NetMon trace was created and sent to Microsoft for analysis.
The NetMon packet trace confirmed what I already suspected, the client packets were not making it to the server (duh?). Microsoft recommends taking a workstation outside the firewall and testing. This would eliminate the firewall from the potential issues.
Sonicwall came back and recommended we change the VPN connection timeout (TCP & UDP) on the firewall. This of course, had no effect as it is not the VPN connection having the issue. The workstations in Australia can access the rest of the network fine. It's just when they try to make a second connection to the terminal server that things go south.
The idea I'm floating around right now is this may have nothing to do with the Sonicwall after all, it could be related to the gateway device at this location provided by the ISP. It has firewall capabilities and may be causing an issue with the Sonicwall.
I need a user connect to the wireless on the gateway device (thereby eliminating the firewall from the equation) and see if he is able to work correctly. This would seem to point back to the firewall being an issue - unless the wireless side of the gateway doesn't go through the same processing as the LAN side of the gateway, where the Sonicwall is.
Things are continuing to develop - unfortunately the picture isn't any clearer...
(to be continued....)
The NetMon packet trace confirmed what I already suspected, the client packets were not making it to the server (duh?). Microsoft recommends taking a workstation outside the firewall and testing. This would eliminate the firewall from the potential issues.
Sonicwall came back and recommended we change the VPN connection timeout (TCP & UDP) on the firewall. This of course, had no effect as it is not the VPN connection having the issue. The workstations in Australia can access the rest of the network fine. It's just when they try to make a second connection to the terminal server that things go south.
The idea I'm floating around right now is this may have nothing to do with the Sonicwall after all, it could be related to the gateway device at this location provided by the ISP. It has firewall capabilities and may be causing an issue with the Sonicwall.
I need a user connect to the wireless on the gateway device (thereby eliminating the firewall from the equation) and see if he is able to work correctly. This would seem to point back to the firewall being an issue - unless the wireless side of the gateway doesn't go through the same processing as the LAN side of the gateway, where the Sonicwall is.
Things are continuing to develop - unfortunately the picture isn't any clearer...
(to be continued....)
February 4, 2014
Down-under Terminal Server connection woes 2 - or "What's love (of encryption) got to do with it?"
What's in a name? What's in a service pack? Two (almost) identical questions when it comes to the world of Microsoft - for all Microsoft updates are not the same.
In my testing of the Windows 2008 R2 SP1 terminal server issue described in the previous post, it came upon me to test to a different terminal server - but one still located in the same subnet as the problematic one. This revealed something very interesting.
If I used a Windows 2008 R2 (base) terminal server, I could not re-produce the issue from the same client that I was getting with Windows 2008 R2 SP1.
So, this puts us back to a very interesting question then. What is it about the SP1 install that causes our client to only be able to connect once and only once? This was the question that I was going to have to resolve.
(to be continued again...)
In my testing of the Windows 2008 R2 SP1 terminal server issue described in the previous post, it came upon me to test to a different terminal server - but one still located in the same subnet as the problematic one. This revealed something very interesting.
If I used a Windows 2008 R2 (base) terminal server, I could not re-produce the issue from the same client that I was getting with Windows 2008 R2 SP1.
So, this puts us back to a very interesting question then. What is it about the SP1 install that causes our client to only be able to connect once and only once? This was the question that I was going to have to resolve.
(to be continued again...)
February 3, 2014
Down-under Terminal Server connection woes - or "Throw another protocol error on the Barbie!"
Recently, I've had to deal with a rather bizarre terminal server issue. At this one location, no computer could connect to a specific terminal server twice. The computers could connect fine one time. But, if the user logged off or disconnected, and then tried to connect to the terminal server again, the following error was displayed each time:
Of course, you would think 'orphaned session' or a terminal server setting, but that was not the case. No limits were set and I could see the users' sessions disconnecting just fine from the server. The first connection would work fine until the user logged off the terminal server or was disconnected. Once that happened, the user could not sign in again with the above error.
But here's the trick: If I rebooted the server or the firewall at the location, the users could connect again - but again, only once, then another reboot would be required.
So after confirming the usual suspects like DNS, AD account status, and VPN tunnels were all active and working normally, I decided the issue had to be something deeper. I found the following error in the Terminal Server's System Event Log:
The checksum errors led me down the hardware stack to the network cards, turning off the "checksum offload" at the IP & TCP levels on the virtual host & virtual server. This cleared up some of the Checksum errors in Wireshark but still the same terminal server error persisted.
I was still not convinced that the Sonicwall at the location wasn't to blame for all this. After all, we had other network issues with a business application at that same location which had still not been fixed.
Bruised and beaten, I elected to open support tickets with Sonicwall and Microsoft and begin working this issue from each end with them....
(To be continued...)
 |
| Your Remote Desktop sessions has ended. The connection to the remote computer was lost, possibly due to network connectivity problems. Try connecting to the remote computer again. If the problem continues, contact your network administrator or technical support |
Of course, you would think 'orphaned session' or a terminal server setting, but that was not the case. No limits were set and I could see the users' sessions disconnecting just fine from the server. The first connection would work fine until the user logged off the terminal server or was disconnected. Once that happened, the user could not sign in again with the above error.
But here's the trick: If I rebooted the server or the firewall at the location, the users could connect again - but again, only once, then another reboot would be required.
So after confirming the usual suspects like DNS, AD account status, and VPN tunnels were all active and working normally, I decided the issue had to be something deeper. I found the following error in the Terminal Server's System Event Log:
 |
| "Event 56, TermDD - The Terminal Server security layer detected an error in the protocol stream and has disconnected the client." |
This little Event ID led down a real rabbit-hole of blog posts, forum discussions, and random Microsoft KB articles. Let me give you some of the highlights:
- Reduce the encryption level of the terminal server to Low & use "RDP Encryption"
- Set the RDP encryption algorithm to balance network & memory usage
- Enable 'keep alive' on the terminal server
- Disable TCP Chimney Offload, Receive-Side Scaling State (RSS), and NetDMA
- Confirm RDC client version is the latest on all clients
- Use "ERR.EXE" to analyze the last word byte of the above error (B50000D0 in this case)
 |
| "Dissector bug, protocol T.124 proto.c:3478 failed assertion (guint)hfindex < gpa_hfinfo.len) unregistered hf!" |
I was still not convinced that the Sonicwall at the location wasn't to blame for all this. After all, we had other network issues with a business application at that same location which had still not been fixed.
Bruised and beaten, I elected to open support tickets with Sonicwall and Microsoft and begin working this issue from each end with them....
(To be continued...)
Subscribe to:
Posts (Atom)