I am trying to connect to a Load Balanced Windows 2008 R2 cluster using Remote Desktop Services. I have no trouble connecting to the Servers' IP addresses (.253.16 and .253.17) or the Cluster address (.253.20) from inside the subnet (.253).
The trouble is when I try to connect from the other subnet (.251). I can remote to the other non-clustered servers (.253.12 and .253.15) inside the .253 subnet from the .251 without an issue. I receive a ping reply from the cluster and other servers when I am on the .251 subnet. But when I try to connect via remote desktop it times out, but only to any of the IPs on the cluster (.20, .17, .16).
My ASA 5510 handling the routing reports message in the log: Deny TCP (no connection) from 192.168.251.2/4283 to 192.168.253.16/3389 flag FIN PSH ACK
Update: It does appear that if I have one host down it works.
The error message you're describing shows the ASA's stateful packet inspection at play. The "no connection" means just that: the ASA doesn't have an entry in its connection table for a TCP connection between 192.168.251.2:4283 and 192.168.253.16:3389.
I would set up a capture as follows:
where LAN251 is the interface connected to the 192.168.251.0/24 network and LAN253 is the interface connected to the 192.168.253.0/24 network.
Then try connecting via RDP and see what's in the captures.
My bet is that you'll find that when you're trying to connect to one of the IPs (you'll see a SYN packet sent from a random port >1024 on 192.168.251.2 to port 3389 on 192.168.253.16/17/20), you'll see the response (SYN-ACK) come back from a different IP address, and the firewall will receive that SYN-ACK packet but will not forward it on to your RDP client.
If this is the case, the solution is not on the ASA. You need to figure out how to set up whatever clustering or load-balancing platform you're using to work correctly with RDP.
If this is not the case, please paste the captures so the community can analyze them.
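To make the "no connection" behaviour concrete, here is an added example (not code from the thread or from Cisco) that models the minimal stateful connection table a firewall such as the ASA keeps: an inbound SYN creates an entry keyed on the two endpoints, and any later packet that matches no entry is dropped and logged. The two packet sequences are constructed from the addresses in the question; the asymmetric one shows a SYN sent to the cluster address 192.168.253.20 answered by a SYN-ACK from the real node 192.168.253.16, which is exactly the case the firewall will refuse to forward.

```python
"""Toy stateful-firewall connection table (added illustration, not ASA code).

Packets and scenarios below are constructed sample data; real traffic would
come from captures on the firewall interfaces.
"""

from dataclasses import dataclass

# Short TCP flag letters -> the names the firewall log prints
FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "P": "PSH", "R": "RST"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # e.g. "S", "SA", "A", "FPA"


def expand_flags(flags):
    """'SA' -> 'SYN ACK', 'FPA' -> 'FIN PSH ACK'."""
    return " ".join(FLAG_NAMES[f] for f in flags)


class ConnTable:
    """Tracks TCP conversations by their endpoint pair, like a stateful firewall."""

    def __init__(self):
        self.conns = set()
        self.log = []

    @staticmethod
    def _key(pkt):
        # Both directions of one conversation map to the same unordered key,
        # so a reply only matches if it comes back from the SAME address:port
        # the SYN was sent to.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def process(self, pkt):
        key = self._key(pkt)
        if pkt.flags == "S":
            # A bare SYN opens a new entry (ACL checks are out of scope here)
            self.conns.add(key)
            return "permit"
        if key in self.conns:
            return "permit"
        # No entry: drop and log in the same shape as the ASA message
        self.log.append(
            f"Deny TCP (no connection) from {pkt.src}/{pkt.sport} "
            f"to {pkt.dst}/{pkt.dport} flag {expand_flags(pkt.flags)}"
        )
        return "deny"


def run(packets):
    """Feed packets through a fresh table; return (verdicts, log lines)."""
    table = ConnTable()
    verdicts = [table.process(p) for p in packets]
    return verdicts, table.log


# Constructed: RDP to a non-clustered host, replies come from the same IP
SYMMETRIC = [
    Packet("192.168.251.2", 4283, "192.168.253.15", 3389, "S"),
    Packet("192.168.253.15", 3389, "192.168.251.2", 4283, "SA"),
    Packet("192.168.251.2", 4283, "192.168.253.15", 3389, "A"),
]

# Constructed: SYN to the cluster address, SYN-ACK from a real node instead
ASYMMETRIC = [
    Packet("192.168.251.2", 4283, "192.168.253.20", 3389, "S"),
    Packet("192.168.253.16", 3389, "192.168.251.2", 4283, "SA"),
]

if __name__ == "__main__":
    for name, pkts in (("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC)):
        verdicts, log = run(pkts)
        print(name, verdicts)
        for line in log:
            print("  ", line)
```

Running it shows the symmetric exchange fully permitted, while the asymmetric one permits the SYN and then logs a deny for the SYN-ACK; the client never sees the handshake complete, which matches the timeout described in the question.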
Take a look at the firewall setting on the Clustered Terminal Servers. They probably have allow set for the local subnet only. You just need to modify those rules, or add new rules to allow connections on port 3389 (port 443 for a TS Gateway) from the other subnet.
If that doesn't work, I'm going out on a limb on this one, but it might be that your ASA doesn't have a rule to allow traffic from the .251 subnet to the cluster IPs. Try telnetting into the ASA and running
sh run | gr access-
and look for lines with text similar to "permit ip x.y.251.0 255.255.255.0 x.y.253.0 255.255.255.240"
Such a line would allow access to only the first several IPs in the .253 subnet.
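As an added illustration (not part of the answer above, and not Cisco tooling), the following script parses a line of that form and checks which hosts it actually covers. It assumes `x.y` is `192.168` as in the question; ASA access-list entries carry ordinary subnet masks, so `255.255.255.240` on `192.168.253.0` covers only `.0` to `.15`, which would leave `.16`, `.17` and `.20` outside the permit.

```python
"""Check which destination hosts an ASA-style 'permit ip' line covers.

Added example; the ACL line and host list are constructed from the thread.
"""

import ipaddress
import re

PERMIT_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_permit(line):
    """Return (source network, destination network) from a 'permit ip' line."""
    m = PERMIT_RE.search(line)
    if not m:
        raise ValueError(f"not a 'permit ip' line: {line!r}")
    src_net, src_mask, dst_net, dst_mask = m.groups()
    # ipaddress accepts dotted netmasks directly, e.g. 192.168.253.0/255.255.255.240
    return (
        ipaddress.ip_network(f"{src_net}/{src_mask}"),
        ipaddress.ip_network(f"{dst_net}/{dst_mask}"),
    )


def permits(line, src, dst):
    """True if the line allows traffic from src to dst."""
    src_net, dst_net = parse_permit(line)
    return ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net


def uncovered_hosts(line, src, hosts):
    """Hosts in the list that the permit line does NOT reach from src."""
    return [h for h in hosts if not permits(line, src, h)]


# Constructed: the quoted line with x.y filled in as 192.168
ACL_LINE = "access-list inside_in extended permit ip 192.168.251.0 255.255.255.0 192.168.253.0 255.255.255.240"
CLIENT = "192.168.251.2"
# Constructed: the working hosts and the cluster IPs from the question
HOSTS = ["192.168.253.12", "192.168.253.15", "192.168.253.16", "192.168.253.17", "192.168.253.20"]

if __name__ == "__main__":
    _, dst_net = parse_permit(ACL_LINE)
    print(f"{dst_net} covers {dst_net.num_addresses} addresses")
    print("not covered:", uncovered_hosts(ACL_LINE, CLIENT, HOSTS))
```

If the uncovered list lines up with the hosts that time out, the mask is the culprit; if every host is covered, the ACL is not the problem and the asymmetric-reply explanation is the better lead.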