I have a server, server A, with three NICs: two to the Internet via separate ADSL modems, and one to the LAN. The two 'net' interfaces are configured as described at http://www.shorewall.net/MultiISP.html. This has been working for a number of months.

I am now testing an OpenVPN link between server A and another (currently single-ISP) server (server B). I can establish the VPN and ping from each end to the other. However, after a time the pings in each direction fail. This happens after anything from two or three pings to a couple of thousand, and is seemingly a random interval, but once they fail they stay failed until some action is taken. At the same time I get "read UDPv4 [ECONNREFUSED]: Connection refused (code=111)" errors logged on server A. No errors are logged on server B.

What is odd is that restarting Shorewall on server A allows the pings to succeed.

I'm struggling to find a reason why this should fail after a few seconds/minutes. Shorewall is V3.0.5 on server A and V3.0.7 on server B. The Shorewall configuration files for server A are shown below. If anyone can cast any light on this, or even suggest a troubleshooting approach, I'd be very grateful.

interfaces:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      tcpflags,routefilter,nosmurfs,logmartians
    net     eth1        detect      tcpflags,routefilter,nosmurfs,logmartians
    loc     eth2        detect      tcpflags,detectnets,nosmurfs
    loc     ppp+
    vpn     tun0

masq:

    #INTERFACE   SUBNET   ADDRESS
    eth0         eth2     192.168.2.1
    eth1         eth2     192.168.3.1

policy:

    #SOURCE   DEST   POLICY   LOG_LEVEL
    loc       net    ACCEPT
    $FW       net    ACCEPT
    $FW       loc    ACCEPT
    $FW       vpn    ACCEPT
    vpn       $FW    ACCEPT
    vpn       loc    ACCEPT
    loc       vpn    ACCEPT
    net       all    DROP     info
    net       net    DROP
    all       all    REJECT   info

providers:

    #NAME   NUMBER   MARK   DUPLICATE   INTERFACE   GATEWAY         OPTIONS         COPY
    ISP1    1        1      main        eth0        192.168.2.151   track,balance   eth2
    ISP2    2        2      main        eth1        192.168.3.151   track,balance   eth2

tunnels:

    #TYPE        ZONE   GATEWAY
    pptpserver   net    0.0.0.0/0
    openvpn      net    ext-addr-server-b

zones:

    #ZONE   TYPE
    fw      firewall
    net     ipv4
    loc     ipv4
    vpn     ipv4

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
I'm embarrassed to recognise myself in Tom's mail re problem reporting. Another try:

> I have a server, server A, with three NICs: two to the Internet via separate ADSL modems, and one to the LAN. The two 'net' interfaces are configured as described at http://www.shorewall.net/MultiISP.html. This has been working for a number of months.
>
> I am now testing an OpenVPN link between server A and another (currently single-ISP) server (server B). I can establish the VPN and ping from each end to the other. However, after a time the pings in each direction fail. This happens after anything from two or three pings to a couple of thousand, and is seemingly a random interval, but once they fail they stay failed until some action is taken. At the same time I get "read UDPv4 [ECONNREFUSED]: Connection refused (code=111)" errors logged on server A. No errors are logged on server B.
>
> What is odd is that restarting Shorewall on server A allows the pings to succeed.

The ping from server B is to 192.168.0.50, and the ping from server A is to 192.168.4.1.

I have attached the output of 'shorewall dump' from Server A.
On Wed, 2006-08-23 at 22:35 +0100, Keith Edmunds wrote:

> The ping from server B is to 192.168.0.50, and the ping from server A is to 192.168.4.1.
>
> I have attached the output of 'shorewall dump' from Server A.

This doesn't look like the normal OpenVPN/Multi-ISP problem that both Alex Wilms and I have seen before (and your symptoms seemed different too). In your case, you are losing the tunnel -- in our cases, routing was wrong. You are going to have the second problem (the one that Alex and I have seen) once we correct your first problem.

May I see the openvpn configurations on each end, please?

Thanks,
-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On 08/23/2006 11:13:13 PM +0100 Tom Eastep <teastep@shorewall.net> said:

> May I see the openvpn configurations on each end, please?

Server A:

    dev tun
    ifconfig 172.16.0.1 172.16.0.2
    secret test.key
    comp-lzo
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    route 192.168.4.0 255.255.255.0
    user nobody
    group nogroup
    daemon

Server B:

    remote 81.149.165.18
    dev tun
    ifconfig 172.16.0.2 172.16.0.1
    secret test.key
    comp-lzo
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    route 192.168.0.0 255.255.255.0
    user nobody
    group nogroup
    daemon
On Wed, 2006-08-23 at 23:40 +0100, Keith Edmunds wrote:

> On 08/23/2006 11:13:13 PM +0100 Tom Eastep <teastep@shorewall.net> said:
>
> > May I see the openvpn configurations on each end, please?
>
> Server A:
>
>     dev tun
>     ifconfig 172.16.0.1 172.16.0.2
>     secret test.key
>     comp-lzo
>     keepalive 10 60
>     ping-timer-rem
>     persist-tun
>     persist-key
>     route 192.168.4.0 255.255.255.0
>     user nobody
>     group nogroup
>     daemon

Please try adding 'local 192.168.?.1' to the above where ? is either 2 or 3 depending on which address 81.149.165.18 gets forwarded to.

> Server B:
>
>     remote 81.149.165.18
>     dev tun
>     ifconfig 172.16.0.2 172.16.0.1
>     secret test.key
>     comp-lzo
>     keepalive 10 60
>     ping-timer-rem
>     persist-tun
>     persist-key
>     route 192.168.0.0 255.255.255.0
>     user nobody
>     group nogroup
>     daemon

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On 08/23/2006 11:49:19 PM +0100 Tom Eastep <teastep@shorewall.net> said:

> Please try adding 'local 192.168.?.1' to the above where ? is either 2 or 3 depending on which address 81.149.165.18 gets forwarded to.

Tom, that fixed the problem. I am very grateful for your help: thank you.

Keith
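Tom's fix pins the tunnel's source address with OpenVPN's 'local' directive; without it, a host with two balanced Shorewall providers can emit the tunnel's UDP datagrams from either uplink address. The following is an added example, not code from the thread or from the Shorewall project: a small static lint that reads a providers file, a masq file and an OpenVPN config, and reports when balanced uplinks exist but 'local' is missing or names an address that is not one of them. It assumes the masq ADDRESS column holds the uplink interface's own address, as it does for server A above; the inputs are constructed to mirror server A's files.

```python
# Added example lint (not from the thread or Shorewall): on a host whose Shorewall
# providers are balanced, flag an OpenVPN config that does not pin 'local'.
# Assumes the masq ADDRESS column is the uplink interface's own address, as for
# server A in this thread. Inputs below are constructed to mirror server A's files.
PROVIDERS = """\
ISP1  1  1  main  eth0  192.168.2.151  track,balance  eth2
ISP2  2  2  main  eth1  192.168.3.151  track,balance  eth2
"""
MASQ = """\
eth0  eth2  192.168.2.1
eth1  eth2  192.168.3.1
"""
OPENVPN_A = """\
dev tun
ifconfig 172.16.0.1 172.16.0.2
secret test.key
keepalive 10 60
"""

def parse_table(text):
    """Whitespace-separated rows of a Shorewall table or OpenVPN config; comments/blanks skipped."""
    return [f for f in (line.split("#", 1)[0].split() for line in text.splitlines()) if f]

def balanced_interfaces(providers_text):
    """INTERFACE (col 5) of each provider whose OPTIONS (col 7) include 'balance'."""
    return {r[4] for r in parse_table(providers_text) if len(r) > 6 and "balance" in r[6].split(",")}

def interface_addresses(masq_text):
    """Uplink INTERFACE -> ADDRESS (cols 1 and 3) from the masq file."""
    return {r[0]: r[2] for r in parse_table(masq_text) if len(r) > 2}

def openvpn_local(config_text):
    """Argument of the OpenVPN 'local' directive, or None when absent."""
    hits = [f[1] for f in parse_table(config_text) if f[0] == "local" and len(f) > 1]
    return hits[0] if hits else None

def check_local_binding(providers_text, masq_text, ovpn_text):
    """(ok, message): fail when two or more balanced uplinks exist and OpenVPN
    is not bound with 'local' to one of their addresses."""
    balanced = balanced_interfaces(providers_text)
    candidates = sorted(a for i, a in interface_addresses(masq_text).items() if i in balanced)
    local = openvpn_local(ovpn_text)
    if len(balanced) < 2:
        return True, "single uplink; source address is unambiguous"
    if local is None:
        return False, "no 'local' directive; pin one of: " + ", ".join(candidates)
    if local not in candidates:
        return False, f"'local {local}' is not a balanced uplink address ({', '.join(candidates)})"
    return True, f"OpenVPN pinned to {local}"
```

The lint cannot know which of the two addresses the public address 81.149.165.18 is forwarded to, so it lists both candidates; that decision stays with the administrator, exactly as in Tom's reply.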