Dear all,

we have a very strange problem:

- we have 3 VPN endpoints
- all are in one NETWORK
- all daemons come up and connect without any problem, and normally we have no problem working through the VPN

but in some cases the connection does not work because the traffic leaves the TAP interface on one VPN endpoint but never arrives on the other end. The similarities between the packages seem to be:

- the packages are 1500 bytes long (lower MTU does not solve the problem)
- the packages have no checksum

16:26:25.982932 IP (tos 0x0, ttl 127, id 19831, offset 0, flags [DF], proto TCP (6), length 1500) XXX.XXX.XXX.XXX.443 > XXX.XXX.XXX.XXX.51285: . 512:1960(1448) ack 1200 win 64163 <nop,nop,timestamp 249076008 754904913>

Does anyone even have a suggestion where to look? We have no further ideas how to solve that.

Thanks in advance,
Soeren
On Tue, Dec 22, 2009 at 05:07:10PM +0100, Soeren Malchow wrote:

> we have a very strange problem,
>
> - we have 3 VPN endpoints
> - all are in one NETWORK
> - all daemons come up and connect without any problem and normally we have no problem working through the VPN
>
> but in some cases the connection does not work because the traffic leaves the TAP interface on one VPN endpoint but never arrives on the other end, the similarities between the packages seem to be
>
> - the packages are 1500 bytes long ( lower MTU does not solve the problem )
> - the packages have no checksum
> 16:26:25.982932 IP (tos 0x0, ttl 127, id 19831, offset 0, flags [DF], proto TCP (6), length 1500) XXX.XXX.XXX.XXX.443 > XXX.XXX.XXX.XXX.51285: . 512:1960(1448) ack 1200 win 64163 <nop,nop,timestamp 249076008 754904913>
>
> does anyone even have a suggestion where to look, we have no further ideas how to solve that

Do you use Mode = switch? If so, try adding PMTUDiscovery = yes to the host config files.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
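The suggested fix is a per-host setting, so on a network with several endpoints it is easy to forget one. The following script is an added example (not tinc's own code, and not from anyone in this thread) that parses tinc's "Variable = Value" config syntax and lists the host config files that still lack PMTUDiscovery = yes while tinc.conf has Mode = switch. The file paths in the comments and the three sample configs with RFC 5737 documentation addresses are constructed for the example; on a real system you would read /etc/tinc/<netname>/tinc.conf and the files under /etc/tinc/<netname>/hosts/ instead.

```python
"""Audit a tinc network for the problem discussed in the thread: in switch
mode, each host config file should carry PMTUDiscovery = yes, otherwise
older tinc versions let the encapsulating UDP packets be fragmented, and a
firewall that drops fragments silently eats the traffic.

Added example, not tinc's own code.  tinc config files hold one
"Variable = Value" per line, with '#' introducing comments; the sample
files below are constructed for this example.
"""
import re

# One "Variable = Value" assignment; tinc variable names are case-insensitive.
_ASSIGNMENT = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")


def parse_tinc_config(text):
    """Parse one tinc config file into {variable (lower-case): value}."""
    variables = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        match = _ASSIGNMENT.match(line)
        if match:
            variables[match.group(1).lower()] = match.group(2)
    return variables


def hosts_without_pmtud(tinc_conf, host_confs):
    """Return the sorted names of hosts that still need PMTUDiscovery = yes.

    tinc_conf  -- contents of tinc.conf
    host_confs -- {host name: contents of hosts/<name>}
    Returns [] when Mode is not switch (tinc's default is router), because
    the fix discussed in the thread applies to switch mode only.
    """
    mode = parse_tinc_config(tinc_conf).get("mode", "router").lower()
    if mode != "switch":
        return []
    missing = []
    for name, text in host_confs.items():
        value = parse_tinc_config(text).get("pmtudiscovery", "no")
        if value.lower() != "yes":
            missing.append(name)
    return sorted(missing)


# Constructed sample: three endpoints, like the "3 VPN endpoints" in the
# thread.  Only 'office' already has PMTUDiscovery enabled.
SAMPLE_TINC_CONF = """\
# /etc/tinc/<netname>/tinc.conf (constructed sample)
Name = office
Mode = switch
ConnectTo = datacenter
"""

SAMPLE_HOSTS = {
    "office": "Address = 192.0.2.10\nPort = 655\nPMTUDiscovery = yes\n",
    "datacenter": "Address = 198.51.100.20\nPort = 655\n",   # setting absent
    "branch": "Address = 203.0.113.30\n# explicitly disabled\nPMTUDiscovery = no\n",
}

if __name__ == "__main__":
    for host in hosts_without_pmtud(SAMPLE_TINC_CONF, SAMPLE_HOSTS):
        print(f"hosts/{host}: add 'PMTUDiscovery = yes'")
```

Running the script as-is reports the two sample hosts, datacenter and branch. After fixing the files and restarting tincd, a tcpdump of the UDP traffic between the endpoints (rather than of the TAP interface) is the place to confirm that no fragments are being sent any more.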
Dear Guus,

just for reference, the firewall that was in between is an OpenBSD 4.6, and there was no difference whether we enabled or disabled scrubbing of fragmented packages. We also saw that the packages were leaving the external interface of the firewall, but they were not received by the opposite VPN endpoint, which is Ubuntu (self-firewalling VPN endpoint).

Thanks again
Soeren

-----Original Message-----
From: tinc-bounces at tinc-vpn.org [mailto:tinc-bounces at tinc-vpn.org] On Behalf Of Guus Sliepen
Sent: Tuesday, 22 December 2009 20:07
To: tinc at tinc-vpn.org
Subject: Re: traffic not going through tunnel

On Tue, Dec 22, 2009 at 07:00:11PM +0100, Soeren Malchow wrote:

> no, we were using the latest version in Ubuntu Hardy, since it is the
> current LTS version, we upgraded from the launchpad.net PPAs
>
> deb http://ppa.launchpad.net/dnjl/ppa/ubuntu YOUR_UBUNTU_VERSION_HERE main
> deb-src http://ppa.launchpad.net/dnjl/ppa/ubuntu YOUR_UBUNTU_VERSION_HERE main
>
> and it works immediately after that.

Great! Older versions of tinc did not support PMTUDiscovery in switch mode, and would let UDP packets be fragmented. And unfortunately some firewalls drop fragments.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>