Intermittent Ping issues across OpenVPN
-
I have two sites, A and B. Computers on Site A can ping and view the web GUI of 95% of Site B. However, they can't even ping a couple of servers at Site B.
Likewise, Site B is in the same boat with Site A: 95% of the traffic pings and talks fine, except for a few IP addresses.
All addresses with the issue are below .10, which stands out to me, but I'm not sure if that's relevant or not. I've confirmed the firewall rules are right, on both routers' LAN ports and OpenVPN ports. Outside of traffic below .10, everything works.
When I do a packet capture on the LAN interface and I ping a working address, it picks up the ICMP ping traffic just fine. However, if I were to, say, ping .4, according to the packet captures it makes it to the VPN interface and then dies.
Furthermore, when I ping .1, which is the LAN port on the other office's pfSense box, the computer doing the ping says it was successful; however, when you do a packet capture on that port, nothing....
Any help on how to unravel this mystery would be much appreciated, thank you!
-
IP addresses below .10 usually imply hosts that are statically configured. The DHCP range starts at .10 by default if you have a custom subnet.
So any hosts that are statically configured might have a bad subnet mask set or no gateway, etc.
Check on one of the failing hosts to be sure it is able to reply correctly.
Steve
-
@stephenw10 Good idea, but every host that can't ping or talk across the VPN can also ping and talk just fine on its local network as well as access the internet. The only network the servers can't talk to is across the VPN.
-
So maybe they have too large a subnet mask set and are trying to reach the remote IPs by ARPing for them when they should be using the gateway.
Check the states in the firewall when you are trying to connect for reply traffic at either end.
-
@stephenw10 All servers are statically assigned on the DHCP server side by their MAC address. I did double-check both the servers and the DHCP server to be sure. Everything is good.
x.x.101.0/24 for Site A
x.x.100.0/24 for Site B
I did add another virtual interface on one of the servers and it got an x.x.100.139 address. It also had the connectivity issues.
-
Ok. So the steps I would take to diagnose this are to start a failing ping and then check the states it has opened on both firewalls. If that doesn't make it obvious where the ping is failing, the next step would be to run packet captures on each interface in the route and see where the pings disappear.
Steve
-
@stephenw10 I appreciate all the help.
As stated in the original post, I've run packet captures, but to flesh out what I've done better than in my original post:
101.0/24 = Site A
100.0/24 = Site B
50.8/29 = VPN, Site A is server side
So if 100.4 pings 101.1, 100.4 reports successful pings on its command prompt and I can see the pings and their replies in a packet capture on 50.9; however, when I do a packet capture on 101.1 I get nothing.
When 100.4 pings 101.4, it reports failed pings. When I packet capture 50.9 I can see the pings going out, but I never see any response. When I packet capture 101.1 I don't even see the requests.
Firewall-wise I've got two rules that are in both the VPN and LAN rules lists:
101.0/24 -> 100.0/24 allow
100.0/24 -> 101.0/24 allow
-
@opensourceprotection said in Intermittent Ping issues across OpenVPN:
when I do a packet capture on 101.1 I get nothing.
101.1 is the pfSense interface on that side? You wouldn't expect to see traffic leaving it in a pcap if you are pinging the interface IP itself.
@opensourceprotection said in Intermittent Ping issues across OpenVPN:
When 100.4 pings 101.4 It reports failed pings. when I packet capture 50.9 I can see the pings going out but I never see any response. When I packet capture 101.1 I don't even see the requests.
What do you actually see? Is the traffic being translated anywhere? The state table would show that. What states are opened? You should see two states on each firewall?
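Steve's check above (open a failing ping, look at the states it creates on each firewall for reply traffic, and look for any translation) can be scripted. The following is an added example for this thread, not code from the thread or from pfSense: a small POSIX shell script that reads `pfctl -vss` output and, for every ICMP state involving a target host, prints the forward and reply packet counters, flags states that have never seen a reply, and flags states pf shows as translated. The subnets (10.0.101.0/24 for Site A, 10.0.100.0/24 for Site B), the interface name `ovpnc1`, the rule number and the sample state lines are all assumptions, since the thread elides the first two octets and shows no raw state output.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): reads `pfctl -vss` output
# and, for every ICMP state that involves a target host, reports packets seen
# in the state's own direction (fwd) versus the reply direction (rev).
# Live use on a pfSense box:   pfctl -vss | sh icmp_states.sh 10.0.101.4
# Assumptions: Site A = 10.0.101.0/24, Site B = 10.0.100.0/24, the OpenVPN
# client interface on Site B is ovpnc1. The thread elides the first two octets.

# pfctl -vss prints each state on one line ("ifname proto src -> dst  code"
# for outbound states, "dst <- src" for inbound ones) followed by a line
# with "age ..., N:M pkts, ..." where N:M are forward:reply packet counters.
icmp_state_report() {
    target="$1"
    awk -v host="$target" '
        /^[^ ]/ { state = "" }                 # any new state line resets
        /^[^ ]+ icmp / { state = $0; next }    # remember ICMP state lines only
        /pkts,/ && state != "" && index(state, host ":") {
            for (i = 1; i <= NF; i++) if ($i == "pkts,") pk = $(i - 1)
            split(pk, c, ":")
            sub(/ +[0-9]+:[0-9]+$/, "", state)   # drop trailing pf state code
            nat = index(state, "(") ? "nat=yes" : "nat=no"   # pf shows NAT as (addr:port)
            verdict = (c[2] + 0 > 0) ? "ok" : "NO-REPLY"
            printf "%s fwd=%s rev=%s %s %s\n", state, c[1], c[2], nat, verdict
            state = ""
        }'
}

# Constructed sample (not real output) of `pfctl -vss` on the Site B firewall
# while 10.0.100.4 pings 10.0.101.4 (fails) and 10.0.101.1 (works).
SAMPLE_STATES='lan icmp 10.0.101.4:1 <- 10.0.100.4:1       0:0
   age 00:00:06, expires in 00:00:09, 6:0 pkts, 504:0 bytes, rule 12
ovpnc1 icmp 10.0.100.4:1 -> 10.0.101.4:1       0:0
   age 00:00:06, expires in 00:00:09, 6:0 pkts, 504:0 bytes, rule 12
lan icmp 10.0.101.1:2 <- 10.0.100.4:2       0:0
   age 00:00:06, expires in 00:00:09, 6:6 pkts, 504:504 bytes, rule 12
ovpnc1 icmp 10.0.100.4:2 -> 10.0.101.1:2       0:0
   age 00:00:06, expires in 00:00:09, 6:6 pkts, 504:504 bytes, rule 12'

demo() {
    printf '%s\n' "$SAMPLE_STATES" | icmp_state_report 10.0.101.4
    printf '%s\n' "$SAMPLE_STATES" | icmp_state_report 10.0.101.1
}

if [ "$#" -ge 1 ]; then
    icmp_state_report "$1"   # live: states come from stdin
else
    demo                     # no target given: run against the sample
fi
```

Reading the result: two states per firewall (LAN side and OpenVPN side) with `fwd>0 rev=0` on the sending firewall say the requests left through the tunnel but nothing came back; the same pattern on the far firewall's LAN state says the request was delivered to the destination LAN and the host itself did not answer, which points at the end host rather than pfSense. `nat=yes` on any of these states would answer Steve's translation question. As the thread's final post shows, the end host's own firewall is the usual culprit at that point.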
-
Thank you so much @stephenw10. My boss insisted over and over and over again it was a pfSense issue, and while I was confident in the pfSense config, I, being the junior IT person, believed him. Your help got me the info I needed to convince him to look outside pfSense and, wouldn't you know it, it was the Windows Firewall, which is his area, that was the issue. The Windows Firewall on the machines didn't allow ping responses outside their local subnet.
Thank you so much again @stephenw10 you rock!