vSphere client through pfSense IPsec
-
I am unable to manage a remote VMware ESXi server via the vSphere client when connecting via a pfSense IPsec tunnel. The vSphere client gets to "loading inventory" and then times out. Aside from not being able to use the vSphere client, all traffic passes over the tunnel just fine. There is a single rule on the IPsec tab that allows all traffic between the two IPsec subnets.
I am seeing blocked packets in the firewall log. I find this strange as I have a default allow rule in place. If I click the "easy rule" button on one of the blocked packets I get the following error: "This page is meant to be called from the block/pass buttons on the Firewall Logs page, Status > System Logs, Firewall Tab."
The protocol/port for one of the blocked packets is "Port: 51989 TCP:A", and the other blocked packet has no port specified, with a protocol of "TCP". Again, everything is set to allow and all other traffic passes just fine.
I've checked the box allowing packets with IP options to pass with the same results.
Anyone have any ideas? Better yet, has anyone been able to use the vSphere client over a pfSense IPsec tunnel?
-
You should capture the traffic and analyze it. Mostly it will be an MTU issue, I think, since vSphere tries to use encryption, IIRC, and that might be problematic, but without looking at the packet capture it cannot be said.
-
Here is the packet capture on the IP address of the ESXi server. If I understand the rules correctly, my default allow any rule should allow any traffic, encrypted or not, to pass.
14:07:21.191369 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 7139, offset 0, flags [DF], proto TCP (6), length 52) 192.168.200.151.52588 > 10.5.5.160.443: Flags [S], cksum 0x5553 (correct), seq 3396585276, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:07:21.231779 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 48) 10.5.5.160.443 > 192.168.200.151.52588: Flags [S.], cksum 0x15da (correct), seq 4070801874, ack 3396585277, win 65535, options [mss 1460,nop,wscale 1], length 0
14:07:21.232260 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 7157, offset 0, flags [DF], proto TCP (6), length 40) 192.168.200.151.52588 > 10.5.5.160.443: Flags [.], cksum 0x3f9e (correct), seq 1, ack 1, win 513, length 0
14:07:21.233292 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 151: (tos 0x0, ttl 128, id 7158, offset 0, flags [DF], proto TCP (6), length 137) 192.168.200.151.52588 > 10.5.5.160.443: Flags [P.], cksum 0xcf1c (correct), seq 1:98, ack 1, win 513, length 97
14:07:21.276548 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 992: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 978) 10.5.5.160.443 > 192.168.200.151.52588: Flags [P.], cksum 0x38a6 (correct), seq 1:939, ack 98, win 32850, length 938
14:07:21.281576 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 252: (tos 0x0, ttl 128, id 7178, offset 0, flags [DF], proto TCP (6), length 238) 192.168.200.151.52588 > 10.5.5.160.443: Flags [P.], cksum 0xc111 (correct), seq 98:296, ack 939, win 509, length 198
14:07:21.325693 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 113: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 99) 10.5.5.160.443 > 192.168.200.151.52588: Flags [P.], cksum 0x3e27 (correct), seq 939:998, ack 296, win 32850, length 59
14:07:21.346889 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 203: (tos 0x0, ttl 128, id 7208, offset 0, flags [DF], proto TCP (6), length 189) 192.168.200.151.52588 > 10.5.5.160.443: Flags [P.], cksum 0xceb2 (correct), seq 296:445, ack 998, win 509, length 149
14:07:21.386657 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 496: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 482) 10.5.5.160.443 > 192.168.200.151.52588: Flags [P.], cksum 0xc8d0 (correct), seq 998:1440, ack 445, win 32850, length 442
14:07:21.579578 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 7209, offset 0, flags [DF], proto TCP (6), length 40) 192.168.200.151.52588 > 10.5.5.160.443: Flags [.], cksum 0x3849 (correct), seq 445, ack 1440, win 507, length 0
14:07:27.555013 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 7340, offset 0, flags [DF], proto TCP (6), length 52) 192.168.200.151.52599 > 10.5.5.160.443: Flags [S], cksum 0xe22c (correct), seq 3476370838, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:07:27.589391 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 48) 10.5.5.160.443 > 192.168.200.151.52599: Flags [S.], cksum 0x90fb (correct), seq 2506158285, ack 3476370839, win 65535, options [mss 1460,nop,wscale 1], length 0
14:07:27.589874 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 7341, offset 0, flags [DF], proto TCP (6), length 40) 192.168.200.151.52599 > 10.5.5.160.443: Flags [.], cksum 0xbabf (correct), seq 1, ack 1, win 513, length 0
14:07:27.740584 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 151: (tos 0x0, ttl 128, id 7342, offset 0, flags [DF], proto TCP (6), length 137) 192.168.200.151.52599 > 10.5.5.160.443: Flags [P.], cksum 0xe5f7 (correct), seq 1:98, ack 1, win 513, length 97
14:07:27.778415 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 992: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 978) 10.5.5.160.443 > 192.168.200.151.52599: Flags [P.], cksum 0x3d59 (correct), seq 1:939, ack 98, win 32850, length 938
14:07:27.784613 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 252: (tos 0x0, ttl 128, id 7343, offset 0, flags [DF], proto TCP (6), length 238) 192.168.200.151.52599 > 10.5.5.160.443: Flags [P.], cksum 0xe7b9 (correct), seq 98:296, ack 939, win 509, length 198
14:07:27.830689 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 113: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 99) 10.5.5.160.443 > 192.168.200.151.52599: Flags [P.], cksum 0xd85a (correct), seq 939:998, ack 296, win 32850, length 59
14:07:27.900126 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 251: (tos 0x0, ttl 128, id 7344, offset 0, flags [DF], proto TCP (6), length 237) 192.168.200.151.52599 > 10.5.5.160.443: Flags [P.], cksum 0xced5 (correct), seq 296:493, ack 998, win 509, length 197
14:07:27.918025 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 459: (tos 0x0, ttl 128, id 7345, offset 0, flags [DF], proto TCP (6), length 445) 192.168.200.151.52599 > 10.5.5.160.443: Flags [P.], cksum 0x27c7 (correct), seq 493:898, ack 998, win 509, length 405
14:07:27.957172 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 40) 10.5.5.160.443 > 192.168.200.151.52599: Flags [.], cksum 0x35d3 (correct), seq 998, ack 898, win 32647, length 0
14:07:27.965824 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 1152: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 1138) 10.5.5.160.443 > 192.168.200.151.52599: Flags [P.], cksum 0xf785 (correct), seq 998:2096, ack 898, win 32850, length 1098
14:07:27.970928 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 1152: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 1138) 10.5.5.160.443 > 192.168.200.151.52599: Flags [P.], cksum 0x7896 (correct), seq 2096:3194, ack 898, win 32850, length 1098
14:07:27.971376 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 7346, offset 0, flags [DF], proto TCP (6), length 40) 192.168.200.151.52599 > 10.5.5.160.443: Flags [.], cksum 0xaac5 (correct), seq 898, ack 3194, win 513, length 0
14:07:27.978453 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 208: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 194) 10.5.5.160.443 > 192.168.200.151.52599: Flags [P.], cksum 0xf3d4 (correct), seq 3194:3348, ack 898, win 32850, length 154
14:07:28.172894 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 7352, offset 0, flags [DF], proto TCP (6), length 40) 192.168.200.151.52599 > 10.5.5.160.443: Flags [.], cksum 0xaa2c (correct), seq 898, ack 3348, win 512, length 0
14:07:28.735951 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 7369, offset 0, flags [DF], proto TCP (6), length 52) 192.168.200.151.52603 > 10.5.5.160.443: Flags [S], cksum 0xe5d7 (correct), seq 758633445, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:07:28.769461 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 48) 10.5.5.160.443 > 192.168.200.151.52603: Flags [S.], cksum 0x50d0 (correct), seq 1447850936, ack 758633446, win 65535, options [mss 1460,nop,wscale 1], length 0
14:07:28.769782 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 7372, offset 0, flags [DF], proto TCP (6), length 40) 192.168.200.151.52603 > 10.5.5.160.443: Flags [.], cksum 0x7a94 (correct), seq 1, ack 1, win 513, length 0
14:07:28.771149 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 151: (tos 0x0, ttl 128, id 7373, offset 0, flags [DF], proto TCP (6), length 137) 192.168.200.151.52603 > 10.5.5.160.443: Flags [P.], cksum 0xe950 (correct), seq 1:98, ack 1, win 513, length 97
14:07:28.811449 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 992: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 978) 10.5.5.160.443 > 192.168.200.151.52603: Flags [P.], cksum 0x65f8 (correct), seq 1:939, ack 98, win 32850, length 938
14:07:28.813078 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 252: (tos 0x0, ttl 128, id 7375, offset 0, flags [DF], proto TCP (6), length 238) 192.168.200.151.52603 > 10.5.5.160.443: Flags [P.], cksum 0xbf07 (correct), seq 98:296, ack 939, win 509, length 198
14:07:28.863754 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 113: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 99) 10.5.5.160.443 > 192.168.200.151.52603: Flags [P.], cksum 0xd6fe (correct), seq 939:998, ack 296, win 32850, length 59
14:07:28.875325 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 139: (tos 0x0, ttl 128, id 7376, offset 0, flags [DF], proto TCP (6), length 125) 192.168.200.151.52603 > 10.5.5.160.443: Flags [P.], cksum 0xed16 (correct), seq 296:381, ack 998, win 509, length 85
14:07:28.915174 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 496: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 482) 10.5.5.160.443 > 192.168.200.151.52603: Flags [P.], cksum 0xec9f (correct), seq 998:1440, ack 381, win 32850, length 442
14:07:28.961857 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 299: (tos 0x0, ttl 128, id 7382, offset 0, flags [DF], proto TCP (6), length 285) 192.168.200.151.52599 > 10.5.5.160.443: Flags [P.], cksum 0x6e2d (correct), seq 898:1143, ack 3348, win 512, length 245
14:07:28.962059 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 507: (tos 0x0, ttl 128, id 7383, offset 0, flags [DF], proto TCP (6), length 493) 192.168.200.151.52599 > 10.5.5.160.443: Flags [P.], cksum 0x1e85 (correct), seq 1143:1596, ack 3348, win 512, length 453
14:07:29.000039 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 40) 10.5.5.160.443 > 192.168.200.151.52599: Flags [.], cksum 0x2a03 (correct), seq 3348, ack 1596, win 32623, length 0
14:07:29.024213 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 944: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 930) 10.5.5.160.443 > 192.168.200.151.52599: Flags [P.], cksum 0x913f (correct), seq 3348:4238, ack 1596, win 32850, length 890
14:07:29.110436 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 7389, offset 0, flags [DF], proto TCP (6), length 40) 192.168.200.151.52603 > 10.5.5.160.443: Flags [.], cksum 0x737f (correct), seq 381, ack 1440, win 507, length 0
14:07:29.125010 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 299: (tos 0x0, ttl 128, id 7390, offset 0, flags [DF], proto TCP (6), length 285) 192.168.200.151.52599 > 10.5.5.160.443: Flags [P.], cksum 0x999f (correct), seq 1596:1841, ack 4238, win 509, length 245
14:07:29.125169 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 651: (tos 0x0, ttl 128, id 7391, offset 0, flags [DF], proto TCP (6), length 637) 192.168.200.151.52599 > 10.5.5.160.443: Flags [P.], cksum 0xe9f3 (correct), seq 1841:2438, ack 4238, win 509, length 597
14:07:29.171273 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 40) 10.5.5.160.443 > 192.168.200.151.52599: Flags [.], cksum 0x2387 (correct), seq 4238, ack 2438, win 32551, length 0
14:07:29.177377 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 784: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 770) 10.5.5.160.443 > 192.168.200.151.52599: Flags [P.], cksum 0x8f47 (correct), seq 4238:4968, ack 2438, win 32850, length 730
14:07:29.213644 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 299: (tos 0x0, ttl 128, id 7399, offset 0, flags [DF], proto TCP (6), length 285) 192.168.200.151.52599 > 10.5.5.160.443: Flags [P.], cksum 0x2eaa (correct), seq 2438:2683, ack 4968, win 513, length 245
14:07:29.213814 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 667: (tos 0x0, ttl 128, id 7400, offset 0, flags [DF], proto TCP (6), length 653) 192.168.200.151.52599 > 10.5.5.160.443: Flags [P.], cksum 0x2a18 (correct), seq 2683:3296, ack 4968, win 513, length 613
14:07:29.214763 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 7401, offset 0, flags [DF], proto TCP (6), length 52) 192.168.200.151.52606 > 10.5.5.160.443: Flags [S], cksum 0x00d2 (correct), seq 1957327221, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:07:29.216689 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 7402, offset 0, flags [DF], proto TCP (6), length 52) 192.168.200.151.52607 > 10.5.5.160.443: Flags [S], cksum 0x2c73 (correct), seq 2593464296, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:07:29.253557 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 40) 10.5.5.160.443 > 192.168.200.151.52599: Flags [.], cksum 0x1d5b (correct), seq 4968, ack 3296, win 32543, length 0
14:07:29.259669 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 48) 10.5.5.160.443 > 192.168.200.151.52606: Flags [S.], cksum 0x7229 (correct), seq 2398762155, ack 1957327222, win 65535, options [mss 1460,nop,wscale 1], length 0
14:07:29.259770 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 48) 10.5.5.160.443 > 192.168.200.151.52607: Flags [S.], cksum 0x7d39 (correct), seq 3149932662, ack 2593464297, win 65535, options [mss 1460,nop,wscale 1], length 0
14:07:29.260044 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 7403, offset 0, flags [DF], proto TCP (6), length 40) 192.168.200.151.52606 > 10.5.5.160.443: Flags [.], cksum 0x9bed (correct), seq 1, ack 1, win 513, length 0
14:07:29.260177 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 7404, offset 0, flags [DF], proto TCP (6), length 40) 192.168.200.151.52607 > 10.5.5.160.443: Flags [.], cksum 0xa6fd (correct), seq 1, ack 1, win 513, length 0
14:07:29.263565 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 151: (tos 0x0, ttl 128, id 7405, offset 0, flags [DF], proto TCP (6), length 137) 192.168.200.151.52606 > 10.5.5.160.443: Flags [P.], cksum 0xdb25 (correct), seq 1:98, ack 1, win 513, length 97
14:07:29.263884 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 151: (tos 0x0, ttl 128, id 7406, offset 0, flags [DF], proto TCP (6), length 137) 192.168.200.151.52607 > 10.5.5.160.443: Flags [P.], cksum 0x4e1f (correct), seq 1:98, ack 1, win 513, length 97
14:07:29.265795 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 784: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 770) 10.5.5.160.443 > 192.168.200.151.52599: Flags [P.], cksum 0xab24 (correct), seq 4968:5698, ack 3296, win 32850, length 730
14:07:29.310291 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 992: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 978) 10.5.5.160.443 > 192.168.200.151.52606: Flags [P.], cksum 0x0fba (correct), seq 1:939, ack 98, win 32850, length 938
14:07:29.322325 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 252: (tos 0x0, ttl 128, id 7414, offset 0, flags [DF], proto TCP (6), length 238) 192.168.200.151.52606 > 10.5.5.160.443: Flags [P.], cksum 0x9bd2 (correct), seq 98:296, ack 939, win 509, length 198
14:07:29.325915 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 992: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 978) 10.5.5.160.443 > 192.168.200.151.52607: Flags [P.], cksum 0xde88 (correct), seq 1:939, ack 98, win 32850, length 938
14:07:29.329485 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 252: (tos 0x0, ttl 128, id 7427, offset 0, flags [DF], proto TCP (6), length 238) 192.168.200.151.52607 > 10.5.5.160.443: Flags [P.], cksum 0x6522 (correct), seq 98:296, ack 939, win 509, length 198
14:07:29.370848 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 113: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 99) 10.5.5.160.443 > 192.168.200.151.52606: Flags [P.], cksum 0xf241 (correct), seq 939:998, ack 296, win 32850, length 59
14:07:29.373045 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 299: (tos 0x0, ttl 128, id 7428, offset 0, flags [DF], proto TCP (6), length 285) 192.168.200.151.52606 > 10.5.5.160.443: Flags [P.], cksum 0xea39 (correct), seq 296:541, ack 998, win 509, length 245
14:07:29.373380 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 459: (tos 0x0, ttl 128, id 7429, offset 0, flags [DF], proto TCP (6), length 445) 192.168.200.151.52606 > 10.5.5.160.443: Flags [P.], cksum 0x1cf0 (correct), seq 541:946, ack 998, win 509, length 405
14:07:29.381531 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 113: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 99) 10.5.5.160.443 > 192.168.200.151.52607: Flags [P.], cksum 0x252a (correct), seq 939:998, ack 296, win 32850, length 59
14:07:29.383486 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 299: (tos 0x0, ttl 128, id 7430, offset 0, flags [DF], proto TCP (6), length 285) 192.168.200.151.52607 > 10.5.5.160.443: Flags [P.], cksum 0x8917 (correct), seq 296:541, ack 998, win 509, length 245
14:07:29.383657 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 459: (tos 0x0, ttl 128, id 7431, offset 0, flags [DF], proto TCP (6), length 445) 192.168.200.151.52607 > 10.5.5.160.443: Flags [P.], cksum 0xc2ed (correct), seq 541:946, ack 998, win 509, length 405
14:07:29.415379 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 40) 10.5.5.160.443 > 192.168.200.151.52606: Flags [.], cksum 0x16d1 (correct), seq 998, ack 946, win 32647, length 0
14:07:29.421791 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 40) 10.5.5.160.443 > 192.168.200.151.52607: Flags [.], cksum 0x21e1 (correct), seq 998, ack 946, win 32647, length 0
14:07:29.426715 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 1152: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 1138) 10.5.5.160.443 > 192.168.200.151.52606: Flags [P.], cksum 0xdf92 (correct), seq 998:2096, ack 946, win 32850, length 1098
14:07:29.427579 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 1152: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 1138) 10.5.5.160.443 > 192.168.200.151.52606: Flags [P.], cksum 0xdde3 (correct), seq 2096:3194, ack 946, win 32850, length 1098
14:07:29.427998 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 7432, offset 0, flags [DF], proto TCP (6), length 40) 192.168.200.151.52606 > 10.5.5.160.443: Flags [.], cksum 0x8bc3 (correct), seq 946, ack 3194, win 513, length 0
14:07:29.432809 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 1152: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 1138) 10.5.5.160.443 > 192.168.200.151.52606: Flags [P.], cksum 0xd143 (correct), seq 3194:4292, ack 946, win 32850, length 1098
14:07:29.433206 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 1120: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 1106) 10.5.5.160.443 > 192.168.200.151.52607: Flags [P.], cksum 0x549d (correct), seq 998:2064, ack 946, win 32850, length 1066
14:07:29.438768 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 1152: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 1138) 10.5.5.160.443 > 192.168.200.151.52606: Flags [P.], cksum 0xfc7e (correct), seq 4292:5390, ack 946, win 32850, length 1098
14:07:29.439131 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 7433, offset 0, flags [DF], proto TCP (6), length 40) 192.168.200.151.52606 > 10.5.5.160.443: Flags [.], cksum 0x832f (correct), seq 946, ack 5390, win 513, length 0
14:07:29.439274 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 1152: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 1138) 10.5.5.160.443 > 192.168.200.151.52606: Flags [P.], cksum 0x0d35 (correct), seq 5390:6488, ack 946, win 32850, length 1098
14:07:29.454160 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 7434, offset 0, flags [DF], proto TCP (6), length 40) 192.168.200.151.52599 > 10.5.5.160.443: Flags [.], cksum 0x97a2 (correct), seq 3296, ack 5698, win 510, length 0
14:07:29.480511 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 332: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 318) 10.5.5.160.443 > 192.168.200.151.52606: Flags [P.], cksum 0x7b57 (correct), seq 10868:11146, ack 946, win 32850, length 278
14:07:29.481524 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 7435, offset 0, flags [DF], proto TCP (6), length 40) 192.168.200.151.52606 > 10.5.5.160.443: Flags [.], cksum 0x7eea (correct), seq 946, ack 6488, win 508, length 0
14:07:29.491057 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 299: (tos 0x0, ttl 128, id 7436, offset 0, flags [DF], proto TCP (6), length 285) 192.168.200.151.52599 > 10.5.5.160.443: Flags [P.], cksum 0x85df (correct), seq 3296:3541, ack 5698, win 510, length 245
14:07:29.491363 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 443: (tos 0x0, ttl 128, id 7437, offset 0, flags [DF], proto TCP (6), length 429) 192.168.200.151.52599 > 10.5.5.160.443: Flags [P.], cksum 0xfd06 (correct), seq 3541:3930, ack 5698, win 510, length 389
14:07:29.530841 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 40) 10.5.5.160.443 > 192.168.200.151.52599: Flags [.], cksum 0x1797 (correct), seq 5698, ack 3930, win 32655, length 0
14:07:29.532448 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 299: (tos 0x0, ttl 128, id 7438, offset 0, flags [DF], proto TCP (6), length 285) 192.168.200.151.52607 > 10.5.5.160.443: Flags [P.], cksum 0x54e4 (correct), seq 946:1191, ack 2064, win 513, length 245
14:07:29.532604 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 923: (tos 0x0, ttl 128, id 7439, offset 0, flags [DF], proto TCP (6), length 909) 192.168.200.151.52607 > 10.5.5.160.443: Flags [P.], cksum 0xb70d (correct), seq 1191:2060, ack 2064, win 513, length 869
14:07:29.535242 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 704: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 690) 10.5.5.160.443 > 192.168.200.151.52599: Flags [P.], cksum 0xdc8e (correct), seq 5698:6348, ack 3930, win 32850, length 650
14:07:29.544724 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 299: (tos 0x0, ttl 128, id 7440, offset 0, flags [DF], proto TCP (6), length 285) 192.168.200.151.52599 > 10.5.5.160.443: Flags [P.], cksum 0x72f5 (correct), seq 3930:4175, ack 6348, win 507, length 245
14:07:29.544894 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 667: (tos 0x0, ttl 128, id 7441, offset 0, flags [DF], proto TCP (6), length 653) 192.168.200.151.52599 > 10.5.5.160.443: Flags [P.], cksum 0x3001 (correct), seq 4175:4788, ack 6348, win 507, length 613
14:07:29.573649 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 40) 10.5.5.160.443 > 192.168.200.151.52607: Flags [.], cksum 0x1a45 (correct), seq 2064, ack 2060, win 32415, length 0
14:07:29.578139 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 784: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 770) 10.5.5.160.443 > 192.168.200.151.52607: Flags [P.], cksum 0x32b1 (correct), seq 2064:2794, ack 2060, win 32850, length 730
14:07:29.583467 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 299: (tos 0x0, ttl 128, id 7442, offset 0, flags [DF], proto TCP (6), length 285) 192.168.200.151.52607 > 10.5.5.160.443: Flags [P.], cksum 0x7c2b (correct), seq 2060:2305, ack 2794, win 510, length 245
14:07:29.583628 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 443: (tos 0x0, ttl 128, id 7443, offset 0, flags [DF], proto TCP (6), length 429) 192.168.200.151.52607 > 10.5.5.160.443: Flags [P.], cksum 0x60a6 (correct), seq 2305:2694, ack 2794, win 510, length 389
14:07:29.585684 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 40) 10.5.5.160.443 > 192.168.200.151.52599: Flags [.], cksum 0x1223 (correct), seq 6348, ack 4788, win 32543, length 0
14:07:29.628632 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 40) 10.5.5.160.443 > 192.168.200.151.52607: Flags [.], cksum 0x1401 (correct), seq 2794, ack 2694, win 32655, length 0
14:07:29.650358 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 800: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 786) 10.5.5.160.443 > 192.168.200.151.52607: Flags [P.], cksum 0x5e19 (correct), seq 2794:3540, ack 2694, win 32850, length 746
14:07:29.670664 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 299: (tos 0x0, ttl 128, id 7444, offset 0, flags [DF], proto TCP (6), length 285) 192.168.200.151.52607 > 10.5.5.160.443: Flags [P.], cksum 0xf377 (correct), seq 2694:2939, ack 3540, win 513, length 245
14:07:29.670875 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 651: (tos 0x0, ttl 128, id 7445, offset 0, flags [DF], proto TCP (6), length 637) 192.168.200.151.52607 > 10.5.5.160.443: Flags [P.], cksum 0x88a9 (correct), seq 2939:3536, ack 3540, win 513, length 597
14:07:29.688094 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 1152: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 1138) 10.5.5.160.443 > 192.168.200.151.52599: Flags [P.], cksum 0xb76b (correct), seq 6348:7446, ack 4788, win 32850, length 1098
14:07:29.692810 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 1152: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 1138) 10.5.5.160.443 > 192.168.200.151.52599: Flags [P.], cksum 0xf1c0 (correct), seq 7446:8544, ack 4788, win 32850, length 1098
14:07:29.693162 00:0c:29:bf:48:47 > 00:0c:29:e0:cf:34, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 7446, offset 0, flags [DF], proto TCP (6), length 40) 192.168.200.151.52599 > 10.5.5.160.443: Flags [.], cksum 0x86ad (correct), seq 4788, ack 8544, win 513, length 0
14:07:29.693301 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 1152: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 1138) 10.5.5.160.443 > 192.168.200.151.52599: Flags [P.], cksum 0xcb61 (correct), seq 8544:9642, ack 4788, win 32850, length 1098
14:07:29.698775 00:0c:29:e0:cf:34 > 00:0c:29:bf:48:47, ethertype IPv4 (0x0800), length 1152: (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 1138) 10.5.5.160.443 > 192.168.200.151.52599: Flags [P.], cksum 0x3c98 (correct), seq 9642:10740, ack 4788, win 32850, length 1098
-
All these packets have the don't fragment flag set, so that might cause the problem.
-
Thanks. This gives me something to go on. I'll see what I can find and let you know.
-
You could try enabling MSS clamping on the VPN. System > Advanced, Misc tab, adjust it down a bit more, maybe 1400. You could also try checking the box to clear invalid DF bits on the Firewall/NAT tab under the Advanced options as well.
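
Added example, not part of the thread: a small Python check that reads tcpdump text output and reports TCP sequence ranges a sender skipped over, together with the MSS that sender advertised and the highest ACK its peer returned. The sample records are abridged from the capture posted above (the 10.5.5.160:443 / 192.168.200.151:52606 flow); `find_gaps` and its field names are illustrative.

```python
import re
from collections import defaultdict

# Records abridged from the capture posted in the thread: the flow between
# 10.5.5.160:443 and 192.168.200.151:52606, with the Ethernet/IP header
# fields and checksums dropped. tcpdump prints relative sequence numbers
# after the SYN.
CAPTURE = """\
14:07:29.259669 10.5.5.160.443 > 192.168.200.151.52606: Flags [S.], seq 2398762155, ack 1957327222, win 65535, options [mss 1460,nop,wscale 1], length 0
14:07:29.310291 10.5.5.160.443 > 192.168.200.151.52606: Flags [P.], seq 1:939, ack 98, win 32850, length 938
14:07:29.370848 10.5.5.160.443 > 192.168.200.151.52606: Flags [P.], seq 939:998, ack 296, win 32850, length 59
14:07:29.415379 10.5.5.160.443 > 192.168.200.151.52606: Flags [.], seq 998, ack 946, win 32647, length 0
14:07:29.426715 10.5.5.160.443 > 192.168.200.151.52606: Flags [P.], seq 998:2096, ack 946, win 32850, length 1098
14:07:29.427579 10.5.5.160.443 > 192.168.200.151.52606: Flags [P.], seq 2096:3194, ack 946, win 32850, length 1098
14:07:29.432809 10.5.5.160.443 > 192.168.200.151.52606: Flags [P.], seq 3194:4292, ack 946, win 32850, length 1098
14:07:29.438768 10.5.5.160.443 > 192.168.200.151.52606: Flags [P.], seq 4292:5390, ack 946, win 32850, length 1098
14:07:29.439274 10.5.5.160.443 > 192.168.200.151.52606: Flags [P.], seq 5390:6488, ack 946, win 32850, length 1098
14:07:29.480511 10.5.5.160.443 > 192.168.200.151.52606: Flags [P.], seq 10868:11146, ack 946, win 32850, length 278
14:07:29.481524 192.168.200.151.52606 > 10.5.5.160.443: Flags [.], seq 946, ack 6488, win 508, length 0
"""

# IPv4 address plus port is five dot-separated numbers, so the MAC addresses
# in verbose (-e) output never match this pattern.
FLOW = re.compile(r"(\d+(?:\.\d+){4}) > (\d+(?:\.\d+){4}): Flags \[([^\]]*)\]")
SEQ = re.compile(r"\bseq (\d+)(?::(\d+))?")
ACK = re.compile(r"\back (\d+)")
MSS = re.compile(r"\bmss (\d+)")


def find_gaps(text):
    """Return sequence ranges that a sender skipped over in tcpdump text.

    A later retransmission that fills a range is not tracked, so treat each
    result as "missing at this point in the capture".
    """
    expected = {}             # flow -> next relative sequence number expected
    mss = {}                  # flow -> MSS the sender advertised in its SYN
    acked = defaultdict(int)  # flow -> highest ACK the receiver sent back
    gaps = []
    for line in text.splitlines():
        flow_m, seq_m = FLOW.search(line), SEQ.search(line)
        if not (flow_m and seq_m):
            continue
        src, dst, flags = flow_m.groups()
        flow = (src, dst)
        if "S" in flags:
            # SYN / SYN-ACK carry absolute numbers; relative data starts at 1.
            expected[flow] = 1
            mss_m = MSS.search(line)
            if mss_m:
                mss[flow] = int(mss_m.group(1))
            continue
        ack_m = ACK.search(line)
        if ack_m:
            # An ACK from src acknowledges data of the reverse flow.
            acked[(dst, src)] = max(acked[(dst, src)], int(ack_m.group(1)))
        start = int(seq_m.group(1))
        end = int(seq_m.group(2) or start)
        nxt = expected.get(flow)
        if nxt is not None and end > start and start > nxt:
            missing = start - nxt
            size = mss.get(flow)
            gaps.append({
                "flow": flow,
                "missing_from": nxt,
                "missing_to": start,
                "missing_bytes": missing,
                "sender_mss": size,
                # Whole number of full-size segments, if it divides evenly.
                "full_mss_segments":
                    missing // size if size and missing % size == 0 else None,
            })
        expected[flow] = max(expected.get(flow, start), end)
    for gap in gaps:
        gap["peer_ack"] = acked[gap["flow"]]
    return gaps


if __name__ == "__main__":
    for gap in find_gaps(CAPTURE):
        print(gap)
```

On these records it reports 4380 bytes missing between relative sequence 6488 and 10868, which is three segments of the 1460-byte MSS that 10.5.5.160 advertised, while the client's ACK stays at 6488. Full-size segments going missing while smaller ones arrive is the pattern MSS clamping is meant to address.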