OpenVPN site-site VPN MTU issues after 2.2 upgrade
-
I have two pfsense machines at different sites which were both upgraded to 2.2 over the weekend. Generally things are great but I've noticed that the site-site OpenVPN tunnel between them seems to be suffering the symptoms of an MTU problem. The tunnel comes up, I can ping and do simple interactive SSH across it, but anything heavy like a file transfer or loading a complicated webpage doesn't work (and leads to the browser session timing out after getting the start of the content).
With no mssfix/fragment/tun-mtu options set, MTU inside the tunnel seems to be 1472 (ping -M do -s 1472 works, -s 1473 doesn't), the interface MTU shows as 1500, and running mtu-test returns:
Empirical MTU test completed [Tried,Actual] local->remote=[1556,1556] remote->local=[1556,1556]
So on the face of it, it doesn't seem to be an MTU problem, but the symptoms look like exactly that. I've tried various combinations of fragment/mssfix with values right down to 1200, with no luck. Any ideas?
-
Sounds exactly like problems I have had the last few days. In my case I run a virtual machine on an ESXi hypervisor, and it had a lot of weird issues with both open-vm-tools and the newest tools from VMware. Using e1000 instead of vmxnet3 solved everything for me; not the solution I wanted, but it works for now.
-
Run the minimum amount of TCP traffic necessary to replicate the issue and packet capture it. You should see, on one LAN or the other, repeated retransmissions of large packets if it's an issue along those lines. With mssfix down to 1200 not having made a difference, I suspect that isn't the problem. The capture likely has clues as to what it is.
Try various ping sizes with DF set and see at what size traffic starts getting dropped.
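As an added example (not code from the thread), the DF ping sweep suggested above can be automated with a binary search between the 1200 floor already tried and the 1500 interface MTU. It assumes a Linux (`ping -M do`) or FreeBSD/pfSense (`ping -D`) host with `ping` on the PATH; the probe function is injectable so the search logic can be exercised without a network.

```python
"""Find the largest ICMP payload that crosses a path with the DF bit set."""
import platform
import subprocess
import sys
from typing import Callable, Dict, List, Optional

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df_cmd(host: str, payload: int) -> List[str]:
    """One DF-marked echo request with a 2 s wait; flag syntax differs per OS."""
    if platform.system() == "Linux":  # iputils ping
        return ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    # FreeBSD/pfSense (and macOS) set Don't Fragment with -D
    return ["ping", "-c", "1", "-t", "2", "-D", "-s", str(payload), host]


def ping_probe(host: str, payload: int) -> bool:
    """True if the DF ping was answered (ping exits 0); drops or 'frag needed' give non-zero."""
    done = subprocess.run(ping_df_cmd(host, payload),
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return done.returncode == 0


def find_max_payload(probe: Callable[[int], bool], lo: int = 1200, hi: int = 1500) -> int:
    """Largest payload in [lo, hi] that probe() accepts, or -1 if even lo is dropped.

    Assumes the path behaves monotonically: if size n passes, every smaller size passes.
    A result well below (link MTU - 28) is the black-hole clue the replies are looking for.
    """
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid passed; the answer is mid or larger
        else:
            hi = mid - 1      # mid dropped; the answer is below mid
    return lo


def path_mtu_report(host: str, lo: int = 1200, hi: int = 1500,
                    probe: Optional[Callable[[int], bool]] = None) -> Dict[str, Optional[int]]:
    """Return the max payload and the implied IPv4 path MTU (payload + 28)."""
    probe = probe or (lambda n: ping_probe(host, n))
    payload = find_max_payload(probe, lo, hi)
    if payload < 0:
        return {"payload": None, "mtu": None}
    return {"payload": payload, "mtu": payload + IP_ICMP_OVERHEAD}


if __name__ == "__main__":
    # Usage: python mtu_probe.py <remote-lan-host>  (host is whatever sits across the tunnel)
    print(path_mtu_report(sys.argv[1]))
```

A payload of 1472 (MTU 1500) across the tunnel matches the original post; a ceiling well under that, or a probe that passes at 1472 while large TCP transfers still stall, points at the capture rather than the MTU as the next step.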