Openvpn error routing

stephenw10

Do you see packet loss on the WAN at either site or only across the VPN?

Steve

PedroBelliato

@stephenw10 said in Openvpn error routing:

Do you see packet loss on the WAN at either site or only across the VPN?
Steve

Only from the VPN, I am monitoring and there is loss of 1 to 2 simultaneous packages from Site A to Site B, but on the contrary does not occur.
The application is in site A and the hosts of site B access directly and when this intermittence occurs the system loses communication (although site B does not lose packets plus the application loses communication).

stephenw10

If the packet loss only appears when pinging in one direction that implies something asymmetric. And probably some firewall rule or similar as the pings themselves obviously have to travel both ways whichever end is pinging.

Do you have multiple gateways at either end? Any gateway failover events logged?
That is something that would behave differently depending on which end opened the ping state.

Steve

PedroBelliato

@stephenw10 said in Openvpn error routing:

If the packet loss only appears when pinging in one direction that implies something asymmetric. And probably some firewall rule or similar as the pings themselves obviously have to travel both ways whichever end is pinging.
Do you have multiple gateways at either end? Any gateway failover events logged?
That is something that would behave differently depending on which end opened the ping state.
Steve

Thanks for the help, so in the site I have 2 links but the connections generated for vpn are being forced by a single link, in site B only 1 link.

Note (Site B is receiving temporary random IP Link, this could be interfering with packet loss)

PedroBelliato

Route site A
0_1550448691102_4919432b-c378-4140-bdbe-ae92bd411361-image.png

Site B
0_1550448475218_74a0fe0d-d79e-4907-8129-131bdb01e6cb-image.png

stephenw10

So it's not pfSense at both ends? Which way is seeing the packet loss?

What version of pfSense are you running? That looks like 2.3.X?

Steve

PedroBelliato

Site A is an Aker 6.8 appliance, packet loss occurs from site A to site B Pfsense 2.3.5

stephenw10

Ok so either there really is packet loss in the route which is not on either WAN. But I would still expect that to affect pings both ways.
Or one of the firewalls is not correctly handling traffic when it's initiated from the other side.

It should be possible to see what's happening in a packet capture on the openvpn interface.
Run a ping from site A and see some packet loss. Check the pcap to see if that loss is seen at siteB in the openvpn or if it's being lost on the replies. If it is run a pcap at site A if you can so see if all the packets are arriving there.

Steve

trazom

hi,
how can i see firewall rules on the server from a client machine?
thanks

stephenw10

Assuming you have rules to allow it, login to the sever gui and check the OpenVPN tab in the firewall rules. Or the assigned interface tab if you have assigned the OpenVPN server as an interface.

Steve