Missing packets

corradolab

Hi everybody,

I've a dozen sites connected in hub and spoke configuration via IPSEC.
All sites use pfSense with no issues.
Suddenly I started to experience connection issues to one site.

To test it, I executed a packet capture on both firewalls on IPSEC port, while accessing a network share on spoke site from the hub site.

The hub side capture above shows you host 192.168.126.210 (hub site) starting a SMB connection (SMB Negotiate Protocol Request) to host 192.168.148.10 (spoke site).
The Session Setup Request message get split in 3 packets (1512 + 1512 + 313 Bytes) but only the last packet appears on the other side as you can see below.

Also in the first capture you can see hub site retransmit the packet 5 times, but, again they never appear in spoke site.

Capture files: hub.cap spoke.cap

The first thing I can see is the missing packets are the bigger ones (1512 Bytes).
The second one is reversing the test (accessing a share on hub site from spoke site) works flawlessly.

What is going on?

Regards,
Corrado

Derelict

Something probably changed in the path MTU between the two sites. Try setting MSS Clamping to something like 1350 on both sides VPN > IPsec, Advanced Settings

Note how the 192.168.148.10 site is reporting an 8960 MSS value. Someone playing with jumbo frames and screwed the pooch there?