Can't route network through VPN without reboot

  • I have been noticing something when moving around my VPN connections which makes me think there is a table that needs to be manually flushed after reconfiguring things. I am wondering if anyone else has the same issue? I have several VPN connections that I am trying to migrate to a different ISP/interface. If I create a new OpenVPN connection on the new interface and specify my remote network in the new connection (removing it from the old connection) I can connect just fine, but when I try to ping from any of the client IPs on the remote firewall (including the LAN interface) I can see the traffic going into the tunnel but I don't see it in the packet captures coming out the other side.

    I also will see some of these messages in my logs "bad source address from client [x.x.x.x], packet dropped."  If I look at my routes I have a route for the ip address mentioned in the packet dropped message and it points to the appropriate vpn interface. If I ping from the OpenVPN interface (which uses the openvpn virtual IP's) I see everything working as expected.

    Now, if I keep working on this for several hours, everything just starts working, OR if I reboot my main firewall everything starts working. I am assuming this is some sort of NAT/route/filter table that is being rebuilt periodically, but I am not sure what to look for and I need to make sure it is something I can change without knocking all my VPNs offline (if possible).

    Has anyone else noticed similar behavior?

  • Regarding

    bad source address from client [x.x.x.x], packet dropped

    Usually means there is an iroute missing.
    Or is that a mobile/4G client?
    Then it is probably inside a CGN, so though you see the "correct" external address in the log, the actual address from the client is different.
    One can ignore the message if it's a mobile client.
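
As an added illustration of the reply's point (not code from the thread or from OpenVPN), the check below parses a server config and its client-config-dir (ccd) entries and reports any network that is routed into the tunnel with `route` but never claimed by a client with a matching `iroute`; those are the source networks whose packets OpenVPN drops with "bad source address from client". The server config, the ccd file names and the 10.10.x.0/24 networks are constructed sample values.

```python
"""Find 'route' networks on an OpenVPN server that lack a matching 'iroute'
in any client-config-dir (ccd) entry. Constructed example, not the poster's setup."""
import ipaddress
import re

ROUTE_RE = re.compile(r"^\s*route\s+(\S+)\s+(\S+)")
IROUTE_RE = re.compile(r"^\s*iroute\s+(\S+)\s+(\S+)")


def parse_routes(server_conf):
    """Return the set of networks declared with 'route <net> <netmask>'."""
    nets = set()
    for line in server_conf.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            nets.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return nets


def parse_iroutes(ccd_files):
    """Map each 'iroute' network to the ccd entry (client name) that claims it."""
    owners = {}
    for client, text in ccd_files.items():
        for line in text.splitlines():
            m = IROUTE_RE.match(line)
            if m:
                owners[ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")] = client
    return owners


def missing_iroutes(server_conf, ccd_files):
    """Networks the kernel routes into the tunnel that no client owns via iroute.
    Traffic sourced from these is dropped as 'bad source address from client'."""
    owners = parse_iroutes(ccd_files)
    return sorted(str(n) for n in parse_routes(server_conf) if n not in owners)


# Constructed sample: two remote sites, only site-a has its iroute.
SERVER_CONF = """\
route 10.10.1.0 255.255.255.0
route 10.10.2.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
"""
CCD = {
    "site-a": "iroute 10.10.1.0 255.255.255.0\n",
    "site-b": "# iroute for 10.10.2.0/24 was never added\n",
}

if __name__ == "__main__":
    print(missing_iroutes(SERVER_CONF, CCD))  # ['10.10.2.0/24']
```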

  • These are P2P connections and I have the network specified in the remote networks of the main firewall. Also the route appears in both the main firewall and my remote client firewall. I can also try adding push route to the advanced options and will get the same result.
