IPSEC connected but won't pass HTTP or RDP, kind of

  • I have been using IPSEC VPNs with pfSense endpoints for over a year without a hitch. I have one main office that everyone connects in to with a PSK config. I use the VPN tunnel for traffic such as time clocks, web-based apps, and RDP (for support). All has been well until about 1 month ago. One of the sites was complaining that they couldn't load the Java-based web app from our home office anymore. I confirmed the problem after trying Java updates and all kinds of troubleshooting. The page would partially load (you could see the title of the page at the top of the browser), but after a few minutes of trying to load, it would time out and error. The weird thing is that I could connect to the page just fine when going outside of the VPN, so I had them connect that way for the time being (keep in mind that I could still ping the main office, connect to the site via RDP, and whatever protocol the time clocks were using was still working over the VPN). A couple of weeks later I had another, different site complain that they could not connect to a system via RDP and were also having trouble with a specific feature of the web app. The web app would load and let them log in and use all the features except for making changes. I connected outside the VPN and it started working again. WEIRD. Just last Friday one of the large sites lost connectivity to the web app altogether and the problem got escalated. I figured that maybe I picked up a bug when I upgraded to version 1.2 RELEASE, so I went ahead and downgraded to RC3, which I knew had worked. I tried a bare-bones config at the home office and only set up the interfaces and one VPN with allow rules. No luck. I am writing this forum post in desperation for any ideas or suggestions. I was thinking it could be something to do with the internet connection at the main site since it seems to be the center of my problems.
The weird part is that everything works fine outside the VPN, and I can still ping and run most other apps through the VPN.

    Here is what has been done already…

    - I have verified the logs and made sure that the VPN is functional. (No changes have been made from the original working config.)
    - I have also permitted all traffic on the IPSEC interface in my firewall rules.
    - I have checked the rules in the logs by turning on the log option in the rule settings. Everything showed up as allowed when tested.
    - It seems to partially connect, because you can use the web app in some situations and see it partially load in others. The RDP issue is weird because it loads a blue window but drops you before you get the logon dialog box, saying "network error".

    Let me know if you need me to post my config... It is pretty long and I don't have time to mask all the IPs right now.

    Any help would be GREATLY appreciated.

  • I would try some pings of various sizes to verify the MTU. It kind of sounds like you have a misconfigured router in your path.

  • @dotdash:

    I would try some pings of various sizes to verify the MTU. It kind of sounds like you have a misconfigured router in your path.

    I tried your suggestion and it replied on every ping up to 1418 bytes… anything over that it did not respond.  Is that normal?  It seems to respond the same for any of the links (not just to the main office).


  • Also just to clarify… I have not modified the MTU settings from the default.

  • The IPsec tunnel adds at least 28 bytes, so generally if the interface MTU is 1500, you start to see fragmented packets above 1472. You can set the don't fragment bit on the ping and test. 1418 seems a strange number; perhaps this is due to your interface and/or the tunnel configuration. Not getting larger packets across suggests fragmented packets are not getting through. If something in the path is silently dropping the fragments, the symptoms would be consistent with what you are seeing: smaller packets getting through and large packets going into a black hole. You could drop to a shell and try setting the MTU to 1400 and re-test.
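    To put numbers on the overhead described above, here is an added worked example (not code from the thread or from pfSense) that computes the ESP tunnel-mode size of a ping, derives the largest echo payload that still fits a 1500-byte path, and runs the "pings of various sizes" search as a binary search against a simulated probe. It assumes IPv4 tunnel mode with 3DES-CBC and HMAC-SHA1-96 as the defaults; under exactly those assumptions the arithmetic happens to land on 1418 as well, which is one possible reading of that "strange number".

```python
"""Added worked example: IPsec ESP overhead versus ping size (RFC 4303 layout).
Assumes IPv4 tunnel mode, CBC cipher with IV = block size, 12-byte ICV."""

IP_HDR = 20      # IPv4 header without options
ICMP_HDR = 8     # ICMP echo header
ESP_HDR = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2  # pad length (1) + next header (1)


def esp_tunnel_size(inner_len, block, icv):
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes.
    block: cipher block size and IV length (8 for 3DES, 16 for AES).
    icv:   authentication tag length (12 for HMAC-SHA1-96)."""
    padded = -(-(inner_len + ESP_TRAILER) // block) * block  # round up to block
    return IP_HDR + ESP_HDR + block + padded + icv


def max_ping_payload(path_mtu, block=8, icv=12):
    """Largest ICMP echo data size whose encrypted packet needs no fragmentation.
    Defaults are the assumed 3DES/HMAC-SHA1 parameters."""
    size = 0
    while esp_tunnel_size(IP_HDR + ICMP_HDR + size + 1, block, icv) <= path_mtu:
        size += 1
    return size


def simulated_probe(payload, black_hole_above=1418):
    """Constructed stand-in for `ping -M do -s <payload>` (Linux iputils):
    returns True when a reply comes back. Mimics the thread: silence above 1418."""
    return payload <= black_hole_above


def find_largest_payload(probe, lo=0, hi=1472):
    """Binary search for the largest payload the probe still answers,
    instead of stepping through sizes by hand."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    print("largest payload found by probing:", find_largest_payload(simulated_probe))
    print("predicted limit, 3DES/SHA1 at MTU 1500:", max_ping_payload(1500))
    print("predicted limit, AES/SHA1 at MTU 1500:", max_ping_payload(1500, block=16))
```

Replace `simulated_probe` with a wrapper around a real don't-fragment ping to measure a live tunnel; the predicted values shift with the cipher, so compare against the phase 2 settings actually in use.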

  • Hallelujah!!! It works! I changed the MTU down to 1400 and it is working now. The ISP must have made some changes recently, which explains the sudden problems. Does anybody foresee any problems running the MTU this low? Do I need to change the MTUs of the remote sites to match? This is my first experience with an MTU problem and I want to learn as much as possible in case I run into it again.

    Thanks again for all your help dotdash.

  • AFAIK, running with the MTU at 1400 should not cause any issues. Your box will have to work slightly harder, but unless your hardware is already running near capacity, it shouldn't be a problem. Ideally, you could get the equipment that is causing the issue fixed and set the MTU back, but this is not always possible. I would trace the route and do some tests. With more specific information, it might be easier to get your ISP to investigate. As for the remote sites, they should be fine with their default MTUs.
