Ping works on both client and server subnets, but I can't ssh to any server
-
I've been trying to connect to a pfSense server via OpenVPN. Everything is connected and ping works from each subnet to the other, but ssh doesn't work.
It connects, but then the connection stalls and is reset by the server.
Using tcpdump and Wireshark, I've noticed a lot of TCP "Spurious Retransmissions". I've tried to work on the MTU, using "fragment 1200; mssfix" on both client and server, but it's not working.
Have you any clues about what I'm missing?
-
Where exactly are you sniffing? And retransmissions would be there if the client doesn't see a syn,ack to its syn, etc.
Lots of things could be wrong. Same network on both sides comes to mind. Asymmetrical routing is another. Firewall on the server is another, etc.
-
I was sniffing on the routers and on the two servers (ssh client and server).
The two networks are different; I've unblocked traffic from the other private network on both routers, ping works perfectly, and the firewalls are as minimal as possible.
I'll try to post my configs tomorrow at work.
-
What routers? pfSense? Is that in both locations, and is this a site-to-site?
Or are the people connecting in road warriors?
-
OK, sorry, it's not clear. I'll try to draw a map of the network:

hq network 10.XX.6.0/24 ---- 10.XX.6.1 [ pfSense ] 10.YY.0.1 ---- VPN over internet ---- 10.YY.0.2 [ pfSense ] 10.XX.1.1 ---- remote site 10.XX.1.0/24

It's a site-to-site configuration. Ping works all across the system; increasing the size of the ping data makes it fail:
$ ping 10.XX.1.2 -s 1472
PING 10.XX.1.2 (10.XX.1.2) 1472(1500) bytes of data.
1480 bytes from 10.XX.1.2: icmp_seq=1 ttl=62 time=17.3 ms
1480 bytes from 10.XX.1.2: icmp_seq=2 ttl=62 time=17.1 ms
--- 10.XX.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 17.128/17.216/17.304/0.088 ms

$ ping 10.66.1.2 -s 1473
PING 10.66.1.2 (10.66.1.2) 1473(1501) bytes of data.
--- 10.66.1.2 ping statistics ---
101 packets transmitted, 0 received, 100% packet loss, time 99999ms
-
"ping 10.66.1.2 -s 1473"
Well, how do you expect that to work exactly? You have exceeded your MTU. Ping doesn't normally fragment well ;) What does that have to do with anything when you adjusted your MTU to 1200? Not sure how that is a troubleshooting step or what you expect it to show.
This is the second thread where I have seen a mask of /24 but changing the second octet in the network vs the 3rd octet, where that /24 makes sense.
You sure you're using a /24 and not a /16?? And why in the hell are you trying to obfuscate RFC 1918??
So where exactly are you sniffing?
If your HQ machine is trying to talk to the remote site ssh server, for example, I would sniff on 10.xx.1.1 of pfSense on the remote site interface. Do you see the syn from this HQ client being sent on to the ssh server? Do you see an answer? Do you not see the syn at all? What does a traceroute show from your HQ box to the IP of your ssh server?
-
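The ping size test above only shows that a 1501-byte packet never makes it across; it cannot tell fragmentation loss from a plain MTU limit. The following added example (not code from any poster in this thread) does the same measurement the way a troubleshooter would: it sets the DF bit with Linux iputils ping and binary-searches for the largest payload that still crosses the path, then reports the resulting path MTU. The `TARGET` variable and the `sim_probe` function are assumptions for demonstration.

```shell
#!/bin/sh
# Added example, not from this thread: binary-search the largest ICMP payload
# that crosses a path unfragmented and report the resulting path MTU.
# Assumes Linux iputils ping (-M do sets the DF bit, -s sets the payload size).

# find_path_mtu PROBE LO HI
#   PROBE: a function or command that takes a payload size and exits 0
#          when a packet of that size gets through unfragmented.
#   LO: a payload size known to work, HI: a size known to fail.
# Prints the path MTU = payload + 8 (ICMP header) + 20 (IPv4 header).
find_path_mtu() {
    probe=$1; lo=$2; hi=$3
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then
            lo=$mid      # still fits, search upward
        else
            hi=$mid      # too big, search downward
        fi
    done
    echo $((lo + 28))
}

# Real probe: one DF-marked ping with a 1 s timeout against $TARGET.
# Because DF is set, an oversized probe fails outright instead of being
# fragmented, which the plain "ping -s 1473" in the thread could not show.
ping_probe() {
    ping -c 1 -W 1 -M do -s "$1" "$TARGET" >/dev/null 2>&1
}

# Constructed probe for offline demonstration: simulates a 1500-byte path,
# i.e. a 1472-byte payload passes and anything larger is dropped.
sim_probe() {
    [ "$1" -le 1472 ]
}

if [ -n "${TARGET:-}" ]; then
    find_path_mtu ping_probe 0 1600      # e.g. TARGET=10.XX.1.2 sh pmtu.sh
else
    find_path_mtu sim_probe 0 1600       # prints 1500
fi
```

The reported value is the path MTU for traffic between the two endpoints; OpenVPN's own encapsulation has to fit inside the physical path MTU, which is what the "fragment" and "mssfix" settings from the opening post adjust.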
"ping 10.66.1.2 -s 1473"
"Well, how do you expect that to work exactly? You have exceeded your MTU. Ping doesn't normally fragment well ;) What does that have to do with anything when you adjusted your MTU to 1200? Not sure how that is a troubleshooting step or what you expect it to show."
I didn't expect it to work well, I just wanted to test the MTU of the network.
"This is the second thread where I have seen a mask of /24 but changing the second octet in the network vs the 3rd octet, where that /24 makes sense."
You're talking about the 10.YY.0.0/24 OpenVPN network? It's the default value in OpenVPN.
"You sure you're using a /24 and not a /16??"
Yes.
"And why in the hell are you trying to obfuscate RFC 1918??"
Because I'm paranoid!
"So where exactly are you sniffing?"
"If your HQ machine is trying to talk to the remote site ssh server, for example, I would sniff on 10.xx.1.1 of pfSense on the remote site interface. Do you see the syn from this HQ client being sent on to the ssh server? Do you see an answer? Do you not see the syn at all? What does a traceroute show from your HQ box to the IP of your ssh server?"
I've been sniffing on both pfSense machines, on a machine on the HQ network A and on a server on the remote network B.
I see traffic trying to ssh from A to B, the sshd server logs the connection, but many packets are wrongly retransmitted (spurious retransmission in Wireshark) and the server closes it.
The traceroute is OK; mtr shows no packet drops...
-
"but many packets are wrongly retransmitted (spurious retransmission in Wireshark) and the server closes it."
So you're saying you sniff on the ssh server, and it sees the SYN, and continues to see more SYNs, even though it sent a syn,ack?? Well, you need to follow this syn,ack back. Why is the syn,ack not getting back to the client that is trying to connect to the ssh server?
Why don't you post up a sniff on the client machine and a sniff on the ssh server taken at the same time, and we can figure out what is getting dropped where.
So the ssh server side sees the syn,ack back from the ssh server; where does it send it? Follow it back. If it was getting back to the client in a timely fashion, then the ssh client would not be resending the syn, etc.
-
Here are the two tcpdumps from the client and the server.
I've also noticed that I can ssh through the tunnel from the local pfSense to the remote pfSense, and from the remote pfSense to any machine in our local network!
-
"and from the remote pfSense to any machine in our local network!"
But you cannot from remote machines to the local network, or from the local network to remote machines?
Looks like the initial syn and syn,ack worked but then it's having trouble. Can you post up the actual sniffs so I can see the details of the seq and ack numbers of what is being seen multiple times?
-
I sort of solved the problem: the remote pfSense was on a Xen server, and it's not really ideal... The client is now on a Debian box, and everything works fine!
Thanks for your time!
-
There are plenty of people running pfSense on Xen. If I recall, there might be some issues with checksum offloading? Pretty sure there is a sticky on pfSense on Xen.