Device web interface won't respond unless I ping it.

  • Here's my network setup:
One pfSense on each campus connected by IPsec VPN.  One campus is 10.0.x.x/16 and the other is 10.1.x.x/16.  Everything is working well except one type of device.  We have IP based timeclocks on each campus.

    I can pull up the timeclock web interface on the opposite campus just fine by typing in the IP from the opposite campus. (I can get the 10.1.x.x timeclock from the 10.0.x.x endpoints and vice versa).

    If I try to pull the timeclock web interface on the same campus I am on it times out.  If I ping or tracert the timeclock IP address and then open the web interface by IP, it works fine.

I've tried from Windows clients, Windows Server, and Chromebooks and have the same result.  Other devices (printers, copiers, network devices) I have no problems accessing the web interface by IP directly.  I Wireshark my connection and I see the SYN, but no ACKs until I ping the device.

    Any ideas for me?
  • Netgate Administrator

    It sounds like you have some sort of asymmetric route happening. You may be seeing an ICMP redirect that allows the traffic to pass until it times out.

    You need to trace where that syn/ack from the timeclock is going or if the syn ever reaches it.

    The first thing I would do though is check the pfSense firewall logs for blocked flagged or outbound traffic.
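To make the "trace where the SYN/ACK is going" step concrete, here is a small analysis script that is not part of this thread and not Netgate's code. It walks a list of packet records (the kind you would export from the Wireshark capture mentioned in the question; the records below are constructed, with placeholder addresses 10.0.5.20 for a client and 10.0.9.40 for a timeclock) and reports TCP handshakes where a SYN was sent but no SYN/ACK came back within a timeout. It also checks whether the server's first SYN/ACK only appeared after an ICMP echo to that server, which is exactly the "works after I ping it" pattern the poster describes. The `Packet` fields are this example's own assumptions, not a pfSense log format.

```python
"""Spot one-way TCP handshakes (SYN out, no SYN/ACK back) and check whether
replies only start after an ICMP echo to the same host.

Added example for the thread above; packet records are constructed here and
the field layout is an assumption of this script, not a pfSense or
Wireshark export format.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float            # capture timestamp in seconds
    src: str
    dst: str
    proto: str           # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""      # tcp: "S", "SA", "A"; icmp: "echo", "echo-reply"


SYN_TIMEOUT = 3.0        # seconds a SYN may wait for its SYN/ACK before we call it half-open


def find_half_open(packets, timeout=SYN_TIMEOUT):
    """Return (client, server, dport, first_syn_ts) for every 4-tuple whose SYN
    never got a SYN/ACK within `timeout`. Retransmitted SYNs share the tuple,
    so only the first one is recorded."""
    syns = {}            # (src, sport, dst, dport) -> timestamp of first SYN
    answered = set()
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            syns.setdefault((p.src, p.sport, p.dst, p.dport), p.ts)
        elif p.flags == "SA":
            key = (p.dst, p.dport, p.src, p.sport)   # reverse direction of the SYN
            if key in syns and p.ts - syns[key] <= timeout:
                answered.add(key)
    return [(k[0], k[2], k[3], ts) for k, ts in syns.items() if k not in answered]


def reply_only_after_echo(packets, server):
    """True when a SYN to `server` was already pending, an ICMP echo to
    `server` was sent later, and the server's first SYN/ACK came after that
    echo: the 'it works once I ping it' signature."""
    pkts = sorted(packets, key=lambda p: p.ts)
    first_syn = next((p.ts for p in pkts
                      if p.proto == "tcp" and p.dst == server and p.flags == "S"), None)
    first_echo = next((p.ts for p in pkts
                       if p.proto == "icmp" and p.dst == server and p.flags == "echo"), None)
    first_synack = next((p.ts for p in pkts
                         if p.proto == "tcp" and p.src == server and p.flags == "SA"), None)
    if None in (first_syn, first_echo, first_synack):
        return False
    return first_syn < first_echo < first_synack


# Constructed sample: three unanswered SYNs, a ping, then a handshake that succeeds.
SAMPLE = [
    Packet(0.0, "10.0.5.20", "10.0.9.40", "tcp", 50000, 80, "S"),
    Packet(1.0, "10.0.5.20", "10.0.9.40", "tcp", 50000, 80, "S"),    # SYN retransmit
    Packet(3.0, "10.0.5.20", "10.0.9.40", "tcp", 50000, 80, "S"),    # SYN retransmit
    Packet(10.0, "10.0.5.20", "10.0.9.40", "icmp", flags="echo"),
    Packet(10.1, "10.0.9.40", "10.0.5.20", "icmp", flags="echo-reply"),
    Packet(12.0, "10.0.5.20", "10.0.9.40", "tcp", 50001, 80, "S"),
    Packet(12.0, "10.0.9.40", "10.0.5.20", "tcp", 80, 50001, "SA"),
    Packet(12.0, "10.0.5.20", "10.0.9.40", "tcp", 50001, 80, "A"),
]


if __name__ == "__main__":
    for client, server, port, ts in find_half_open(SAMPLE):
        print(f"half-open: {client} -> {server}:{port} (SYN at t={ts}s, no SYN/ACK)")
    print("reply gated by ping:", reply_only_after_echo(SAMPLE, "10.0.9.40"))
```

If `find_half_open` flags a client-side capture, the next capture to take is on the timeclock side (a SPAN port or the pfSense interface facing it), so you can tell whether the SYN arrives and the SYN/ACK leaves towards the wrong gateway, or whether the SYN never arrives at all; the same script run on that capture answers the administrator's question directly.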