Netgate Discussion Forum
    PF scrubbing kills RDC and HTTP over IPSEC?

    General pfSense Questions | 8 Posts, 3 Posters, 4.1k Views
    Delex

      I have a setup where 2 of our offices use pfSense 1.2 Release on Soekris hardware; both locations have multiple WAN and IPsec tunnels on both WAN connections. One of these tunnels connects the office networks behind the pfSense boxes and is used for different purposes, one of them being remote desktop connections to an application server in the other office.

      Now, in order to solve a problem with a tax reporting program, where I suspect big packets are not sent/received correctly by the tax department, I disabled Firewall Scrub in one office.

      After this RDC did not work and some HTTP pages on servers also timed out (HTTP(S) to pfSense and Cisco switches was OK). After enabling Firewall Scrub everything came back to life again.

      Is this a known problem?
      And can it be solved by simply disabling scrub on both pfSense boxes?

      Unfortunately I cannot go testing different settings for a couple of hours since this is a working environment, any input will be appreciated.

        l00pback0

        Check out this link and let me know if it helps…

        http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml

          Delex

          Not sure if this is it; ICMP traffic is allowed through the tunnel, so renegotiation of packet size should work.
          It might however explain why the tax application doesn't work properly. I'll need to check this by looking at the packets sent and received by the application.

          I found it a bit strange that disabling scrub had this effect to tunnel traffic.

          Thanks for your input.

            cmb

            The version of FreeBSD used by 1.2 can create a PMTU black hole with IPsec, try 1.2.1 as the version of FreeBSD it uses shouldn't do that.

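The PMTU black hole cmb refers to is easier to reason about with numbers. The following is an added example, not code from the thread or from pfSense: it computes the ESP tunnel-mode overhead for a few common transforms (header sizes per RFC 4303, RFC 2404 and RFC 4106), derives the largest inner packet that still fits a 1500-byte WAN MTU and the TCP MSS a gateway would have to clamp to, and then runs a small model of a PMTUD sender against a two-hop path. The path, the hop names, the `Hop` class and the "silent gateway" flag are constructed assumptions for the demo; a hop that drops oversized DF packets without returning ICMP Fragmentation Needed is the black hole, and a clamped MSS is what lets full-size RDP or HTTP segments through regardless. Small packets (interactive SSH, HTTPS to the firewall itself) never exceed the inner MTU, which is consistent with only bulk traffic failing.

```python
"""ESP overhead, MSS clamp value, and a PMTU black-hole model (added example)."""
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20
ESP_SPI_SEQ = 8      # ESP header: SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1), inside the encrypted part

# transform -> (IV bytes, padding alignment, ICV bytes)
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "3des-cbc/hmac-md5-96": (8, 8, 12),
    "aes-gcm-16": (8, 4, 16),  # GCM: 8-byte IV, 4-byte alignment, 16-byte ICV
}


def esp_tunnel_size(inner_len, transform):
    """Outer IPv4 length for an inner IPv4 packet carried in ESP tunnel mode."""
    iv, align, icv = TRANSFORMS[transform]
    payload = inner_len + ESP_TRAILER
    padded = -(-payload // align) * align        # round up to the cipher alignment
    return IPV4_HDR + ESP_SPI_SEQ + iv + padded + icv


def max_inner_len(wan_mtu, transform):
    """Largest inner packet whose ESP encapsulation still fits the WAN MTU."""
    n = wan_mtu
    while esp_tunnel_size(n, transform) > wan_mtu:
        n -= 1
    return n


def clamp_mss(wan_mtu, transform):
    """TCP MSS a gateway should clamp SYNs to so segments never need fragmentation."""
    return max_inner_len(wan_mtu, transform) - IPV4_HDR - TCP_HDR


@dataclass
class Hop:
    """Constructed model of one forwarding hop; icmp_too_big=False is the black hole."""
    name: str
    mtu: int
    icmp_too_big: bool = True


def pmtud_send(path, mss, retries=3):
    """Classic PMTUD sender (RFC 1191): DF set, shrink MSS on ICMP Fragmentation Needed.

    A hop that drops silently is retried `retries` times, then the flow is reported hung.
    Returns (outcome, final_mss).
    """
    attempts = 0
    while True:
        size = mss + IPV4_HDR + TCP_HDR
        for hop in path:
            if size > hop.mtu:
                if hop.icmp_too_big:
                    mss = hop.mtu - IPV4_HDR - TCP_HDR   # honest hop: learn the PMTU and retry
                    break
                attempts += 1                             # silent hop: segment just vanishes
                if attempts > retries:
                    return ("hung", mss)
                break
        else:
            return ("delivered", mss)


def build_path(transform, wan_mtu=1500, gateway_sends_icmp=False):
    """Assumed topology: a 1500-byte LAN switch, then the IPsec gateway limited by ESP overhead."""
    inner_mtu = max_inner_len(wan_mtu, transform)
    return [Hop("lan-switch", 1500), Hop("ipsec-gateway", inner_mtu, gateway_sends_icmp)]


def demo(transform="aes-cbc/hmac-sha1-96"):
    """Same silent gateway, once with the host's default MSS and once with a clamped MSS."""
    path = build_path(transform)
    no_clamp = pmtud_send(path, 1500 - IPV4_HDR - TCP_HDR)   # host assumes 1500-byte path
    clamped = pmtud_send(path, clamp_mss(1500, transform))
    return no_clamp, clamped


if __name__ == "__main__":
    for t in TRANSFORMS:
        print(f"{t:22s} max inner {max_inner_len(1500, t)}  clamp MSS {clamp_mss(1500, t)}")
    print("silent gateway, default MSS / clamped MSS:", demo())
    print("gateway that sends ICMP:", pmtud_send(build_path("aes-cbc/hmac-sha1-96", gateway_sends_icmp=True), 1460))
```

The model reproduces the two observations in the thread: with a gateway that silently drops oversize DF packets, any connection that sends full-size segments hangs after the handshake, while a clamped MSS (which pf's scrub can apply) sidesteps PMTUD entirely; a gateway that does return ICMP converges on the same MSS on its own.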
              Delex

              I was already planning to upgrade to 1.2.1; if this might also solve this issue, there is even more reason to do so.
              As soon as I have 1.2.1 running I'll try the setting again to see what happens.

              Thanks.

                Delex

                The firewall on one end is now running pfSense 1.2.1, and if I disable scrubbing remote desktop doesn't work; when it's back on the standard (enabled) setting RDC is running again.
                Anyway I leave the option as it is and will try to figure out my initial problem, I did see some new options in the diagnostic menu, so will give these a try.

                Regards.

                  cmb

                  You'll need to upgrade both ends.

                    Delex

                    I thought so, but meanwhile I found that disabling scrubbing won't solve the problem with sending messages from the tax report programs. They're a nightmare to set up and maintain, and I'm more and more convinced that this system is causing the problem and not the connection, so there is no need for the setting. I will upgrade the second box anyway, but that will have to wait until I'm on site.

                    Thanks for the suggestions.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.