PF scrubbing kills RDC and HTTP over IPSEC?
-
I have a setup where 2 of our offices use PF sense 1.2 Release on Soekris hardware, both locations have mutiple WAN and IPSEC tunnels on both WAN connections. One of these tunnels connects the office networks behind the PF sense boxes and is used different purposes, one of them being remote desktop connections to an application server in the other office.
Now: in order to solve a problem with a tax reporting program where I suspect big packets are not send/received correctly by the tax department I Disabled Firewall Scrub in one office.
After this RDC did not work and some HTTP pages on servers also timed out (http{s} to pfsense and cisco switches was ok). After enabling Firewall Scrub everything came back to live again.
Is this a known problem?
And can it be solved by simply disabling scrub on both pf sense boxes?Unfortunately I cannot go testing different settings for a couple of hours since this is a working environment, any input will be appreciated.
-
Check out this link and let me know if it helps…
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml
-
Not sure if this is it, ICMP traffic is allowed through the tunnel so renegotiation of packet size should work.
It might however explain why the tax application doesn't work properly, I'll need to check this by looking at the packages send and received by the application.I found it a bit strange that disabling scrub had this effect to tunnel traffic.
Thanks for your input.
-
The version of FreeBSD used by 1.2 can create a PMTU black hole with IPsec, try 1.2.1 as the version of FreeBSD it uses shouldn't do that.
-
I was already planning to upgrade to 1.2.1, if this might solve this issue also there is even more reason to do so.
As soon as I have 1.2.1 running I'll try the setting again to see what happens.Thanks.
-
The firewall on 1 end is now running pfsense 1.2.1 and if I disable scrubbing remote desktop doesn't, when its back on standard (enable) RDC is also running again.
Anyway I leave the option as it is and will try to figure out my initial problem, I did see some new options in the diagnostic menu, so will give these a try.Regards.
-
You'll need to upgrade both ends.
-
I thought so, but meanwhile I found that disabling scrubbing won't solve the problem with sending messages from the tax report programs. Their a nightmare to setup and maintain and I'm more and more convinced that this system is causing the problem and not the connection, so there is no need for the setting. I will upgrade the second box anyway but that will have to wait until I'm on site.
Thanks for the suggestions.