Netgate Discussion Forum
    TCP not routing through IPsec tunnel - MSS issue?

    IPsec
    11 Posts 3 Posters 1.5k Views
      baketopher
      last edited by baketopher

      The symptom is that none of my endpoints can access any website when pfSense is connected to the tunnel, but I can get a ping up to 1299 bytes through and DNS queries work. Any pings equal to or larger than 1300 bytes fail.

      I've tried setting the MSS clamping to 1200 on the advanced tab of the IPsec config, but it doesn't seem to make any difference. I've also tried lowering it even further with no success. I've also tried setting the MTU and MSS settings on the WAN interface but no luck there either. I've tried setting the "Clear invalid DF bits instead of dropping the packets" in the Advanced settings, but also no luck. I've configured the same IPsec tunnel for Cisco ASA and CSR successfully but I had to set a MSS clamp of 1200 to get it to work. Are there any known issues with the MSS setting for IPsec? I'm running pfSense 2.4.4. Any suggestions of what to try or test would be welcome. Thanks!

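      The "1299 works, 1300 fails" observation in the post above is exactly what a DF-bit ping sweep produces, and it can be turned into the MSS value a clamp would need. The script below is an added example written for this thread, not code from the original post or from pfSense: it binary-searches the largest echo payload that passes, converts it to the path MTU (payload + 8-byte ICMP header + 20-byte IPv4 header) and then to the TCP MSS (MTU minus 40 bytes of IPv4 and TCP headers, assuming no TCP options). The default probe is a simulated path with a constructed MTU of 1327 so the script runs offline; the `real_probe` helper and the `10.0.0.1` host are placeholders showing how the same search would drive a real `ping -M do` (Linux iputils) or `ping -D` (FreeBSD, as on pfSense).

```python
"""Path-MTU probe and MSS derivation for a tunnel path (added example)."""
import subprocess
from typing import Callable

IPV4_HEADER = 20   # IPv4 header without options
ICMP_HEADER = 8    # ICMP echo header
TCP_HEADER = 20    # TCP header without options
MAX_PAYLOAD_1500 = 1500 - IPV4_HEADER - ICMP_HEADER  # 1472: largest echo payload on a 1500-byte link


def simulated_probe(mtu: int) -> Callable[[int], bool]:
    """Stand-in for a DF ping: an echo with payload p passes iff the IP packet fits in mtu.

    The mtu value is constructed for the example (1327 reproduces the thread's symptom).
    """
    def probe(payload: int) -> bool:
        return payload + ICMP_HEADER + IPV4_HEADER <= mtu
    return probe


def ping_df_command(host: str, payload: int, os_family: str = "linux") -> list:
    """Build a single DF-set echo request of the given payload size.

    Linux iputils uses -M do (never fragment); FreeBSD ping uses -D.
    host is a placeholder supplied by the caller.
    """
    if os_family == "linux":
        return ["ping", "-M", "do", "-c", "1", "-s", str(payload), host]
    if os_family == "freebsd":
        return ["ping", "-D", "-c", "1", "-s", str(payload), host]
    raise ValueError(f"unsupported os_family: {os_family}")


def real_probe(host: str, os_family: str = "linux") -> Callable[[int], bool]:
    """Probe that runs ping for real; a zero exit status means the echo came back."""
    def probe(payload: int) -> bool:
        result = subprocess.run(ping_df_command(host, payload, os_family),
                                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return result.returncode == 0
    return probe


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = MAX_PAYLOAD_1500) -> int:
    """Largest payload in [lo, hi] that passes, by binary search.

    Assumes monotonicity: if a size passes, every smaller size passes too.
    Returns -1 when even the smallest size fails (path down or DF always dropped).
    """
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits, look for something larger
        else:
            hi = mid - 1      # mid is too big
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """Echo payload size -> size of the IPv4 packet that carried it."""
    return payload + ICMP_HEADER + IPV4_HEADER


def mss_from_payload(payload: int) -> int:
    """Echo payload size -> TCP MSS that keeps a full segment within that path MTU."""
    return path_mtu_from_payload(payload) - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    # Offline run against the constructed 1327-byte path.
    probe = simulated_probe(1327)
    best = find_max_payload(probe)
    print(f"largest passing payload: {best}")                 # 1299
    print(f"path MTU: {path_mtu_from_payload(best)}")          # 1327
    print(f"MSS to clamp to: {mss_from_payload(best)}")        # 1287
    print("real probe would run:", " ".join(ping_df_command("10.0.0.1", best, "freebsd")))
```

      Run with the simulated probe, the search lands on 1299 bytes, a 1327-byte path MTU and an MSS of 1287; a clamp of 1200 as tried in the post is already well below that, which is why the thread treats the clamp as not taking effect rather than as set too high. Against a live tunnel, swap `simulated_probe(1327)` for `real_probe("<tunnel peer or far-side host>", "freebsd")` on the pfSense shell.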
        Phonebuff
        last edited by

        https://forum.netgate.com/topic/135994/ipsec-mtu-issue-only-from-windows-8

        Similar issue here -- did you find a fix?

          baketopher @Phonebuff
          last edited by baketopher

          @phonebuff said in TCP not routing through IPsec tunnel - MSS issue?:

          https://forum.netgate.com/topic/135994/ipsec-mtu-issue-only-from-windows-8

          Similar issue here -- did you find a fix?

          The only thing that got webpages loaded on endpoints was to reduce the MTU on the client machines. Seems like a bug in pfSense to me.

            chrismacmahon
            last edited by

            Can you try disabling the Asynchronous Cryptography setting?

            This is located under VPN - IPsec - Advanced Settings, at the bottom of the page.

            Need help fast? Our support is available 24/7 https://www.netgate.com/support/

            Do Not PM For Help!

              Phonebuff
              last edited by

              @chrismacmahon

              Thank you for the suggestion. I will try this as soon as I can. But one question: is the setting symmetric, or can I just change the remote end (Windows Workstation)?

              TIA --

                chrismacmahon
                last edited by

                That setting was just released in 2.4.4; as far as I know, it's only on the pfSense side:

                IPsec Speed Improvements: The new Asynchronous Cryptography option under the IPsec Advanced Settings tab can dramatically improve IPsec performance on multi-core hardware.

                  Phonebuff
                  last edited by

                  @chrismacmahon

                  Sorry, I asked the question wrong: this is two pfSense units, a 3100 and a 7100. The Windows box sits at the 3100 (remote) end. Should I turn the option off in both, or can I just turn it off in the 3100?

                    chrismacmahon
                    last edited by

                    I would be interested in the following combinations if you have the ability to test:

                    1: 3100 off, 7100 on
                    2: 3100 on, 7100 off
                    3: 3100 off, 7100 off

                      Phonebuff
                      last edited by

                      @chrismacmahon

                      Okay, let me see what I can arrange to do for you ..

                        Phonebuff @Phonebuff
                        last edited by

                        @chrismacmahon

                        Quick update. So I found out today that the 7100 is at 2.4.1. Additionally, my hands & eyes at the other end is unavailable to work with me till next week, and I cannot risk locking myself out while he is away, so this will have to wait.
                        
                          baketopher @chrismacmahon
                          last edited by

                          @chrismacmahon said in TCP not routing through IPsec tunnel - MSS issue?:

                          Can you try disabling the Asynchronous Cryptography setting?

                          This is located under VPN - IPsec - Advanced Settings, at the bottom of the page.

                          @chrismacmahon - this setting was already disabled in my config - I don't have the box Asynchronous Cryptography checked.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.