TCP not routing through IPsec tunnel - MSS issue?
-
The symptom is that none of my endpoints can access any website when pfSense is connected to the tunnel, but I can get a ping up to 1299 bytes through and DNS queries work. Any pings equal to or larger than 1300 bytes fail.
I've tried setting the MSS clamping to 1200 on the advanced tab of the IPsec config, but it doesn't seem to make any difference. I've also tried lowering it even further with no success. I've also tried setting the MTU and MSS settings on the WAN interface but no luck there either. I've tried setting the "Clear invalid DF bits instead of dropping the packets" in the Advanced settings, but also no luck. I've configured the same IPsec tunnel for Cisco ASA and CSR successfully but I had to set a MSS clamp of 1200 to get it to work. Are there any known issues with the MSS setting for IPsec? I'm running pfSense 2.4.4. Any suggestions of what to try or test would be welcome. Thanks!
-
https://forum.netgate.com/topic/135994/ipsec-mtu-issue-only-from-windows-8
Similar Issue here -- You find a fix ?
-
@phonebuff said in TCP not routing through IPsec tunnel - MSS issue?:
https://forum.netgate.com/topic/135994/ipsec-mtu-issue-only-from-windows-8
Similar Issue here -- You find a fix ?
The only thing that got webpages loaded on endpoints was to reduce the MTU on the client machines. Seems like a bug in pfSense to me.
-
Can you try disabling the setting of Asynchronous Cryptography?
This is located in VPN - IPSEC - Advanced setting bottom of the page.
-
Thank you for the suggestion. I will try this as soon as I can. But one question is the setting symmetric or can I just can the remote end.. (Windows Workstation).
TIA --
-
That setting was just released in 2.4.4, as far as I know it's only on the pfSense side:
-
Sorry I asked the question wrong this is two pfSense units. a 3100 and a 7100. the Windows box sits at the 3100 (remote) end. Should I turn the option off in both or can I just turn it off in the 3100.
-
I would be interested in the following combinations if you have the ability to test:
1: 3100 off, 7100 on
2: 3100 on, 7100 off
3: 3100 off, 7100 off -
Okay, let me see what I can arrange to do for you ..
-
Quick update. So I found out today that the 7100 are at 2.4.1 . Additionally, by hands & eyes at the other end is unavailable to work with me till next week and I can not risk locking myself out while he is away so this will have to wait. -
@chrismacmahon said in TCP not routing through IPsec tunnel - MSS issue?:
Can you try disabling the setting of Asynchronous Cryptography?
This is located in VPN - IPSEC - Advanced setting bottom of the page.
@chrismacmahon - this setting was already disabled in my config - I don't have the box Asynchronous Cryptography checked.
