pfSense Azure appliance not passing SMB traffic to Azure



  • So an interesting problem that we've been dealing with. We setup an Azure appliance pfSense and haven't really used it yet outside of configuring some IPSec tunnels (the primary purpose). We got notified by the user that they were seeing some very odd behavior and timeouts when doing anything SMB related.

    Currently what we have right now:

    • pfSense 2.4.3 in our Data Center with an IPSec tunnel to a pfSense Azure Virtual Appliance.

    Currently the only odd behavior we can recreate or find is most SMB tasks from our Data Center side -> Azure just lock up and freeze. We see errors in the windows side about auth failures. We've completely blown away the appliance and rebuilt it from scratch. Did a ton of work on the windows side with no real results. The reason we know it's something crazy with the pfSense appliance is that we rebuilt the IPSec tunnel with a Virtual Network Gateway in Azure and the problem after the routing table updates goes completely away.

    The Azure configuration side.
    Currently there is a resource group that as a Virtual Network of 10.1.0.0/19 that has been broken up in to smaller /24 subnets for the various different work that is to be done.

    We have the WAN on 10.1.14.X and the LAN on 10.1.15.X . We also created a custom Routing Table and associated those subnets within Azure to point to the LAN Address on the pfSense (10.1.15.4). There are also static routes in the pfSense to route the traffic for the various subnets across that same LAN Gateway address.

    ICMP works, RDP Works, and even Azure SMB -> Our Data Center works. We can take a file and copy it through RDP with no problem. That same file over SMB is a no go. Randomly we'll get one server on our side to start transferring files to Azure or maybe even a few but never all of them until we move the VPN to go directly back through Azures' Virtual Network Gateway.

    I can get more detailed but this could be a mile long post, any idea on what in the pfSense or in the routing could be screwing with these SMB packets?

    Thanks in advance


  • LAYER 8 Netgate

    What MSS is being negotiated in the TCP sessions between the Azure VNG and the pfSense IPsec? You might need to enable MSS clamping or something.



  • Currently none, I did read MSS Clamping was suggested and if you can't enable that then set the MTU to 1400 (which is what the pfSense does when enabled). Would I need to enable on both sides? I believe I enabled this earlier and did not see any differences but more than happy to try again.


  • LAYER 8 Netgate

    Packet capture and look at the MSS being negotiated. on the one that works and the one that doesn't.

    pfSense doesn't care that it's SMB. It's not looking that deeply into the packet.



  • I just read that it actually needs MSS Clamping to be 1350 or MTU at 1400 and misread the line in the pfSense as being MTU and not MSS. I just realized my mistake it's been a long three days in troubleshooting this. I just stopped and started the IPSec service on the Azure appliance after making that change and it worked the first few tries (this has happened a few times). I'll go ahead and continue testing to see if the results stick.