TCP issue inside the tunnel

monster4000

Hello

I got 1 tunnel between 2 sites.

Main Site A 10.0.200.0/24
Site B 10.9.96.0/24

I have been trying to set up Rudder.io and Icinga on a server at 10.9.96.4 which needs to reach 10.0.200.0/24 with TCP.
other servers at 10.0.200.0/24 work just fine with Rudder and Icinga, so I know the issue is not an application issue.

my log looks like critical/TcpSocket: Invalid socket:

There is any:any rules at both pfsense A and B,
UDP and Icmp works just fine. im 100% lost any idea´s?

Konstanti

@monster4000

Hey
Need to see what show
/diagnostics/ packet capture
Interface Lan
Host 10.9.96.4
Protocol tcp
Port tcp port inciga

and we still need a file (download capture)

monster4000

Hello

I got the capture here.

0_1549105719338_packetcapture.zip

Konstanti

@monster4000
The that in sight
Is immediately reset the connection
This error often occurs when the TCP port is closed
There may be a firewall (10.9.96.4) that reject connections

Capture Site B

0_1549106181831_09468da0-86df-4859-af88-82d618a8a585-image.png

Capture Site -A

0_1549106245080_ebe1e9d0-f195-45d1-a56a-fbeb11aa0b77-image.png

monster4000

Hello

That seems strange to me:
SiteB
1_1549106526740_Site B.PNG
SiteA
0_1549106526739_Site A.PNG

There is no firewall active on the linux servers.

Konstanti

@monster4000

There may be a firewall that drops connections (host 10.9.96.4)
This host (10.0.96.4) is configured to accept connections only from specific networks ?

monster4000

Hello

i´ve have already check 10.9.96.4 for a firewall there is none.
also tested with a fresh ubuntu machine it´s the same

root@pmg:~# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Konstanti

@monster4000
I meant that Icinga is configured to accept connections only from certain networks

monster4000

Hello

never heard of that, it uses ssl to check, but Rudder is using the network and have added that to the list :(

Konstanti

@monster4000 said in

There is still such an idea

mss clamping (both sides)
VPN/IPsec/Advanced Settings
System/Advanced/Networking (both sides)

monster4000

Hello
MSS seem to done the trick, what is MMS?
I already had the other change due to proxmox kvm

monster4000

Hello

Just noticed it breaks large packets of UDP :( hopefully we will get fix soon.
https://redmine.pfsense.org/issues/7801

TCP issue inside the tunnel

Products

Services

Support

News

Resources

Company

Our Mission

Subscribe to our Newsletter