Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    TCP issue inside the tunnel

    Scheduled Pinned Locked Moved IPsec
    12 Posts 2 Posters 1.5k Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M Offline
      monster4000
      last edited by monster4000

      Hello

      I got 1 tunnel between 2 sites.

      Main Site A 10.0.200.0/24
      Site B 10.9.96.0/24

      I have been trying to set up Rudder.io and Icinga on a server at 10.9.96.4 which needs to reach 10.0.200.0/24 with TCP.
      other servers at 10.0.200.0/24 work just fine with Rudder and Icinga, so I know the issue is not an application issue.

      my log looks like critical/TcpSocket: Invalid socket:

      There is any:any rules at both pfsense A and B,
      UDP and Icmp works just fine. im 100% lost any idea´s?

      K 1 Reply Last reply Reply Quote 0
      • K Offline
        Konstanti @monster4000
        last edited by

        @monster4000

        Hey
        Need to see what show
        /diagnostics/ packet capture
        Interface Lan
        Host 10.9.96.4
        Protocol tcp
        Port tcp port inciga

        and we still need a file (download capture)

        1 Reply Last reply Reply Quote 0
        • M Offline
          monster4000
          last edited by

          Hello

          I got the capture here.

          0_1549105719338_packetcapture.zip

          K 1 Reply Last reply Reply Quote 0
          • K Offline
            Konstanti @monster4000
            last edited by Konstanti

            @monster4000
            The that in sight
            Is immediately reset the connection
            This error often occurs when the TCP port is closed
            There may be a firewall (10.9.96.4) that reject connections

            Capture Site B

            0_1549106181831_09468da0-86df-4859-af88-82d618a8a585-image.png

            Capture Site -A

            0_1549106245080_ebe1e9d0-f195-45d1-a56a-fbeb11aa0b77-image.png

            1 Reply Last reply Reply Quote 0
            • M Offline
              monster4000
              last edited by

              Hello

              That seems strange to me:
              SiteB
              1_1549106526740_Site B.PNG
              SiteA
              0_1549106526739_Site A.PNG

              There is no firewall active on the linux servers.

              K 1 Reply Last reply Reply Quote 0
              • K Offline
                Konstanti @monster4000
                last edited by Konstanti

                @monster4000

                There may be a firewall that drops connections (host 10.9.96.4)
                This host (10.0.96.4) is configured to accept connections only from specific networks ?

                1 Reply Last reply Reply Quote 0
                • M Offline
                  monster4000
                  last edited by

                  Hello

                  i´ve have already check 10.9.96.4 for a firewall there is none.
                  also tested with a fresh ubuntu machine it´s the same

                  root@pmg:~# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
                  K 2 Replies Last reply Reply Quote 0
                  • K Offline
                    Konstanti @monster4000
                    last edited by

                    @monster4000
                    I meant that Icinga is configured to accept connections only from certain networks

                    1 Reply Last reply Reply Quote 0
                    • M Offline
                      monster4000
                      last edited by

                      Hello

                      never heard of that, it uses ssl to check, but Rudder is using the network and have added that to the list :(

                      1 Reply Last reply Reply Quote 0
                      • K Offline
                        Konstanti @monster4000
                        last edited by Konstanti

                        @monster4000 said in

                        There is still such an idea

                        1. mss clamping (both sides)
                          VPN/IPsec/Advanced Settings
                          0_1549107209109_bc21808e-677f-4681-a124-872a597d7632-image.png

                        2. System/Advanced/Networking (both sides)
                          0_1549107342669_bebb80b7-1053-4a47-8b95-8b207cb31f14-image.png

                        1 Reply Last reply Reply Quote 0
                        • M Offline
                          monster4000
                          last edited by monster4000

                          Hello
                          MSS seem to done the trick, what is MMS?
                          I already had the other change due to proxmox kvm

                          1 Reply Last reply Reply Quote 0
                          • M Offline
                            monster4000
                            last edited by

                            Hello

                            Just noticed it breaks large packets of UDP :( hopefully we will get fix soon.
                            https://redmine.pfsense.org/issues/7801

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.