Netgate Discussion Forum

    Stunnel Connection Timeouts

    pfSense Packages
      alteredstate

      Hello Everyone,

      This used to work perfectly, but I'm not sure what happened. I'm using the pfSense (2.4.4-RELEASE-p3) Stunnel (5.50) package to connect to Blue Iris security camera software installed on Windows 10. I can connect to the Blue Iris web interface as well as through the Blue Iris Android app (which is essentially using the web interface) and even view the live video feed. However, if I click out of the live video feed of one camera and try to view another, I receive a timeout. The strange thing is this only happens if I'm connecting from outside of my local network. If I do this through my OpenVPN on pfSense or on my LAN/WiFi, then everything works great even though I'm using the same URL.

      Here is when I connect through my Blue Iris Android app (no OpenVPN). I'm able to log in and watch a video stream, but then the app times out if I try to view another video feed or navigate back and forth. Doing this through a web browser also shows timeouts.

      Sep 30 12:18:10	stunnel		LOG5[19]: Connection closed: 184390 byte(s) sent to TLS, 340 byte(s) sent to socket
      Sep 30 12:18:10	stunnel		LOG3[19]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
      Sep 30 12:18:09	stunnel		LOG6[19]: Read socket closed (readsocket)
      Sep 30 12:18:09	stunnel		LOG5[19]: Service [Blue Iris] connected remote server from 192.168.30.1:9941
      Sep 30 12:18:09	stunnel		LOG6[19]: persistence: 192.168.30.2:81 cached
      Sep 30 12:18:09	stunnel		LOG5[19]: s_connect: connected 192.168.30.2:81
      Sep 30 12:18:09	stunnel		LOG6[19]: s_connect: connecting 192.168.30.2:81
      Sep 30 12:18:09	stunnel		LOG6[19]: TLSv1.2 ciphersuite: ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
      Sep 30 12:18:09	stunnel		LOG6[19]: TLS accepted: new session negotiated
      Sep 30 12:18:09	stunnel		LOG6[19]: No peer certificate received
      Sep 30 12:18:09	stunnel		LOG6[19]: Peer certificate not required
      Sep 30 12:18:09	stunnel		LOG5[19]: Service [Blue Iris] accepted connection from 70.88.30.238:45558
      Sep 30 12:18:09	stunnel		LOG5[16]: Connection closed: 364416 byte(s) sent to TLS, 269 byte(s) sent to socket
      Sep 30 12:18:09	stunnel		LOG6[16]: TLS socket closed (SSL_read)
      Sep 30 12:18:08	stunnel		LOG5[18]: Connection closed: 895 byte(s) sent to TLS, 307 byte(s) sent to socket
      Sep 30 12:18:08	stunnel		LOG3[18]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
      Sep 30 12:18:08	stunnel		LOG6[18]: TLS closed (SSL_read)
      Sep 30 12:18:08	stunnel		LOG5[18]: Service [Blue Iris] connected remote server from 192.168.30.1:34341
      Sep 30 12:18:08	stunnel		LOG6[18]: persistence: 192.168.30.2:81 cached
      Sep 30 12:18:08	stunnel		LOG5[18]: s_connect: connected 192.168.30.2:81
      Sep 30 12:18:08	stunnel		LOG6[18]: s_connect: connecting 192.168.30.2:81
      Sep 30 12:18:08	stunnel		LOG6[18]: TLSv1.2 ciphersuite: ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
      Sep 30 12:18:08	stunnel		LOG6[18]: TLS accepted: new session negotiated
      Sep 30 12:18:08	stunnel		LOG6[18]: No peer certificate received
      Sep 30 12:18:08	stunnel		LOG6[18]: Peer certificate not required
      Sep 30 12:18:08	stunnel		LOG5[18]: Service [Blue Iris] accepted connection from 70.88.30.238:45556
      Sep 30 12:18:03	stunnel		LOG5[17]: Connection closed: 895 byte(s) sent to TLS, 307 byte(s) sent to socket
      Sep 30 12:18:03	stunnel		LOG3[17]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
      Sep 30 12:18:03	stunnel		LOG6[17]: SSL_shutdown successfully sent close_notify alert
      Sep 30 12:18:03	stunnel		LOG6[17]: Read socket closed (readsocket)
      Sep 30 12:18:03	stunnel		LOG5[17]: Service [Blue Iris] connected remote server from 192.168.30.1:20582
      Sep 30 12:18:03	stunnel		LOG6[17]: persistence: 192.168.30.2:81 cached
      Sep 30 12:18:03	stunnel		LOG5[17]: s_connect: connected 192.168.30.2:81
      Sep 30 12:18:03	stunnel		LOG6[17]: s_connect: connecting 192.168.30.2:81
      Sep 30 12:18:03	stunnel		LOG6[17]: TLSv1.2 ciphersuite: ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
      Sep 30 12:18:03	stunnel		LOG6[17]: TLS accepted: new session negotiated
      Sep 30 12:18:03	stunnel		LOG6[17]: No peer certificate received
      Sep 30 12:18:03	stunnel		LOG6[17]: Peer certificate not required
      Sep 30 12:18:03	stunnel		LOG5[17]: Service [Blue Iris] accepted connection from 70.88.30.238:45554
      

      Here is when I first establish an OpenVPN connection and then open the Blue Iris Android app which works great and does not time out:

      Sep 30 12:35:53	stunnel		LOG5[241]: Connection closed: 65503 byte(s) sent to TLS, 248 byte(s) sent to socket
      Sep 30 12:35:53	stunnel		LOG3[241]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
      Sep 30 12:35:53	stunnel		LOG6[241]: Read socket closed (readsocket)
      Sep 30 12:35:53	stunnel		LOG5[241]: Service [Blue Iris] connected remote server from 192.168.30.1:52310
      Sep 30 12:35:53	stunnel		LOG6[241]: persistence: 192.168.30.2:81 cached
      Sep 30 12:35:53	stunnel		LOG5[241]: s_connect: connected 192.168.30.2:81
      Sep 30 12:35:53	stunnel		LOG6[241]: s_connect: connecting 192.168.30.2:81
      Sep 30 12:35:53	stunnel		LOG6[241]: TLSv1.2 ciphersuite: ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
      Sep 30 12:35:53	stunnel		LOG6[241]: TLS accepted: previous session reused
      Sep 30 12:35:53	stunnel		LOG5[240]: Connection closed: 5991 byte(s) sent to TLS, 240 byte(s) sent to socket
      Sep 30 12:35:53	stunnel		LOG3[240]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
      Sep 30 12:35:53	stunnel		LOG6[240]: SSL_shutdown successfully sent close_notify alert
      Sep 30 12:35:53	stunnel		LOG6[240]: Read socket closed (readsocket)
      Sep 30 12:35:53	stunnel		LOG6[241]: Peer certificate not required
      Sep 30 12:35:53	stunnel		LOG5[241]: Service [Blue Iris] accepted connection from 10.68.77.2:58342
      Sep 30 12:35:53	stunnel		LOG5[240]: Service [Blue Iris] connected remote server from 192.168.30.1:4683
      Sep 30 12:35:53	stunnel		LOG6[240]: persistence: 192.168.30.2:81 cached
      Sep 30 12:35:53	stunnel		LOG5[240]: s_connect: connected 192.168.30.2:81
      Sep 30 12:35:53	stunnel		LOG6[240]: s_connect: connecting 192.168.30.2:81
      Sep 30 12:35:53	stunnel		LOG6[240]: TLSv1.2 ciphersuite: ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
      Sep 30 12:35:53	stunnel		LOG6[240]: TLS accepted: previous session reused
      Sep 30 12:35:53	stunnel		LOG5[239]: Connection closed: 85960 byte(s) sent to TLS, 248 byte(s) sent to socket
      Sep 30 12:35:53	stunnel		LOG3[239]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
      Sep 30 12:35:53	stunnel		LOG6[239]: SSL_shutdown successfully sent close_notify alert
      Sep 30 12:35:52	stunnel		LOG6[239]: Read socket closed (readsocket)
      Sep 30 12:35:52	stunnel		LOG6[240]: Peer certificate not required
      Sep 30 12:35:52	stunnel		LOG5[240]: Service [Blue Iris] accepted connection from 10.68.77.2:58340
      Sep 30 12:35:52	stunnel		LOG5[238]: Connection closed: 8780 byte(s) sent to TLS, 236 byte(s) sent to socket
      Sep 30 12:35:52	stunnel		LOG3[238]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
      Sep 30 12:35:52	stunnel		LOG6[238]: SSL_shutdown successfully sent close_notify alert
      Sep 30 12:35:52	stunnel		LOG6[238]: Read socket closed (readsocket)
      Sep 30 12:35:52	stunnel		LOG5[237]: Connection closed: 894 byte(s) sent to TLS, 307 byte(s) sent to socket
      Sep 30 12:35:52	stunnel		LOG3[237]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
      Sep 30 12:35:52	stunnel		LOG6[237]: SSL_shutdown successfully sent close_notify alert
      Sep 30 12:35:52	stunnel		LOG6[237]: Read socket closed (readsocket)
      Sep 30 12:35:52	stunnel		LOG5[238]: Service [Blue Iris] connected remote server from 192.168.30.1:24215
      Sep 30 12:35:52	stunnel		LOG6[238]: persistence: 192.168.30.2:81 cached
      Sep 30 12:35:52	stunnel		LOG5[238]: s_connect: connected 192.168.30.2:81
      Sep 30 12:35:52	stunnel		LOG6[238]: s_connect: connecting 192.168.30.2:81
      Sep 30 12:35:52	stunnel		LOG6[238]: TLSv1.2 ciphersuite: ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
      Sep 30 12:35:52	stunnel		LOG6[238]: TLS accepted: new session negotiated
      Sep 30 12:35:52	stunnel		LOG6[238]: No peer certificate received
      Sep 30 12:35:52	stunnel		LOG5[239]: Service [Blue Iris] connected remote server from 192.168.30.1:42731
      

      I did a packet capture on that particular VLAN and noticed there was an RST packet sent, if this has any relevance:
      (Blue Iris = 192.168.30.2)
      [image: packet capture screenshot]

      Anyone have any ideas as to what might be causing this or some different Stunnel options I could try?
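
Added example (not part of the original post): a small Python parser for the stunnel log format shown above. It groups lines by connection id and reports, per client address, the TLS session type, byte counts and whether TIMEOUTclose was exceeded. The sample lines are copied from the two captures in the post; treating the bracketed id as unique per connection within an excerpt is an assumption.

```python
import re
from collections import defaultdict

LINE = re.compile(r"^\s*(\w{3}\s+\d+\s+[\d:]+)\s+stunnel\s+LOG(\d)\[(\d+)\]:\s+(.*)$")
ACCEPT = re.compile(r"accepted connection from ([\d.]+):\d+")
SESSION = re.compile(r"TLS accepted: (new session negotiated|previous session reused)")
CLOSED = re.compile(r"Connection closed: (\d+) byte\(s\) sent to TLS, (\d+) byte\(s\) sent to socket")

# Sample lines copied from the two captures in the post (newest first, as posted).
SAMPLE = """\
Sep 30 12:18:10 stunnel LOG5[19]: Connection closed: 184390 byte(s) sent to TLS, 340 byte(s) sent to socket
Sep 30 12:18:10 stunnel LOG3[19]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
Sep 30 12:18:09 stunnel LOG6[19]: TLS accepted: new session negotiated
Sep 30 12:18:09 stunnel LOG5[19]: Service [Blue Iris] accepted connection from 70.88.30.238:45558
Sep 30 12:35:53 stunnel LOG5[241]: Connection closed: 65503 byte(s) sent to TLS, 248 byte(s) sent to socket
Sep 30 12:35:53 stunnel LOG3[241]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
Sep 30 12:35:53 stunnel LOG6[241]: TLS accepted: previous session reused
Sep 30 12:35:53 stunnel LOG5[241]: Service [Blue Iris] accepted connection from 10.68.77.2:58342
"""

def summarize(log_text):
    """Group stunnel lines by the [id] in the LOGn[id] tag; line order does not matter."""
    conns = defaultdict(lambda: {"client": None, "session": None, "to_tls": None,
                                 "to_socket": None, "close_timeout": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip anything that is not a stunnel log line
        cid, msg = int(m.group(3)), m.group(4)
        c = conns[cid]
        if (a := ACCEPT.search(msg)):
            c["client"] = a.group(1)
        elif (s := SESSION.search(msg)):
            c["session"] = s.group(1)
        elif (b := CLOSED.search(msg)):
            c["to_tls"], c["to_socket"] = int(b.group(1)), int(b.group(2))
        elif "TIMEOUTclose exceeded" in msg:
            c["close_timeout"] = True
    return dict(conns)

def timeouts_by_client(conns):
    """Per client address: (connections seen, connections that hit TIMEOUTclose)."""
    out = defaultdict(lambda: [0, 0])
    for c in conns.values():
        out[c["client"]][0] += 1
        out[c["client"]][1] += int(c["close_timeout"])
    return {k: tuple(v) for k, v in out.items()}

if __name__ == "__main__":
    for cid, c in sorted(summarize(SAMPLE).items()):
        print(cid, c)
    print(timeouts_by_client(summarize(SAMPLE)))
```

On these lines, "TIMEOUTclose exceeded" is logged for both the WAN client and the OpenVPN client, so that message alone does not separate the failing path from the working one.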
