Connection freeze in Site-to-site link
I have defined a Site-to-site OpenVPN connection following https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-shared-key.html.
The connection works, and I'm using the following addresses:
-> 200.145.x.y/27 for Site A
-> 10.3.100.0/30 for tunnel network
-> 186.217.1.x/27 for site B
In both sites I'm using valid public addresses. The reason is that Site B will be physically moved soon, and I intend to use the VPN to keep everything working through an ADSL (or something like that) link until the real data link is moved too.
I've managed to make the connection and everything works, BUT, there is one problem. When I connect to a server inside Site B (using SSH in this case), after about 35 second the connection freezes. If I make 2 connections, each one freezes after about 40 seconds. Ping does works fine and never stops pinging. If I connect from Site B to and external server, it works fine. I've tried setting OpenVPN using TCP instead UDP but that made no difference. Since the time is always about the same (~35 seconds), I suspect that some timer is involved, but have no idea which one it could be or where to look. Also, I couldn't find any relevant message in the Firewall or system logs.
Any suggestions on what may be wrong?
I forgot to add my current configuration for the tunnel:
After some tests, I isolated the problem to pf in the server side. If I disable pf (CLI 'pfctl -d'), the connection remains stable and does not lock. If I reactivate pf, the connection freezes after about 35 seconds. So it`s most definitively some timer in the pf firewall in the server, but I have no idea of what that could be. Does somebody have a suggestion?
On the CLI of the server, I checked the pf states with 'pfctl -ss', and I got the following states (filtered do relevant ones only):
xn0 tcp 186.217.x.x <- 200.145.x.x:34654 CLOSED:SYN_SENT
ovpns1 tcp 200.145.x.x:34654 -> 186.217.x.x:22 SYN_SENT:CLOSED
The problem is, this should not show SYN_SENT:CLOSED, but ESTABLISHED. So, for some reason, pf is closing my TCP sessions instead of setting them as established. Does someone have any idea of why? Should I move this discussion to the firewall threads?
Ok, after some headbanging I decided to scrap everything and redo everything, including the basic pfSense setup, from zero. Aaaaaand everything worked properly.
So, in conclusion, there was some weird error in some configuration somewhere, and doing everything from zero removed that error.
For reasons I had to kill and reinstall the server and the problem is back. If I connect from an external address, pf does not set the connection as 'Established' and kills it after ~30 seconds.
Also weird: If I disable pf completely (pfctl -d), the connections is established and remains stable, so it's definitively pf that`s killing my connections. But since I can't leave the server with pf disabled, that's not an option.
I've tried a few other tricks, like disabling TX Checksum Offload (https://xcp-ng.org/docs/guides.html#pfsense-vm), settings in the firewall, but couldn't find anything.
Has any one else seen something like this?