Netgate Discussion Forum

    Connection freeze in Site-to-site link

      DrydenK

      Hi,

      I have defined a Site-to-site OpenVPN connection following https://docs.netgate.com/pfsense/en/latest/book/openvpn/site-to-site-example-configuration-shared-key.html.

      The connection works, and I'm using the following addresses:
      -> 200.145.x.y/27 for Site A
      -> 10.3.100.0/30 for tunnel network
      -> 186.217.1.x/27 for site B

      In both sites I'm using valid public addresses. The reason is that Site B will be physically moved soon, and I intend to use the VPN to keep everything working through an ADSL (or something like that) link until the real data link is moved too.

      I've managed to make the connection and everything works, BUT there is one problem. When I connect to a server inside Site B (using SSH in this case), after about 35 seconds the connection freezes. If I make 2 connections, each one freezes after about 40 seconds. Ping works fine and never stops pinging. If I connect from Site B to an external server, it works fine. I've tried setting OpenVPN to use TCP instead of UDP but that made no difference. Since the time is always about the same (~35 seconds), I suspect that some timer is involved, but have no idea which one it could be or where to look. Also, I couldn't find any relevant message in the Firewall or system logs.

      Any suggestions on what may be wrong?

      Tks,

      DrydenK

        DrydenK

        I forgot to add my current configuration for the tunnel:

        Server:
        Screenshot_2020-05-05 OpenVPN Server.png

        Client:
        Screenshot_2020-05-05 OpenVPN Client.png

          DrydenK

          After some tests, I isolated the problem to pf on the server side. If I disable pf (CLI 'pfctl -d'), the connection remains stable and does not lock. If I reactivate pf, the connection freezes after about 35 seconds. So it's most definitely some timer in the pf firewall on the server, but I have no idea what that could be. Does somebody have a suggestion?

          Tks,

          DrydenK

            DrydenK

            Another piece of information.

            On the CLI of the server, I checked the pf states with 'pfctl -ss', and I got the following states (filtered to relevant ones only):
            xn0 tcp 186.217.x.x <- 200.145.x.x:34654 CLOSED:SYN_SENT
            ovpns1 tcp 200.145.x.x:34654 -> 186.217.x.x:22 SYN_SENT:CLOSED

            The problem is, this should not show SYN_SENT:CLOSED, but ESTABLISHED. So, for some reason, pf is closing my TCP sessions instead of setting them as established. Does someone have any idea of why? Should I move this discussion to the firewall threads?

            Tks,

            DrydenK
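
Added example, not part of the original posts: a small shell filter for the `pfctl -ss` check described above, listing TCP states that show the SYN_SENT/CLOSED pair quoted in the post and counting them per interface. The function names and the sample lines (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): filter `pfctl -ss` output for TCP states
# showing the SYN_SENT/CLOSED pair quoted in the post.

# Constructed sample input modelled on the post's two lines, plus one healthy
# TCP state and one UDP state. Addresses are documentation ranges.
sample_states() {
    cat <<'EOF'
xn0 tcp 198.51.100.10:22 <- 203.0.113.5:34654       CLOSED:SYN_SENT
ovpns1 tcp 203.0.113.5:34654 -> 198.51.100.10:22       SYN_SENT:CLOSED
xn0 tcp 198.51.100.10:22 <- 203.0.113.9:50112       ESTABLISHED:ESTABLISHED
xn0 udp 198.51.100.1:1194 <- 203.0.113.5:1194       MULTIPLE:MULTIPLE
EOF
}

# Print "iface addr arrow addr state" for each TCP state on stdin whose state
# pair (always the last field) is SYN_SENT on one side and CLOSED on the other.
half_open_states() {
    awk '$2 == "tcp" && ($NF == "SYN_SENT:CLOSED" || $NF == "CLOSED:SYN_SENT") {
        # Assumes no NAT translation column, so fields 3-5 are addr, arrow, addr.
        print $1, $3, $4, $5, $NF
    }'
}

# Number of matching states on stdin.
half_open_count() {
    half_open_states | wc -l | tr -d ' '
}

# "iface count" per interface, sorted by interface name.
half_open_by_iface() {
    half_open_states | awk '{ n[$1]++ } END { for (i in n) print i, n[i] }' | sort
}

# Demo on the constructed sample. On the firewall: pfctl -ss | half_open_states
sample_states | half_open_states
```

Running the filter on both firewalls while a test connection is open shows which interface's state never leaves the half-open pair.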

              DrydenK

              Ok, after some headbanging I decided to scrap everything and redo everything, including the basic pfSense setup, from zero. Aaaaaand everything worked properly.

              So, in conclusion, there was some weird error in some configuration somewhere, and doing everything from zero removed that error.

              Tks.

                DrydenK

                For reasons I had to kill and reinstall the server and the problem is back. If I connect from an external address, pf does not set the connection as 'Established' and kills it after ~30 seconds.

                Also weird: If I disable pf completely (pfctl -d), the connection is established and remains stable, so it's definitely pf that's killing my connections. But since I can't leave the server with pf disabled, that's not an option.

                I've tried a few other tricks, like disabling TX Checksum Offload (https://xcp-ng.org/docs/guides.html#pfsense-vm), settings in the firewall, but couldn't find anything.

                Has anyone else seen something like this?
