VLAN 2 VLAN TCP traffic drops after 30 seconds
-
Dear Community,
On a customer's 3100, 21.05-RELEASE, we have an issue when the customer is accessing his switches through telnet or ssh.
Setup
vlan switches 10.2.0.0/24
vlan data 192.168.50.0/24
Gateway of those subnets is the 3100 for both. Upon connecting to the switch it works but then the connection gets dropped after 30 seconds or so. The state shows:
VLAN2 tcp 192.168.50.103:57179 -> 10.2.0.100:22 SYN_SENT:CLOSED 9 / 0 2 KiB / 0 B
And then the connection drops.
Interface for both the subnets to "live" on is the mvneta1 interface where both vlans are tagged upon.
Not sure where to go from here. From my searches here in the forum and online I found multiple asymmetric routing issues to be the underlying issue. However, this traffic does not egress from the firewall over multiple WANs nor has it got anything to do with NAT.
Would be great to get your thoughts on the matter. I have remote access and I can send whatever else you might need for more info.
Cheers,
Tommie
-
@tpit said in VLAN 2 VLAN TCP traffic drops after 30 seconds:
However, this traffic does not egress from the firewall over multiple wans nor has it got anything to do with nat.
That doesn't mean it's not asymmetrical.
A drawing including where the switches sit, do the switches have an SVI in both vlans?
So say you talk to switch 10.20.0.100 from 192.168.50.103, but the switch answers via the interface it has in 192.168.50, then yeah pfsense never sees the return traffic and would close the state after the timeout.
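As an added illustration of the mechanism John describes (a constructed Python model, not pfSense or pf code; the gateway addresses, the 30 s timeout and the simplified state names are assumptions): the switch's own routing table decides whether the SYN-ACK goes back through the firewall or is answered directly in the data VLAN.

```python
import ipaddress

# Constructed model of the thread's setup (not pfSense code): a pf-style firewall
# routes between the "data" and "switches" VLANs; the switch may also hold a DHCP
# address in the data VLAN. Gateway addresses and the timeout value are assumed.
CLIENT, SWITCH = "192.168.50.103", "10.2.0.100"
TCP_FIRST_TIMEOUT = 30  # seconds a half-open (SYN_SENT:CLOSED) state is kept

class Host:
    def __init__(self, addrs, gateway):
        self.addrs = [ipaddress.ip_interface(a) for a in addrs]
        self.gateway = gateway

    def next_hop(self, dst):
        """Longest-prefix match: a directly connected subnet beats the default route."""
        if any(ipaddress.ip_address(dst) in a.network for a in self.addrs):
            return "direct"  # reply is switched in-VLAN and never reaches the firewall
        return self.gateway

class Firewall:
    """Tracks one TCP state, keyed from the first SYN it sees (simplified pf names)."""
    def __init__(self):
        self.state, self.age = None, 0

    def forward(self, flags):
        if flags == "S" and self.state is None:
            self.state = "SYN_SENT:CLOSED"
        elif flags == "SA" and self.state == "SYN_SENT:CLOSED":
            self.state = "ESTABLISHED:SYN_SENT"
        elif flags == "A" and self.state == "ESTABLISHED:SYN_SENT":
            self.state = "ESTABLISHED:ESTABLISHED"

    def tick(self, seconds):
        self.age += seconds
        if self.state == "SYN_SENT:CLOSED" and self.age > TCP_FIRST_TIMEOUT:
            self.state = None  # half-open state expired; the client sees the drop

def handshake(switch_addrs, seconds_elapsed):
    """Firewall's state for CLIENT -> SWITCH:22 after the handshake attempt."""
    client = Host([CLIENT + "/24"], gateway="192.168.50.1")
    switch = Host(switch_addrs, gateway="10.2.0.1")
    fw = Firewall()
    if client.next_hop(SWITCH) != "direct":  # SYN must cross the firewall
        fw.forward("S")
    if switch.next_hop(CLIENT) != "direct":  # SYN-ACK path chosen by the switch
        fw.forward("SA")
        fw.forward("A")  # final ACK follows the same path as the SYN
    fw.tick(seconds_elapsed)
    return fw.state or "no state"
```

With only a 10.2.0.0/24 address the switch replies via its gateway and the state completes; with an extra 192.168.50.0/24 address the SYN-ACK bypasses the firewall, the state sits at SYN_SENT:CLOSED and is gone once the timeout passes.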
-
@johnpoz said in VLAN 2 VLAN TCP traffic drops after 30 seconds:
192.168.50.103, but the switch answers via the interface it has in 192.168.50, then yeah pfsense never sees the return traffic and would close the state after the
That would make tons of sense... not sure why I haven't checked this at all! Let me investigate if he gave his switch multiple IPv4 in each vlan!!! Be right back.
-
@johnpoz Were you out drinking with me last?
Dude gave all his vlans DHCP addresses... omg. Can't believe I overlooked this possibility. Jumped to many conclusions after making all the wrong assumptions... Cheers John. Will get on my best phone call of the day now.
-
@tpit Glad I could help - customers do crazy shit sometimes.. I just have to shake my head at some of the setups I have seen ;)
-
@johnpoz This is our only customer with access to his access switches so he can do some simple tagging himself... :)
Anyways, you made my incident ticket a work order ticket so I owe you one...
-
@tpit said in VLAN 2 VLAN TCP traffic drops after 30 seconds:
customer with access
Well there you go - there is the RCA ;)
-
@johnpoz I'll be sure to tell him that... They usually require an RFO... ;)
-
@tpit just hope he doesn't come back with getting you to up the timeout so he can run like that longer before the state gets closed ;) heheh
edit: What's the old adage "customer is always right". I find this rarely the case when it comes to IT ;)
Giving customer access other than "read" is like handing a toddler a loaded handgun... They like to play with shiny stuff.. But once you load it - someone is going to get shot. And it's going to be your fault ;)
-
@johnpoz Sticks and stones may break my bones but there will always be an end-user face-palming me to my doom... ;)
Still stupid I totally disregarded this possibility! :)