Active Directory server not available over OpenVPN tunel

RHTRAF

Hello everyone,

Need some help.

I have a PF23.09 on a Azure image with a network of 10.125.1.0/24. PF acts as a Ovpn client to our main network (192.168.1010/24). Communications between the 2 subnets work fine. I can ping any host on the Azure network to the main net and main net to the Azure network EXCEPT the DC's on the main net. They suddenly stopped working. I cannot ping the IP from the DCs to the azure network or ping IP from the azure network to the DC's all other hosts seem to work fine on all protocols. Firewall rules were set to ALL:ALL on all interfaces.
It should be noted that we also maintain a OVpn connection to our DR site (192.168.102.X/24) with a backup DC on it. The main net can ping and communicate with the DC and it replicates just fine. All normal behavior.

Im at a bit of a lose here and as the Azure clients use the DNS on the DC's azure side is a bit hooped. I built a route from our Azure net to DR network and the DC over there worked fine for about 2 hours then stated doing the same thing as the main net DC's... no ping to and from Azure to DC host on DR net and no ping from DR DC to Azure hosts, same as the Azure to DC on main net. All other hosts work fine.

Hope that all makes sense.

I left scratching my head here and could really use some help.

Thanks in advance!

Rich

stephenw10

I would guess there a route missing on the DCs since they cannot either ping or respond to pings.

It could also be a bad route. Or a bad subnet mask maybe.

I would run some pings and check the state tables in Diag > States to see where they are going.

Steve

RHTRAF

Thanks for that. I agree and here is the output from DIAG/States

This is the same in the other direction as well.

Routes on the DC are the same as all the other systems. I tried to give it a route for 10.125.1.x/24 to the DFG but no go.

Here is some tcpdump on the 10.125.1.16 system:

16:56:51.562790 IP 192.168.101.197.47832 > 10.125.1.16.https: Flags [S], seq 3213937478, win 1024, options [mss 1293], length 0
16:56:51.562790 IP 192.168.101.197.47832 > 10.125.1.16.5900: Flags [S], seq 3213937478, win 1024, options [mss 1293], length 0
16:56:51.562842 IP 10.125.1.16.https > 192.168.101.197.47832: Flags [R.], seq 0, ack 3213937479, win 0, length 0
16:56:51.562873 IP 10.125.1.16.5900 > 192.168.101.197.47832: Flags [R.], seq 0, ack 3213937479, win 0, length 0
16:56:51.562888 IP 192.168.101.197.47832 > 10.125.1.16.mysql: Flags [S], seq 3213937478, win 1024, options [mss 1293], length 0
16:56:51.562900 IP 10.125.1.16.mysql > 192.168.101.197.47832: Flags [R.], seq 0, ack 3213937479, win 0, length 0
16:56:51.562914 IP 192.168.101.197.47832 > 10.125.1.16.1723: Flags [S], seq 3213937478, win 1024, options [mss 1293], length 0

So looks like the traffic is going to the system but its not sending it back??

Again, thanks for the response and appreciate anything you can do to help.

stephenw10

Well in that pcap it's just responding to Syn with Reset so it's refusing the connection anyway.

What interface is it using for replies though? How does in the state table?

Check the MAC address replies from the DC is using as destination. Is it actually sending them to the correct gateway to go back over the VPN?

What does the routing table on the DC look like?