Netgate Discussion Forum
    iperf3 issue over IPsec (VTI mode)

    • maverickws
      last edited by maverickws

      I am experiencing an issue where I can only run iperf from B (client) to A (server), not A (client) to B (server). I found a similar issue here, with the difference that the user complains of a low bitrate whereas mine is nonexistent.

      From B to A:

      Connecting to host 10.254.0.1, port 5201
      [  5] local 10.254.0.2 port 33407 connected to 10.254.0.1 port 5201
      [ ID] Interval           Transfer     Bitrate         Retr  Cwnd
      [  5]   0.00-1.12   sec  12.6 MBytes  94.8 Mbits/sec    0   1.60 MBytes       
      [  5]   1.12-2.01   sec  14.9 MBytes   139 Mbits/sec    0   2.00 MBytes       
      [  5]   2.01-3.02   sec  16.1 MBytes   135 Mbits/sec    1   1.09 MBytes       
      [  5]   3.02-4.01   sec  16.0 MBytes   135 Mbits/sec    0   1.19 MBytes       
      [  5]   4.01-5.01   sec  16.5 MBytes   139 Mbits/sec    0   1.26 MBytes       
      [  5]   5.01-6.02   sec  15.9 MBytes   132 Mbits/sec    0   1.32 MBytes       
      [  5]   6.02-7.01   sec  16.5 MBytes   140 Mbits/sec    0   1.35 MBytes       
      [  5]   7.01-8.02   sec  16.5 MBytes   137 Mbits/sec    0   1.38 MBytes       
      [  5]   8.02-9.01   sec  16.2 MBytes   138 Mbits/sec    0   1.39 MBytes       
      [  5]   9.01-10.01  sec  17.1 MBytes   143 Mbits/sec    0   1.40 MBytes       
      - - - - - - - - - - - - - - - - - - - - - - - - -
      [ ID] Interval           Transfer     Bitrate         Retr
      [  5]   0.00-10.01  sec   158 MBytes   133 Mbits/sec    1             sender
      [  5]   0.00-10.06  sec   158 MBytes   132 Mbits/sec                  receiver
      
      iperf Done.
      

      However, on the other way around, from A (client) to B (server):

      Connecting to host 10.254.0.2, port 5201
      [  5] local 10.254.0.1 port 1618 connected to 10.254.0.2 port 5201
      [ ID] Interval           Transfer     Bitrate         Retr  Cwnd
      [  5]   0.00-1.00   sec  0.00 Bytes  0.00 bits/sec    2   1.32 KBytes       
      [  5]   1.00-2.00   sec  0.00 Bytes  0.00 bits/sec    2   1.32 KBytes       
      [  5]   2.00-3.00   sec  0.00 Bytes  0.00 bits/sec    1   1.32 KBytes       
      [  5]   3.00-4.01   sec  0.00 Bytes  0.00 bits/sec    0   1.32 KBytes       
      [  5]   4.01-5.00   sec  0.00 Bytes  0.00 bits/sec    0   1.32 KBytes       
      [  5]   5.00-6.00   sec  0.00 Bytes  0.00 bits/sec    1   1.32 KBytes       
      [  5]   6.00-7.03   sec  0.00 Bytes  0.00 bits/sec    0   1.32 KBytes       
      [  5]   7.03-8.00   sec  0.00 Bytes  0.00 bits/sec    0   1.32 KBytes       
      [  5]   8.00-9.01   sec  0.00 Bytes  0.00 bits/sec    0   1.32 KBytes       
      [  5]   9.01-10.00  sec  0.00 Bytes  0.00 bits/sec    1   1.32 KBytes       
      - - - - - - - - - - - - - - - - - - - - - - - - -
      [ ID] Interval           Transfer     Bitrate         Retr
      [  5]   0.00-10.00  sec  0.00 Bytes  0.00 bits/sec    7             sender
      [  5]   0.00-10.05  sec  0.00 Bytes  0.00 bits/sec                  receiver
      
      iperf Done.
      

      Firewall rules are identical on both sides, allowing ipv4 all protocols. Traffic on all accounts works exactly as supposed both ways over the tunnel. From A (client) to B (server) is the test I need on iperf. Any ideas?

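      The two outputs above differ in a specific way: both tests report "connected", but in the A-to-B direction every interval shows 0 bytes transferred, a non-zero retransmit count and a congestion window stuck at 1.32 KBytes for the whole run. That is the signature of a TCP handshake that completes while bulk data segments are never acknowledged, which is a different failure from a connection that is refused or filtered outright. The following script is an added example, not code from the thread or from Netgate: it parses iperf3's default (non-JSON) client output, as shown in the post, and labels each direction of a tunnel test so the asymmetry can be spotted mechanically. The excerpts embedded as sample input are abridged copies of the two outputs posted above; the assumption that iperf3 prints byte counts with binary prefixes (K = 1024) only affects the reported magnitudes, not the classification.

```python
"""Parse iperf3 client text output and classify each direction of a tunnel test."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One interval or summary line of iperf3's default client output, e.g.
#   [  5]   0.00-1.12   sec  12.6 MBytes  94.8 Mbits/sec    0   1.60 MBytes
#   [  5]   0.00-10.01  sec   158 MBytes   133 Mbits/sec    1             sender
LINE_RE = re.compile(
    r"^\[\s*\d+\]\s+(?P<start>[\d.]+)-(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xunit>[KMGT]?Bytes)\s+"
    r"(?P<rate>[\d.]+)\s+(?P<runit>[KMGT]?bits/sec)"
    r"(?:\s+(?P<retr>\d+))?"
    r"(?:\s+(?P<cwnd>[\d.]+)\s+(?P<cunit>[KMGT]?Bytes))?"
    r"\s*(?P<role>sender|receiver)?$"
)

# Assumption: byte counts use binary prefixes (K = 1024). Only magnitudes matter here.
PREFIX = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def to_bytes(value: str, unit: str) -> float:
    """Convert '12.6' + 'MBytes' into a byte count."""
    return float(value) * PREFIX[unit[:-len("Bytes")]]


@dataclass
class Interval:
    start: float
    end: float
    transferred: float           # bytes moved in this interval
    retransmits: int
    cwnd: Optional[float]        # congestion window in bytes (client side only)


@dataclass
class Run:
    intervals: List[Interval] = field(default_factory=list)
    sender_bytes: float = 0.0
    sender_retransmits: int = 0
    receiver_bytes: float = 0.0


def parse_iperf3(text: str) -> Run:
    """Extract per-interval rows and the sender/receiver summary rows."""
    run = Run()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:                      # banner, header and separator lines
            continue
        xfer = to_bytes(m["xfer"], m["xunit"])
        retr = int(m["retr"]) if m["retr"] else 0
        if m["role"] == "sender":
            run.sender_bytes, run.sender_retransmits = xfer, retr
        elif m["role"] == "receiver":
            run.receiver_bytes = xfer
        else:
            cwnd = to_bytes(m["cwnd"], m["cunit"]) if m["cwnd"] else None
            run.intervals.append(Interval(float(m["start"]), float(m["end"]), xfer, retr, cwnd))
    return run


def classify(run: Run) -> str:
    """'ok': data delivered; 'stalled': connected and retransmitting but nothing
    delivered; 'no-data': nothing sent and nothing retransmitted."""
    if run.sender_bytes > 0 and run.receiver_bytes > 0:
        return "ok"
    if run.sender_bytes == 0 and run.sender_retransmits > 0:
        return "stalled"
    return "no-data"


def cwnd_never_grew(run: Run) -> bool:
    """True when the congestion window never changes during the run, i.e. no
    data segment was ever acknowledged after the handshake."""
    cwnds = [i.cwnd for i in run.intervals if i.cwnd is not None]
    return len(cwnds) > 1 and max(cwnds) == min(cwnds)


def compare_directions(runs: Dict[str, Run]) -> Dict[str, object]:
    """Label each direction and flag the one-way failure seen in the thread."""
    labels = {name: classify(run) for name, run in runs.items()}
    return {**labels, "asymmetric": len(set(labels.values())) > 1}


# Abridged copies of the two outputs posted above (sample input for this example).
B_TO_A = """\
Connecting to host 10.254.0.1, port 5201
[  5] local 10.254.0.2 port 33407 connected to 10.254.0.1 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.12   sec  12.6 MBytes  94.8 Mbits/sec    0   1.60 MBytes
[  5]   1.12-2.01   sec  14.9 MBytes   139 Mbits/sec    0   2.00 MBytes
[  5]   2.01-3.02   sec  16.1 MBytes   135 Mbits/sec    1   1.09 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.01  sec   158 MBytes   133 Mbits/sec    1             sender
[  5]   0.00-10.06  sec   158 MBytes   132 Mbits/sec                  receiver
"""
A_TO_B = """\
Connecting to host 10.254.0.2, port 5201
[  5] local 10.254.0.1 port 1618 connected to 10.254.0.2 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  0.00 Bytes  0.00 bits/sec    2   1.32 KBytes
[  5]   1.00-2.00   sec  0.00 Bytes  0.00 bits/sec    2   1.32 KBytes
[  5]   2.00-3.00   sec  0.00 Bytes  0.00 bits/sec    1   1.32 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  0.00 Bytes  0.00 bits/sec    7             sender
[  5]   0.00-10.05  sec  0.00 Bytes  0.00 bits/sec                  receiver
"""

if __name__ == "__main__":
    runs = {"B->A": parse_iperf3(B_TO_A), "A->B": parse_iperf3(A_TO_B)}
    print(compare_directions(runs))
    for name, run in runs.items():
        print(name, "retransmits:", run.sender_retransmits, "cwnd frozen:", cwnd_never_grew(run))
```

      Run it against the full outputs from both directions (paste each into a string, or read it from a file) to get a label per direction; a "stalled" result next to an "ok" one confirms that the tunnel carries the handshake but drops or never acknowledges the bulk-data segments in that one direction, which is the distinction Gblenn's question about something blocking on site B is probing.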
    • Gblenn @maverickws
      last edited by

        @maverickws I was having a similar issue recently and the solution was to apply the patches related to IPsec (Redmine #15449, #15430 and #15606).
        Which pfSense version are you on?

        • maverickws @Gblenn
          last edited by

          @Gblenn thanks for stopping by.

          So on the B side I have a development snapshot of 24.08.
          Side A has 24.03 with all patches installed. Double checked and the mentioned fixes:

          • Fix IPsec VTI static routes not being added after boot (After applying, edit and save affected IPsec tunnels or reboot., Redmine #15449)
          • Automatically use floating states for IPsec rules (After applying, reload the filter or reboot., Redmine #15430)
          • Automatically use floating states on IPsec VTI (After applying, reload the filter or reboot., Redmine #15606)

          are applied. I also believe these are already merged in the 24.08 snapshot.

          • Gblenn @maverickws
            last edited by

            @maverickws Yep, it is that set of patches that I applied which resolved the issue for me. But now that I checked my thread on the issue I had, it was slightly different. I had a timeout in one direction and very low throughput (kbit range) in the other.
            https://forum.netgate.com/topic/190089/i-can-ping-both-directions-but-only-access-servers-one-way

            Could it be that you have something else blocking on site B? Like Suricata perhaps?

            • maverickws @Gblenn
              last edited by

              @Gblenn Actually site B has minimal services: no Suricata, Snort, pfBlocker or anything else installed.
              I'm clueless.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.