Traffic flows only from one side

marzl

Hi,

We have a strange Problem here with our IPSEC connection from pfSense to pfSense.

172.18.18.0/24 LAN <-> pfsense A <-> WAN <-> pfSense B <-> LAN 172.16.16.0/24

A: WRAP pfSense v1.01
B: WRAP pfSense v1.0RC3 (very busy Box, no chance to upgrade until yet)
Traffic from (A) to (B) is running fine, but the traffic from (B) to (A) stops after a specific amount of data (ex: scp stops at 132KB).

We played around with MTU, but nothing helps.
The problem looks pretty nearly exactly like this thread (http://forum.pfsense.org/index.php/topic,963.0.html),
but we do not have any D-Link, pure pfSense :)

I do not have any idea, could some light a fire for me, pls? :)

Greetings,
Marcel

hoba

Sorry to say it but you HAVE to find time to upgrade. Newer versions of pfSense run a newer FreeBSD and even newer IPSECTOOLS. Not to mention that thousends of lines of codes have changed. Try the latest snapshot (it has IPSEC filtering now too, so you might have to create pass any rules at firewall>rules, ipsec after upgrading though we usually install them on upgrade from older versions that didn't have that feature automatically).

Searching for a bug in this config is like riding a dead horse as the bug might already be solved.

marzl

You are right, we will upgrade tommorrow evening.
Basicly this was the answer i want to hear :)

Since we are running 1.0.1 on A, isn't it a bad idea to upgrade B to the latest snapshot?
Upgrading A too is impossable because of 500 km between me and B ….

Greets and thanks for your prompt response!

hoba

You can try upgrading the one end first. As you have 2 wraps you could probably prepare a cf card with the new image and upload the remote end's config. Then send it over so it's just a plug'n'play action to upgrade and you even can revert back if things for whatever reason break.

marzl

Ok, some News: We have upgraded the RC3 to 1.0.1. Konfiguration was successfully imported and works great.
But there are still some strange behaviors. Example:
Copy a file via SCP from B to A works well, but vice versa it stop at 132 KB.
But a copy from B to A between Windows 2003 Server works. XP not.

Is this a matter of MTU? Where? Wich MTU has to be modified if it goes that way?
Do you need additional informations from me? Any other idea?

hoba

Try using smaller mtu's at interface>WAN at both ends. Start somewhere at 1300 and see if it works. If it does go up in steps until it breaks again and then go back one step.

marzl

Unfortunately this doesnt help that much. I lowered the MTU on both sides to 1300 but the problem still exists.

Maybe this is important:
The WAN connections on both sides are fixed IP Adresses connected to somewhat transparent routers from the ISPs.
We dont use PPPoE over her. Maybe the MTU have to be modified on this machines instead?

hoba

Shouldn't be a problem. If you only sent out 1300 size the routers/bridges in front won't inflate the packages to a larger size. Atm I have no other clues, sorry  :-\

marzl

May i ask you if this is correct?
Client (MTU 1500) -> LAN (MTU 1500) -> IPSEC -> WAN (MTU 1300) -> INET <- WAN (MTU 1300) <- IPSEC <- LAN (MTU 1500) <- Client (MTU 1500)