Openvpn strange problem, was ok but now its not



  • Hi, I have followed all the guides to make OVPN work, and it used to work wonderfully. We deployed a site-to-site, but recently we have noticed something very strange: all PCs are pingable and they are OK, however when we try to access any services within the other LAN from our LAN we cannot. Also I used to access the pfSense web interface of the other LAN, however I cannot now. The only change I made to our main pfSense is that we added two extra NICs (gigabit), which caused an interface reset, and I assigned the LAN to our new NIC; the certificates generated were kept as they are. Is this a possible cause? Keep in mind the VPN was working.



  • That's not enough info to go on …

    If you say that all the PCs are pingable from both ends of the tunnel, then I would consider that the tunnel is working and the routes are set correctly.
    If certain services do not work, then perhaps this is a firewall issue, meaning that you should check the firewall rules that relate to the VPN.

    Re-assigning interfaces might have moved the firewall rules for OpenVPN to another interface?

    Note that this is all speculation and that we'd need more details (screenshots) for us to debug the situation.



  • Thanks for the update. I have checked the firewall on both ends and all is allow, and the strangest thing of all is that VNC works between both LANs but it's taking at least 25 seconds to initiate; before it was 5 secs.
    I have looked everywhere; the only major thing I have done is adding interfaces and re-assigning LAN/WAN to another interface. I can still send you screenshots if this helps, but from which side do you want them and what exactly shall I take?
    Quick note: is this an MTU issue?
    Or is it the new interface added, like here: http://forum.pfsense.org/index.php/topic,35609.0.html



  • Here is an update.
    I've noticed that if I disconnect the WAN and reconnect the WAN, then when the OpenVPN session starts between both sites I make a quick session to the other LAN, then it will stay stable for the next restart; otherwise it remains pingable but not accessible.
    Strange but true.



  • Hello there?
    No reply from anyone, can you please help?



  • Happy to help, but it is difficult to think what might be wrong.
    You can ping from LAN1-PC <-> pfSense1 <-OpenVPN-> pfSense2 <-> LAN2-PC,
    i.e. an end-to-end ping from LAN1-PC to LAN2-PC works.
    That means that your ordinary routing is fine, and your firewall rules are allowing the traffic with the LAN1 and LAN2 IP addresses.
    To stop other TCP and UDP traffic from working also, you would have to have some unusual rules, e.g. rules that only allow ICMP traffic, or rules that direct TCP and UDP away into some other gateway group (so ICMP routes OK but TCP and UDP do not). Or?
    And from your post there are some times when it works OK for a short time.
    Maybe give an overview of your network with the private IPs you are using, type of VPN connection (shared key or SSL/TLS), rules… and we can see if we can spot something interesting and unusual.



  • Thanks for the reply.
    main LAN 10.10.10.X <-> pfSense 2.2 <-> OVPN (certificate-based) <-> pfSense 2.2 <-> branch1 LAN 192.168.70.X
    I can always ping branch1 from the main LAN; however, sometimes I cannot even load the standard pfSense web page on branch1.
    What I have discovered is the following:

    1. I have added extra interfaces, which caused the interface reset, but brought it back.

    2. The ISP changed the ADSL setting on the main LAN (does this have any effect? MTU? Or anything else?). Keep in mind I'm using a Netgear modem in bridge mode. The current ADSL MTU for the ISP is 1492.

    3. The only way to get it working is to disconnect the WAN and connect the WAN and immediately try to create a session to branch1 (I'm doing it via a VNC session) and keep it for a few min.

    4. I have OVPN connecting to at least 6 other pfSense gateways.

    5. Sample OVPN log:

       Mar 16 18:07:13 openvpn[5800]: XXX-client-1/94.96.36.XXX:59627 send_push_reply(): safe_cap=960
       Mar 16 18:07:11 openvpn[5800]: MULTI_sva: pool returned IPv4=10.0.99.6, IPv6=::
       Mar 16 18:07:11 openvpn[5800]: 94.96.36.XXX:59627 [lbg-client-1] Peer Connection Initiated with [AF_INET]94.96.36.XXX:59627
       Mar 16 18:07:08 openvpn[5800]: 94.96.36.XXX:59627 Re-using SSL/TLS context
       Mar 16 14:17:51 openvpn[21536]: XXX-client-6/5.82.84.XX:46334 send_push_reply(): safe_cap=960

    Does anything here ring a bell?



  • Guys, the issue is still there, and I really want to find a clue.
    I've tried reducing the MTU from 1500 to 1492; it worked for a month, but now it's not working.
    Can someone please help?



  • Here is a strange thing I discovered just now: from my HQ server I cannot access branches, despite being able to ping them.
    From branches to my HQ I can ping and also access any PC on the HQ subnet.
    I'm going crazy, but this is what I have here.



  • Guys, any clue?
    Is this a typical MTU issue?
    What I did now is reduce the MTU size on my WAN interface. Still the same issue. Can anyone help if I need to reduce the MTU at the tunnel level?



  • I posted my experience recently: http://forum.pfsense.org/index.php/topic,67080.0.html
    Might be of some help to you in testing and tweaking.



  • Found a fix at last, and would like to share it with you.
    It turns out that the ISP has changed some of their backbone routers, and I ended up doing this:
    1. Add the mtu-test command in the advanced box of the main OVPN server.
    2. Check the OVPN logs.
    3. Verify what the local/remote MTU value is.
    4. Add the following to both local and remote (in the advanced box):

    fragment 1400;
    mssfix;
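The fix above rests on knowing the real path MTU between the two gateways. As an added example (not from the thread or from pfSense/OpenVPN), this script binary-searches the path MTU with Don't-Fragment pings and then derives the two advanced-box lines. It assumes Linux iputils ping (`-M do` sets DF); the 92-byte headroom is an assumption chosen to reproduce the thread's own numbers (1492 path MTU giving `fragment 1400`), not an OpenVPN rule.

```python
# Added example: find the path MTU to a VPN peer with DF-flagged pings and
# derive OpenVPN "fragment"/"mssfix" lines from it. Not code from the thread.
# Assumes Linux iputils ping; the 92-byte headroom is an assumption that
# reproduces the thread's values (1492 -> fragment 1400), not an OpenVPN rule.
import subprocess
from typing import Callable, List

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host: str, payload: int, timeout: int = 2) -> bool:
    """Send one DF-flagged echo request of PAYLOAD bytes; True if answered."""
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do",
           "-s", str(payload), host]
    try:
        rc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL,
                            timeout=timeout + 3).returncode
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False
    return rc == 0


def find_path_mtu(host: str, probe: Callable[[str, int], bool] = ping_df,
                  lo: int = 576, hi: int = 1500) -> int:
    """Largest total IPv4 packet size in [lo, hi] the path forwards unfragmented."""
    if not probe(host, lo - IP_ICMP_OVERHEAD):
        raise RuntimeError(f"{host}: {lo}-byte packets fail; host down or ICMP blocked")
    while lo < hi:  # invariant: lo passes; sizes above hi have failed
        mid = (lo + hi + 1) // 2
        if probe(host, mid - IP_ICMP_OVERHEAD):
            lo = mid
        else:
            hi = mid - 1
    return lo


def openvpn_mtu_lines(path_mtu: int, headroom: int = 92) -> List[str]:
    """Advanced-box lines: fragment below the path MTU; bare mssfix follows it."""
    return [f"fragment {path_mtu - headroom};", "mssfix;"]


if __name__ == "__main__":
    import sys
    # 192.0.2.1 is a TEST-NET placeholder; pass the real remote gateway instead.
    peer = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    mtu = find_path_mtu(peer)
    print(f"path MTU to {peer}: {mtu}")
    print("\n".join(openvpn_mtu_lines(mtu)))
```

Run it from a LAN host toward the remote gateway's WAN address and compare the reported path MTU with what the OpenVPN log shows after `mtu-test`.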