DFS replication problem - IPsec VPN
-
Hi,
I'm having an issue with DFS replication over an IPsec VPN.
I have two servers, one based in the UK and one in the USA.
I'm replicating a folder with 150GB of data. The staging folder is set to 20GB.
I keep getting error 5014 (1726) every 10-15 minutes. This error relates to an RPC.
There are errors in the DFS debug log:
20130813 20:24:49.389 3284 MEET 1417 Meet::Install -> WAIT Error processing update. updateName:demos-embeddeddialogs-customproxy-h.html uid:{58883830-704E-4629-BDD2-B3367E463D2D}-v2736922 gvsn:{58883830-704E-4629-BDD2-B3367E463D2D}-v2736922 connId:{516FCE4B-5140-45B9-B89C-9B3C61A4777A} csName:Shared csId:{619F8245-914F-44E8-9635-E3C5F4281166} code:1726 Error:- [Error:9027(0x2343) Meet::InstallStep meet.cpp:1880 3284 C A failure was reported by the remote partner]
- [Error:9027(0x2343) Meet::Download meet.cpp:2297 3284 C A failure was reported by the remote partner]
- [Error:9027(0x2343) InConnection::TransportRdcGet inconnection.cpp:4423 3284 C A failure was reported by the remote partner]
- [Error:9027(0x2343) DownstreamTransport::RdcGet downstreamtransport.cpp:5261 3284 C A failure was reported by the remote partner]
- [Error:9027(0x2343) RpcFinalizeContext downstreamtransport.cpp:1147 3284 C A failure was reported by the remote partner]
- [Error:9027(0x2343) DownstreamTransport::RdcGet downstreamtransport.cpp:5191 3284 C A failure was reported by the remote partner]
- [Error:1726(0x6be) DownstreamTransport::RdcGet downstreamtransport.cpp:5191 3284 W The remote procedure call failed.]
I personally feel it's either an MTU (or some network setting) or firewall issue.
On both sides of the pond we have a pfSense box. The VPN is IPsec based.
The IPsec firewall rules are set to allow any traffic anyway. All normal network traffic over the VPN seems to work as expected.
Both of the DFS servers are also domain controllers and DNS servers. These seem to be working and AD is replicating.
I've setup a third DFS server based in the UK and added it to the replication group and this replicates fine with the UK dfs server.
Now on the pfSense based in the USA we do see lots of blocked connections from the two DFS servers, yet all of the firewall rules work. Also I should add some data is replicating, but it's very slow and only lasts about 10 minutes before resetting.
The IPsec firewall rule is the default allow all.
pfSense blocked messages (the rule that triggered all of these actions is: @2 block drop out log all label "Default deny rule")
block
Aug 14 14:54:26 enc0 172.20.1.3:64399 10.1.0.10:62844 TCP:A
block
Aug 14 14:54:26 enc0 172.20.1.3:64460 10.1.0.10:62844 TCP:A
block
Aug 14 14:54:26 enc0 172.20.1.3:64459 10.1.0.10:62844 TCP:A
block
Aug 14 14:54:26 enc0 172.20.1.3:64456 10.1.0.10:62844 TCP:A
block
Aug 14 14:54:26 enc0 172.20.1.3:64402 10.1.0.10:62844 TCP:A
block
Aug 14 14:54:26 enc0 172.20.1.3:64465 > 10 10.1.0.10:62844 TCP:A
block
Aug 14 14:54:27 enc0 172.20.1.3:64464 10.1.0.10:62844 TCP:A
-
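Added example (not part of the original post): a small parser for pfSense filter-log lines in the shape quoted above. It separates blocked TCP segments that carry no SYN (pf has no state for them, so they fall through to the default deny even though the rules allow the traffic) from blocked SYNs, which would mean a rule actually refused a new connection. The sample log is constructed from the post's own lines plus one made-up SYN entry so both cases appear; the classification is a heuristic, not pfSense's own logic.

```python
import re
from collections import Counter

# Constructed sample in the same shape as the pfSense excerpt in the post: the post's
# own "block" entries plus one invented SYN entry (port 445) so both classes appear.
SAMPLE_LOG = """\
block
Aug 14 14:54:26 enc0 172.20.1.3:64399 10.1.0.10:62844 TCP:A
block
Aug 14 14:54:26 enc0 172.20.1.3:64460 10.1.0.10:62844 TCP:A
block
Aug 14 14:54:27 enc0 172.20.1.3:64464 10.1.0.10:62844 TCP:A
block
Aug 14 14:54:30 enc0 172.20.1.3:64470 10.1.0.10:445 TCP:S
"""

# "<mon> <day> <time> <iface> <src>:<sport> <dst>:<dport> <proto>[:<flags>]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?"
)


def parse_blocks(text):
    """Return one dict per parsed entry. The bare action line ("block"/"pass") that
    precedes each detail line in the GUI export is attached to that detail line."""
    action = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("block", "pass"):
            action = line
            continue
        m = LINE_RE.match(line)
        if not m:          # garbled or unrelated line: skip, do not guess
            continue
        entry = m.groupdict()
        entry["action"] = action or "?"
        entry["flags"] = entry["flags"] or ""
        entries.append(entry)
        action = None
    return entries


def classify(entry):
    """Heuristic: a blocked TCP segment without SYN is out-of-state (state expired,
    session torn down, or asymmetric path), so the default deny caught it even though
    a rule allows the traffic; a blocked SYN is a genuinely refused new connection."""
    if entry["proto"] != "TCP":
        return "non-tcp"
    return "new-connection-refused" if "S" in entry["flags"] else "out-of-state"


def summarize(text):
    """Count blocked entries keyed by (classification, source IP, dest IP:port)."""
    counts = Counter()
    for e in parse_blocks(text):
        if e["action"] != "block":
            continue
        counts[(classify(e), e["src"], f'{e["dst"]}:{e["dport"]}')] += 1
    return counts


if __name__ == "__main__":
    for (kind, src, dst), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {kind:24s} {src} -> {dst}")
```

On the post's own lines every entry is TCP:A to the same destination port, i.e. ACK segments of sessions the US firewall no longer holds state for. That pattern points at sessions dying mid-transfer (which fits the every-10-minutes reset) rather than at a rule mismatch, which is why the allow-all IPsec rule looks fine yet the default deny keeps logging.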
It's probably just a temporary wiretapping glitch. I'm sure NSA/DHS will boost their servers' capacity soonish, no worries.
-
Haha you could be right.
So after a lot of changing over the last few days I think I've found a fix. I had tried setting the "Enable MSS clamping on VPN traffic" a few days ago, but it didn't work using the default 1400 value.
I've just changed it to 1370 on both pfSense boxes and it's working!! Can someone explain to me why 1370 worked and why 1400 wouldn't? Is it just a case that a router between the two sites doesn't support an MTU of 1400?
Thanks,
Daniel
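Added worked example (not from the thread, and not pfSense's code): a size budget for ESP tunnel-mode packets, to show how a clamp value turns into an on-the-wire packet and what path MTU that packet needs. It treats the configured clamp value as the inner IP packet size (clamp minus 40 bytes of IP and TCP headers is the MSS), which is how I understand pfSense applies the setting; check the firewall's own documentation. Cipher and integrity sizes are assumptions (AES-CBC with a 16-byte IV and block, 96-bit ICV); the actual transform on Daniel's tunnel is not stated, so the numbers illustrate the method, not his link.

```python
"""Size budget for TCP over an ESP tunnel. All header and crypto sizes below are
assumptions for illustration; substitute the values of the transform actually in use."""

IPV4_HDR = 20        # IPv4 header without options (outer and inner)
TCP_HDR = 20         # TCP header without options
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
NAT_T_UDP = 8        # extra UDP header when NAT traversal (UDP/4500) is active


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Outer IPv4 packet length for an inner packet of inner_len bytes sent through an
    ESP tunnel. Defaults assume AES-CBC (16-byte IV, padding to 16-byte blocks) with a
    96-bit ICV such as HMAC-SHA1-96; pass other sizes for other transforms."""
    unpadded = inner_len + ESP_TRAILER
    padded = -(-unpadded // block) * block           # round up to the cipher block size
    udp = NAT_T_UDP if nat_t else 0
    return IPV4_HDR + udp + ESP_HDR + iv_len + padded + icv_len


def mss_to_inner_len(mss):
    """Inner IPv4 packet length of a full-sized segment for the given TCP MSS."""
    return IPV4_HDR + TCP_HDR + mss


def max_inner_len_for_mtu(path_mtu, **esp_kwargs):
    """Largest inner packet length whose encapsulated form still fits path_mtu."""
    inner = path_mtu
    while inner > 0 and esp_tunnel_size(inner, **esp_kwargs) > path_mtu:
        inner -= 1
    return inner


def clamp_report(clamp_values, path_mtus, **esp_kwargs):
    """For each clamp value (taken as the inner packet size, i.e. MSS + 40), give the
    encapsulated size and whether it fits each candidate path MTU."""
    rows = []
    for v in clamp_values:
        outer = esp_tunnel_size(v, **esp_kwargs)
        rows.append((v, outer, {mtu: outer <= mtu for mtu in path_mtus}))
    return rows


if __name__ == "__main__":
    # 1500: plain Ethernet; 1492: PPPoE; 1440: an arbitrary smaller hop, constructed
    for v, outer, fits in clamp_report([1400, 1370], [1500, 1492, 1440]):
        print(f"clamp {v}: {outer} bytes on the wire; fits {fits}")
    print("largest inner packet for a 1500-byte path:", max_inner_len_for_mtu(1500))
    print("same with NAT-T:", max_inner_len_for_mtu(1500, nat_t=True))
```

Under these assumptions a 1400-byte inner packet leaves the tunnel as 1464 bytes (1472 with NAT-T) and a 1370-byte one as 1432, so both fit a clean 1500-byte path; the 1400 value only stops fitting once some hop's MTU drops below about 1464. That is the situation the question describes: a smaller-MTU hop between the sites, with no working path MTU discovery (ICMP "fragmentation needed" dropped somewhere), so the oversized packets of long-running RDC transfers are silently lost until the clamp is lowered. Plugging in the real transform sizes gives the threshold for the actual link.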