Netgate Discussion Forum
    DFS replication problem - IPsec VPN

      dan_robinson

      Hi,
      I'm having an issue with DFS replication over an IPsec VPN.
      I have two servers, one based in the UK and one in the USA.
      I'm replicating a folder with 150GB of data. The staging folder is set to 20GB.
      I keep getting error 5014 (1726) every 10-15 minutes. This error relates to an RPC.
      There are errors in the DFS debug log:
      20130813 20:24:49.389 3284 MEET  1417 Meet::Install -> WAIT Error processing update. updateName:demos-embeddeddialogs-customproxy-h.html uid:{58883830-704E-4629-BDD2-B3367E463D2D}-v2736922 gvsn:{58883830-704E-4629-BDD2-B3367E463D2D}-v2736922 connId:{516FCE4B-5140-45B9-B89C-9B3C61A4777A} csName:Shared csId:{619F8245-914F-44E8-9635-E3C5F4281166} code:1726 Error:

      • [Error:9027(0x2343) Meet::InstallStep meet.cpp:1880 3284 C A failure was reported by the remote partner]
      • [Error:9027(0x2343) Meet::Download meet.cpp:2297 3284 C A failure was reported by the remote partner]
      • [Error:9027(0x2343) InConnection::TransportRdcGet inconnection.cpp:4423 3284 C A failure was reported by the remote partner]
      • [Error:9027(0x2343) DownstreamTransport::RdcGet downstreamtransport.cpp:5261 3284 C A failure was reported by the remote partner]
      • [Error:9027(0x2343) RpcFinalizeContext downstreamtransport.cpp:1147 3284 C A failure was reported by the remote partner]
      • [Error:9027(0x2343) DownstreamTransport::RdcGet downstreamtransport.cpp:5191 3284 C A failure was reported by the remote partner]
      • [Error:1726(0x6be) DownstreamTransport::RdcGet downstreamtransport.cpp:5191 3284 W The remote procedure call failed.]
      I personally feel it's either an MTU (or some network setting) or firewall issue.
      On both sides of the pond we have a pfSense box. The VPN is IPsec based.
      The IPsec firewall rules are set to allow any traffic anyway. All normal network traffic over the VPN seems to work as expected.
      Both of the DFS servers are also domain controllers and DNS servers. These seem to be working and AD is replicating.
      I've set up a third DFS server based in the UK and added it to the replication group, and this replicates fine with the UK DFS server.
      Now on the pfSense based in the USA we do see lots of blocked connections from the two DFS servers, yet all of the firewall rules work. Also I should add that some data is replicating, but it's very slow and only lasts about 10 minutes before resetting.

      The IPsec firewall rule is the default allow all.

      pfSense blocked messages (the rule that triggered all of these actions is: @2 block drop out log all label "Default deny rule")

      block  Aug 14 14:54:26  enc0  172.20.1.3:64399  10.1.0.10:62844  TCP:A
      block  Aug 14 14:54:26  enc0  172.20.1.3:64460  10.1.0.10:62844  TCP:A
      block  Aug 14 14:54:26  enc0  172.20.1.3:64459  10.1.0.10:62844  TCP:A
      block  Aug 14 14:54:26  enc0  172.20.1.3:64456  10.1.0.10:62844  TCP:A
      block  Aug 14 14:54:26  enc0  172.20.1.3:64402  10.1.0.10:62844  TCP:A
      block  Aug 14 14:54:26  enc0  172.20.1.3:64465  10.1.0.10:62844  TCP:A
      block  Aug 14 14:54:27  enc0  172.20.1.3:64464  10.1.0.10:62844  TCP:A

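As an added example (not from the thread or from pfSense), the following parses firewall-log rows in the layout quoted above and classifies each blocked TCP packet by its flags. The point it makes: a "TCP:A" packet (ACK set, no SYN) dropped by the default deny rule is one for which pf holds no state, i.e. a mid-stream segment of a session whose state was lost, not a new connection that the allow-all rule failed to match. The sample rows are constructed.

```python
# Added example: classify pfSense block-log rows by TCP flags to separate
# genuinely new connections (SYN) from out-of-state mid-stream packets (ACK
# without SYN), which is what the "Default deny rule" catches once a state
# for an otherwise-allowed session has disappeared.
import re
from collections import Counter

# Constructed sample in the same column layout as the log table in the post.
SAMPLE_LOG = """\
block  Aug 14 14:54:26  enc0  172.20.1.3:64399  10.1.0.10:62844  TCP:A
block  Aug 14 14:54:26  enc0  172.20.1.3:64460  10.1.0.10:62844  TCP:A
block  Aug 14 14:54:27  enc0  172.20.1.3:64464  10.1.0.10:62844  TCP:A
block  Aug 14 14:55:01  enc0  172.20.1.3:64470  10.1.0.10:445    TCP:S
"""

ROW = re.compile(
    r"^(?P<act>\w+)\s+(?P<ts>\w{3} \d+ [\d:]+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)(?::(?P<flags>\w+))?$"
)

def parse_rows(text):
    """Return one dict per log row; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def classify(row):
    """Label a blocked packet by what its TCP flags say about connection state."""
    if row["proto"] != "TCP":
        return "non-tcp"
    flags = row.get("flags") or ""
    if "S" in flags and "A" not in flags:
        return "new-connection"   # bare SYN: a pass rule would normally create state
    return "out-of-state"         # ACK/PSH/FIN without SYN: pf has no state for it

def summarize(text):
    """Count blocks per (interface, destination port, class) to spot a dropped session."""
    return Counter((r["iface"], r["dport"], classify(r)) for r in parse_rows(text))

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(key, n)
```

A burst of out-of-state blocks toward one destination port, all within a second, points at a session whose state was torn down or never established on the path (here, the resets the poster sees every few minutes) rather than at a missing allow rule.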
        doktornotor

        @dan_robinson:

        Now on the pfSense based in the USA we do see lots of blocked connections from the two DFS servers, yet all of the firewall rules work. Also I should add that some data is replicating, but it's very slow and only lasts about 10 minutes before resetting.

        It's probably just a temporary wiretapping glitch. I'm sure NSA/DHS will boost their servers' capacity soonish, no worries.

          dan_robinson

          Haha you could be right.

          So after a lot of changing over the last few days I think I've found a fix. I had tried setting the "Enable MSS clamping on VPN traffic" option a few days ago, but it didn't work using the default 1400 value.
          I've just changed it to 1370 on both pfSense boxes and it's working!!

          Can someone explain to me why 1370 worked and why 1400 wouldn't? Is it just a case that a router between the two sites doesn't support an MTU of 1400?

          Thanks,
          Daniel

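As an added worked example (not from the thread or from pfSense), here is the ESP tunnel-mode size arithmetic behind the 1400 vs 1370 observation. Assumptions: pfSense derives the clamped MSS by subtracting 40 bytes (IPv4 + TCP headers) from the configured value; the tunnel uses AES-CBC (16-byte IV and block) with a 12-byte HMAC-SHA1-96 ICV; NAT-T adds an 8-byte UDP header; the path MTU of 1450 is a constructed figure for a reduced-MTU hop, not a value from the thread.

```python
# Added example: estimate the on-the-wire size of an IPsec ESP tunnel-mode packet
# carrying a full-size TCP segment, to show why an MSS clamp of 1400 can still
# exceed a reduced path MTU while 1370 fits.
# Assumptions (not from the thread): the clamp value becomes max-mss = value - 40
# (IPv4 20 + TCP 20); ESP uses AES-CBC (16-byte IV, 16-byte block) with
# HMAC-SHA1-96 (12-byte ICV); NAT-T adds an 8-byte UDP header.

IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

def clamped_mss(clamp_value: int) -> int:
    """MSS assumed to result from pfSense's VPN MSS clamping setting (value - 40)."""
    return clamp_value - IPV4_HDR - TCP_HDR

def esp_tunnel_size(inner_len: int, iv_len: int = 16, block: int = 16,
                    icv_len: int = 12, nat_t: bool = False) -> int:
    """Outer IPv4 length of an ESP tunnel-mode packet encapsulating inner_len bytes."""
    # Inner packet plus ESP trailer is padded up to a multiple of the cipher block.
    padded = inner_len + ESP_TRAILER
    padded += (-padded) % block
    size = IPV4_HDR + ESP_HDR + iv_len + padded + icv_len
    if nat_t:
        size += 8      # UDP header for NAT traversal
    return size

def wire_size_for_clamp(clamp_value: int, **kw) -> int:
    """Largest ESP packet produced by a full TCP segment under this clamp value."""
    inner = IPV4_HDR + TCP_HDR + clamped_mss(clamp_value)   # equals clamp_value
    return esp_tunnel_size(inner, **kw)

def fits_path(clamp_value: int, path_mtu: int, **kw) -> bool:
    """True if the largest encrypted packet passes a hop with this MTU unfragmented."""
    return wire_size_for_clamp(clamp_value, **kw) <= path_mtu

if __name__ == "__main__":
    path_mtu = 1450   # constructed figure for a reduced-MTU hop between the sites
    for clamp in (1400, 1370):
        for nat_t in (False, True):
            size = wire_size_for_clamp(clamp, nat_t=nat_t)
            verdict = "fits" if size <= path_mtu else "too big"
            print(f"clamp={clamp} nat_t={nat_t}: ESP packet {size} bytes, "
                  f"{verdict} for path MTU {path_mtu}")
```

Under these assumptions a 1400 clamp yields 1464-byte ESP packets (1472 with NAT-T) and a 1370 clamp yields 1432 (1440), so any hop with an MTU between 1432 and 1463 bytes that silently drops oversized or fragmented ESP would produce exactly the observed behaviour; a DF-set ping sweep across the tunnel can confirm the real figure.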