[SOLVED] openvpn site 2 site after upgrade from 2.0.3 to 2.1 - NAT ISSUE



  • This is a post for whoever has to debug some strange behaviour after updating to 2.1

    After updating to 2.1 I've noticed that my DFS (Distributed File System | MS 2008 Server) started giving errors
    (they showed up at random times, sometimes twice a minute, sometimes 10 minutes apart):

    The DFS Replication service is stopping communication with partner XXXX for replication group domain.lan\dfs_shares\share due to an error. The service will retry the connection periodically. 
    
    Additional Information: 
    Error: 1726 (The remote procedure call failed.) 
    
    
    The DFS Replication service successfully established an inbound connection with partner XXXX for replication group domain.lan\dfs_shares\share 
    
    Additional Information: 
    Connection Address Used: DC.domain.lan 
    
    

    I didn't immediately figure out what was wrong. My network monitoring system didn't show any high latency warnings on the OpenVPN, nor did my pings show any packet loss. I could RDP/ping/SMB from both ends without any issues whatsoever.
    In short: I couldn't find any problems with the connection until:

    On SITE-A I couldn't find anything suspicious in the firewall logs.
    On SITE-B I found tons of blocked entries in the logs:

    The rule that triggered this action is:
    
    @5 scrub on ovpnc4 all fragment reassemble
    @5 block drop in log inet all label "Default deny rule IPv4"
    

    Tons of TCP:A and TCP:RA from DC-A -> DC-B

    After a while I started looking into outbound NAT. For whatever reason the upgrade caused AON to create outbound NAT rules for ALL my OpenVPN interfaces (I have interfaces assigned to the OpenVPN tunnels).
    I turned off AON on both pfSense devices and went to manual; I removed all OpenVPN-related NAT entries and the problem went away.

    I hope it helps someone in the future.

    Jeroen
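Two checks for the symptom described in the post, added here as an example and not the poster's own code: count default-deny blocks of mid-stream TCP packets (ACK / RST-ACK, the TCP:A and TCP:RA entries above) on OpenVPN interfaces from pfSense filterlog lines, and list the outbound NAT rules that `pfctl -sn` shows bound to OpenVPN interfaces. The log lines, NAT rules and addresses are constructed samples; the interface names follow pfSense's ovpncN/ovpnsN convention.

```python
import csv
import re
from collections import Counter
from io import StringIO

# Constructed sample lines in pfSense filterlog CSV layout (rule, sub-rule, anchor, tracker,
# interface, reason, action, direction, ip-version, tos, ecn, ttl, id, offset, flags,
# proto-id, proto, length, src, dst, src-port, dst-port, data-len, tcp-flags, ...).
SAMPLE_FILTERLOG = """\
5,,,1000000103,ovpnc4,match,block,in,4,0x0,,127,1001,0,DF,6,tcp,40,10.10.1.10,10.10.2.10,49220,445,0,A,,,,,
5,,,1000000103,ovpnc4,match,block,in,4,0x0,,127,1002,0,DF,6,tcp,40,10.10.1.10,10.10.2.10,49220,445,0,RA,,,,,
5,,,1000000103,ovpnc4,match,block,in,4,0x0,,127,1003,0,DF,6,tcp,40,10.10.1.10,10.10.2.10,49221,135,0,A,,,,,
5,,,1000000103,em0,match,block,in,4,0x0,,64,2001,0,DF,6,tcp,60,203.0.113.9,198.51.100.2,51000,22,0,S,,,,,
"""

# Constructed sample of `pfctl -sn` output in the shape automatic outbound NAT produces.
SAMPLE_NAT_RULES = """\
nat on em0 inet from 10.10.2.0/24 to any port = isakmp -> 198.51.100.2 static-port
nat on em0 inet from 10.10.2.0/24 to any -> 198.51.100.2 port 1024:65535
nat on ovpnc4 inet from 10.10.2.0/24 to any -> 10.8.0.2 port 1024:65535
"""

OPENVPN_IF = re.compile(r"^ovpn[cs]\d+$")  # pfSense OpenVPN client/server interfaces

def midstream_blocks(log_text):
    """Count blocked TCP packets on OpenVPN interfaces whose flags carry no SYN.
    A default-deny block on an ACK or RST-ACK packet means pf held no state for
    that established flow, which is what the DFS/RPC errors in the post look
    like in the firewall log."""
    counts = Counter()
    for row in csv.reader(StringIO(log_text)):
        if len(row) < 24:
            continue
        iface, action, proto = row[4], row[6], row[16]
        src, dst, tcp_flags = row[18], row[19], row[23]
        if action != "block" or proto != "tcp" or not OPENVPN_IF.match(iface):
            continue
        if "S" in tcp_flags:
            continue  # blocked SYNs are ordinary policy denies, not lost state
        counts[(iface, src, dst, tcp_flags)] += 1
    return counts

def nat_on_openvpn(pfctl_sn_text):
    """Return outbound NAT rules bound to OpenVPN interfaces. On a routed
    site-to-site tunnel these rewrite the source address/port of LAN traffic,
    so the remote site sees the tunnel endpoint instead of the LAN host."""
    return [line for line in pfctl_sn_text.splitlines()
            if (m := re.match(r"^nat on (\S+) ", line)) and OPENVPN_IF.match(m.group(1))]
```

On a live box, feed `pfctl -sn` output and `clog /var/log/filter.log` lines (with the syslog prefix stripped) into the two functions; a non-empty NAT list together with a growing mid-stream block count is the pattern the post describes.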