    [SOLVED] openvpn site 2 site after upgrade from 2.0.3 to 2.1 - NAT ISSUE

    Routing and Multi WAN
    heper wrote:

      This is a post for whoever has to debug some strange behaviour after updating to 2.1

      After updating to 2.1 I've noticed that my DFS (distributed file system | MS 2008 server) started giving errors
      (they showed up at random times, sometimes twice a minute, sometimes 10 minutes apart):

      The DFS Replication service is stopping communication with partner XXXX for replication group domain.lan\dfs_shares\share due to an error. The service will retry the connection periodically.

      Additional Information:
      Error: 1726 (The remote procedure call failed.)

      The DFS Replication service successfully established an inbound connection with partner XXXX for replication group domain.lan\dfs_shares\share

      Additional Information:
      Connection Address Used: DC.domain.lan

      I didn't immediately figure out what was wrong. My network monitoring system didn't show any high latency warnings on the OpenVPN, nor did my pings show any packet loss. I could RDP/ping/SMB from both ends without any issues whatsoever.
      In short: I couldn't find any problems with the connection until:

      On SITE-A I couldn't find anything suspicious in the firewall logs.
      On SITE-B I found tons of blocked entries in the logs:

      The rule that triggered this action is:

      @5 scrub on ovpnc4 all fragment reassemble
      @5 block drop in log inet all label "Default deny rule IPv4"

      Tons of TCP:A and TCP:RA from DC-A -> DC-B

      After a while I started looking into outbound NAT. For whatever reason the upgrade caused AON to create outbound NAT rules for ALL my OpenVPN interfaces (I have interfaces assigned to the OpenVPN tunnels).
      I turned off AON on both pfSense devices and went to manual; I removed all OpenVPN-related NAT entries and the problem went away.

      I hope it helps someone in the future.

      Jeroen

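A small check for the combination the post describes, added here as an example and not code from the post or from pfSense: it reads `pfctl -sn`-style outbound NAT rules, reads firewall block-log entries, and reports tunnel interfaces that both carry an outbound NAT rule and drop mid-stream TCP (ACK / RST-ACK with no SYN) under the default deny. The NAT rule lines and log lines are constructed samples in a simplified field layout, and the `ovpn` interface-name prefix is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the shape of `pfctl -sn` output (not taken from the post).
NAT_RULES = """\
nat on em0 inet from 192.168.1.0/24 to any -> (em0) port 1024:65535
nat on ovpnc4 inet from 192.168.1.0/24 to any -> (ovpnc4) port 1024:65535
nat on ovpnc4 inet from 127.0.0.0/8 to any -> (ovpnc4) port 1024:65535
"""

# Constructed, simplified block-log lines: interface, action, proto, src, dst, TCP flags.
# This mimics the fields the pfSense firewall log view shows, not the exact on-disk format.
BLOCK_LOG = """\
ovpnc4 block TCP 192.168.1.10:49152 192.168.2.10:445 A
ovpnc4 block TCP 192.168.1.10:49153 192.168.2.10:135 RA
ovpnc4 block TCP 192.168.1.10:49154 192.168.2.10:445 A
em0 block TCP 203.0.113.5:40000 198.51.100.2:22 S
"""

NAT_RE = re.compile(r"^nat on (\S+) ")
LOG_RE = re.compile(r"^(\S+) block TCP (\S+) (\S+) (\S+)$")
# Flag sets that only occur inside an already-open session; a default deny on a
# healthy site-to-site tunnel should not be dropping these.
MIDSTREAM = {"A", "RA", "PA", "FA", "FPA"}


def nat_interfaces(rules: str) -> set:
    """Interfaces that carry at least one outbound NAT rule."""
    return {m.group(1) for line in rules.splitlines() if (m := NAT_RE.match(line))}


def midstream_blocks(log: str) -> Counter:
    """Per-interface count of blocked TCP packets whose flags show an open session (no SYN)."""
    counts = Counter()
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(4) in MIDSTREAM:
            counts[m.group(1)] += 1
    return counts


def suspect_vpn_nat(rules: str, log: str, vpn_prefix: str = "ovpn") -> list:
    """Tunnel interfaces (assumed prefix) with an outbound NAT rule AND mid-stream drops."""
    natted = nat_interfaces(rules)
    blocks = midstream_blocks(log)
    return sorted(i for i in natted if i.startswith(vpn_prefix) and blocks[i] > 0)


if __name__ == "__main__":
    for iface in suspect_vpn_nat(NAT_RULES, BLOCK_LOG):
        print(f"{iface}: outbound NAT rule present and mid-stream TCP dropped; review Outbound NAT mode")
```

On a live box the two inputs would come from `pfctl -sn` and the firewall log export; the interface that turns up is the one to look at in Firewall > NAT > Outbound.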