[SOLVED] openvpn site 2 site after upgrade from 2.0.3 to 2.1 - NAT ISSUE
-
This is a post for whoever has to debug some strange behaviour after updating to 2.1
After updating to 2.1 i've noticed that my DFS (distributed file system | ms 2008 server) started giving errors:
(they showed up on random times, sometimes twice a minute, sometimes 10 minutes apart)The DFS Replication service is stopping communication with partner XXXX for replication group domain.lan\dfs_shares\share due to an error. The service will retry the connection periodically. Additional Information: Error: 1726 (The remote procedure call failed.)The DFS Replication service successfully established an inbound connection with partner XXXX for replication group domain.lan\dfs_shares\share Additional Information: Connection Address Used: DC.domain.lanI didn't immediatly figure out what was wrong. My network monitoring system didn't show any high latency warnings on the openvpn, nor did my pings show any packet loss. I could rdp/ping/smb from both ends without any issues whatsoever.
In short: I couldn't find any problems with the connection until:On SITE-A i couldn't find anything suspicious in the firewall-logs.
On SITE-B i found tons of blocked entries in the logs:The rule that triggered this action is: @5 scrub on ovpnc4 all fragment reassemble @5 block drop in log inet all label "Default deny rule IPv4"Tons of TCP:A and TCP:RA from DC-A –> DC-B
After a while i started looking into outbound-NAT. For whatever reason the upgrade caused AON to create outbound nat rules for ALL my openvpn-interfaces. ( I have interfaces assigned to the openvpn tunnels).
I turned off AON on both pfsense devices and went to manual ; i removed all openvpn-related NAT entries and the problem went away.I hope it helps someone in the future.
Jeroen