Traffic Stop on IPSec Connectin

siri69

I have running now an IP-Sec tunnel to company,
but there seems some problems when transfering much data…

When I view a very long website from company internet the web page is transfered half and then nothing happend... I can do reload and it will go on but only to the same line, not complet...
also from different computers behind pfsense.

Also when do Remote Desktop Connection and transfering and view a big grafik the transfer stop and remote console hang. Disconet and reconnect will go on.

can this a problem of different MTUs ?? Or problem with Coding Engine?

I try with ping -f -l 1472 is ok, 1473 will be fragmented. The D-Link router is default set for IPSec tp 1424, did not find in pfSense a MTU setting for this.

run it with E1000 and now with the Default Network from VMWare Server on both the same.

sullrich

Try checking System -> Advanced -> Prefer old IPsec SAs

siri69

Set this, nothing changed.
Also try the DF-Switch.

The transfer stop only in one Direction ipsec-Company-LAN -> pfsene LAN when I upload a file via FTP to company it will work.
It seems that it stop allways on the same position… 76KByte with FTP, 107 with HTTP

realy strange.

Try it also again with GSX Server and old 10MBit LAN Cards.
Also with Last Snapshot from 4.2.2006 allways the same.
In the Logfiles is nothing special reportetd at this moment

ftstop1.jpg_thumb

hoba

Check the others end logs, it might be an issue of the dlink.

siri69

In D-Link logs also no special happend at this moment.
Have also changed the coding from DES3 to AES but also the same.
When Data should be slow transfered it seems ok only when downloas something…
at the same time i can eg. view in an other session via remote console the logfile from d-link... so connection is not broken.

normal WAN downloads are whitout prob possibel.
and also Uploads to via IPSec.

Have also dissabeld trafic shaping rules... nothing :-(

siri69

Problem ist the default MTU Setting from D-Link DFL-1100.

after change the MTU from 1424 to 1472 Filetransfer and also intranet websites will work now.

http://forum.pfsense.org/index.php?topic=927.msg5562#msg5562

Why MTU 1472 ? I try on a workstation behind pfsense to ping a workstation behind the D-Link.

ping 172.16.170.8 -f -l 1472

Ping wird ausgeführt für 172.16.170.8 mit 1472 Bytes Daten:

Antwort von 172.16.170.8: Bytes=1472 Zeit=47ms TTL=126
Antwort von 172.16.170.8: Bytes=1472 Zeit=48ms TTL=126

ping 172.16.180.8 -f -l 1473

Ping wird ausgeführt für 172.16.180.8 mit 1473 Bytes Daten:

Paket müsste fragmentiert werden, DF-Flag ist jedoch gesetzt.
Paket müsste fragmentiert werden, DF-Flag ist jedoch gesetzt.

Ping-Statistik für 172.16.180.8:
Pakete: Gesendet = 2, Empfangen = 0, Verloren = 2 (100% Verlust),