Bug #1543
closed
2 Different Simultaneous OpenVPN Clients - Packet Loss
0%
Description
2.0-RC2 (i386) (NANOBSD)
built on Sun May 15 04:00:16 EDT 2011
I'm using a recent build, and I have 2 simultaneous OpenVPN connections running with outbound NAT on both.
Both client instances of openvpn start, and both initiate tunnels just fine. Routing is setup correctly from all PUSH options from the different openvpn servers. The subnets do not collide (10.0.0.0/8 and 192.168.2.0/24), the internal subnet that is handled by the pfsense box is 192.168.0.0/23.
From what I can tell the NAT rules are established correctly for both openvpn connections, since I can get some pings back. When I ping a host on Tunnel A from the internal network, the first pings will come through fine in succession, with no packet loss and will continue for the duration of the running ping command (on Linux and on OSX), the second time I run the command (after stopping the first running ping) no pings come through for the duration of the running command. If I start and stop the command or just loop sending 1 ICMP packet I see a round robin behavior of packet loss. This also happens to any hosts on Tunnel B.
If I disable (in the GUI) one of the openvpn clients, this behavior still exists. Its not until I disable BOTH client instances and enable only one of them that all packets continue through 100% of the time.
Can I provide any more debugging?
Files
| openc1.pcap (1.45 KB) openc1.pcap | |||
| openc2.pcap (1.75 KB) openc2.pcap | |||
| Screen_shot_2011-05-19_at_1.24.12_PM.png (62.4 KB) Screen_shot_2011-05-19_at_1.24.12_PM.png |
Updated by Jim Pingle almost 14 years ago
Do you have both of these OpenVPN interfaces assigned as OPT interfaces?
Seeing your full config might be helpful.
Also packet captures from both OpenVPN interfaces when you are seeing this behavior.
Updated by K Mullin almost 14 years ago
I've tried assigning both OpenVPN instances to an OPT interfaces, this does not seem to have any effect.
Which config would you like to see?
Also, getting 500 error from RedMine trying to attach any file... the tcpdumps clearly show round robin behavior.
Updated by Jim Pingle almost 14 years ago
Uploads to here should be fixed. It would be helpful to see exactly how your outbound NAT rule(s) are configured.
You should try to assign both OpenVPN interfaces as OPT interfaces and make sure your outbound NAT rules are crafted such that the proper rules are set on both interfaces there. So you'd have one rule per assigned OpenVPN interface, and not using the 'openvpn' choice in the interface field.
If that works there may be an issue with that 'openvpn' choice and outbound NAT.
Updated by K Mullin almost 14 years ago
- File openc1.pcap openc1.pcap added
- File openc2.pcap openc2.pcap added
- File Screen_shot_2011-05-19_at_1.24.12_PM.png Screen_shot_2011-05-19_at_1.24.12_PM.png added
Attached are original tcpdumps of a few ICMP packets. As well as a screenshot of the Outbound NAT rules.
I have tried individual Outbound NAT rules for each OPT interface, this actually doesn't work even with a single OPT interface and a single openVPN client.
Updated by K Mullin almost 14 years ago
K Mullin wrote:
I have tried individual Outbound NAT rules for each OPT interface, this actually doesn't work even with a single OPT interface and a single openVPN client.
Actually, scratch that. I your suggestion worked. Apparently you need to "enable" the OPT interfaces after "assigning" them to the openvpn client.
Both tunnels are now up, with 0 packet loss through either.
Is there anything else I can provide for testing/debugging while I have this setup?
Updated by 