Project

General

Profile

Actions

Bug #7779

open

Traffic crossing a site-to-site OpenVPN tunnel fails to fragment.

Added by Steve Wheeler over 7 years ago. Updated over 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
OpenVPN
Target version:
-
Start date:
08/16/2017
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
All
Affected Architecture:

Description

In some circumstances traffic crossing an OpenVPN site-to-site tunnel with packets larger that the local network MTU can fail to fragment correctly leaving the local interface.

Traffic is fragmented correctly crossing the tunnel in either direction so if you hit this issue you will be able to, for example, ping with large packets a remote pfSense LAN interface IP but not anything else on that LAN subnet.

A work-around for this issue is to assign and enable the OpenVPN interface at the failing end. After that pf will add rules to that traffic and fragment packets correctly.


Related issues

Related to Bug #7801: UDP fragments received over IPsec tunnel are not properly reassembled and forwardedClosedViktor Gurov08/22/2017

Actions
Actions #1

Updated by Steve Wheeler over 7 years ago

Example, ticket 23040

Actions #2

Updated by Rajko Ray Bogdanovic over 7 years ago

Steve Wheeler wrote:

In some circumstances traffic crossing an OpenVPN site-to-site tunnel with packets larger that the local network MTU can fail to fragment correctly leaving the local interface.

Traffic is fragmented correctly crossing the tunnel in either direction so if you hit this issue you will be able to, for example, ping with large packets a remote pfSense LAN interface IP but not anything else on that LAN subnet.

A work-around for this issue is to assign and enable the OpenVPN interface at the failing end. After that pf will add rules to that traffic and fragment packets correctly.

Hi Steve,

It seems that problem goes beyond OpenVPN. With disabled Open VPN and enabled direct routing MTU problem still exist on pfsense firewall that were installed with version prior to 2.3.3 and then were upgraded to last ver.

Workaround it seems worked in lab, but did not in production.

Ping probes from inside interface toward remote site were delivered fine and replied, but when packet is sent from system connected to pfsense, packets with mtu over 1470 get dropped.

Actions #3

Updated by Steve Wheeler about 7 years ago

We were able to disprove the situation with OpenVPN disabled. The initial description still holds.

Actions #4

Updated by Viktor Gurov over 3 years ago

see also #7801

Actions #5

Updated by Viktor Gurov almost 3 years ago

  • Related to Bug #7801: UDP fragments received over IPsec tunnel are not properly reassembled and forwarded added
Actions

Also available in: Atom PDF