From: Gary Palmer <gpalmer@freebsd.org>
To: Paul Keusemann
Cc: freebsd-net@freebsd.org
Date: Wed, 20 Jul 2011 16:15:02 -0400
Subject: Re: Debugging dropped shell connections over a VPN
Message-ID: <20110720201502.GA37199@in-addr.com>
In-Reply-To: <4E1C9FEA.2080608@visi.com>
List-Id: Networking and TCP/IP with FreeBSD

On Tue, Jul 12, 2011 at 02:26:34PM -0500, Paul Keusemann wrote:
> On 07/07/11 14:39, Chuck Swiger wrote:
> >On Jul 7, 2011, at 4:45 AM, Paul Keusemann wrote:
> >>My setup is something like this:
> >>- My local network is a mix of AIX, HP-UX, Linux, FreeBSD and Solaris
> >>  machines running various OS versions.
> >>- My gateway / firewall machine is running FreeBSD-8.1-RELEASE-p1 with
> >>  ipfw, nat and racoon for the firewall and VPN.
> >>
> >>The problem is that rlogin, ssh and telnet connections over the VPN get
> >>dropped after some period of inactivity.
> >
> >You're probably getting NAT timeouts against the VPN connection if it is
> >left idle. racoon ought to have a config setting called natt_keepalive
> >which sends periodic keepalives -- see whether that's disabled.
> >
> >Regards,
>
> Thanks for the suggestions Chuck, sorry it's taken so long to respond
> but I had to reconfigure and rebuild my kernel to enable IPSEC_NAT_T in
> order to try this out.
>
> One thing that I did not explicitly mention before is that I am routing
> a network over the VPN.

Hi Paul,

Even if you are not being NAT'd on the VPN there may be a firewall (or
other active network component like a load balancer) with an overflowing
state table somewhere at the remote end. We see this frequently where I
work with customer networks and the firewall/VPN/network admin denies
that it's a time out issue, so there is likely some device in the network
that has a state table and if the connection is idle for a few minutes it
gets dropped.

Regards,

Gary
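One way to test the hypothesis above (an idle-timing device somewhere in the path), as an added example that is not part of the thread: a small Python probe that opens a TCP connection, stays silent for a chosen period, then sends one byte and checks whether the connection still works. A constructed local echo server that drops connections idle longer than a fixed timeout stands in for the stateful middlebox; against a real path you would point `survives_idle` at a host and port you control on the far side of the VPN.

```python
import socket
import threading
import time


def idle_timeout_server(timeout):
    """Constructed stand-in for a stateful firewall/NAT: an echo server on
    127.0.0.1 that closes any connection idle for more than `timeout` s.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.settimeout(timeout)  # recv() raises if the peer stays idle
            try:
                while True:
                    data = conn.recv(1)
                    if not data:      # client closed normally
                        break
                    conn.sendall(data)
            except socket.timeout:
                pass                  # idle too long: "state table" entry dropped
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def survives_idle(port, idle, host="127.0.0.1"):
    """Connect, stay idle for `idle` seconds, then send a byte and report
    whether the echo still comes back (True) or the path dropped us."""
    with socket.create_connection((host, port), timeout=2) as s:
        time.sleep(idle)
        try:
            s.sendall(b"x")
            return s.recv(1) == b"x"  # b"" (FIN) or RST means the state was lost
        except (ConnectionError, socket.timeout):
            return False


def longest_surviving_idle(port, candidates, host="127.0.0.1"):
    """Try idle periods in ascending order; return the longest that survives,
    or None if even the shortest one is dropped."""
    best = None
    for idle in sorted(candidates):
        if not survives_idle(port, idle, host):
            break
        best = idle
    return best
```

The longest surviving idle period brackets the device's timeout, which tells you what keepalive interval (SSH, racoon, or the application) needs to stay below.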