From: Max Laier
To: freebsd-net@freebsd.org
Cc: Volker, Michael VInce
Date: Sun, 23 Oct 2005 01:40:27 +0200
Subject: Re: IPSec tcp session stalling

To try something else: Could you guys try to disable SACK on the machines
involved? I haven't looked at the dumps as of yet, but that's one simple
test that might help to identify the problem.

  sysctl net.inet.tcp.sack.enable=0

On Sunday 23 October 2005 02:23, Volker wrote:
> Michael,
>
> I'm not that sure if I'm right in checking what you suggested but when
> trying to do ping hostB from hostA with oversized packets through the
> IPSec tunnel by:
>
> # ping -c 10 -s 12000 10.128.6.1
>
> I'm getting replies easily.
>
> While doing that and tcpdump'ing the gif interface, I'm seeing the
> fragmented packets coming in properly.
>
> If that's a reliable check for MTU then the problem should not be MTU
> related. Is there any other way to check MTU problems by using `ping'?
>
> Thanks,
>
> Volker
>
> On 2005-10-22 20:16, Michael VInce wrote:
> > Try sending different sized pings or other packet size control utils to
> > really make sure it's not MTU related.
> > Maybe there is an upstream router that's blocking ICMP fragment packets,
> > have you ever seen them? Try forcing the creation of some.
> >
> > Mike
> >
> > Volker wrote:
> >> Still having the same problem with an IPSec tunnel between FreeBSD 5.4R
> >> hosts.
> >>
> >> Problem description:
> >> scp session tries to transfer a large file through an IPSec tunnel. The
> >> file is being transmitted but scp says 'stalled' after 56K (49152 bytes
> >> file size). The IPSec tunnel itself is still up even after the scp
> >> abort. Other tcp sessions break, too, when sending too much traffic
> >> through the tunnel.
> >>
> >> I've taken a closer look at it and tried to get something useful out of
> >> the tcpdump but I'm unable to see any errors or I'm misinterpreting
> >> something.
> >>
> >> The connection looks like:
> >>
> >> extIP: A.B.C.D                                   extIP: E.F.G.H
> >> host A ------------------ (internet) ------------------ host B
> >> tunnelIP: 10.128.1.6                       tunnelIP: 10.128.6.1
> >>
> >> host A just has an external interface (em1) connected to a leased line
> >> with a fixed IP address (IP-addr A.B.C.D).
> >> host B has an S-DSL connection at xl0, PPPoE at ng0 (IP-addr. E.F.G.H).
> >>
> >> Both hosts are using gif for the IPSec tunnel.
> >>
> >> The routing tables (netstat -rnWf inet) are looking good and IMHO the
> >> MTU is fine.
> >>
> >> host A:
> >> em1: flags=8843 mtu 1500
> >>         options=b
> >>         inet A.B.C.D netmask 0xfffffff8 broadcast A.B.C.z
> >>         ether 00:c0:9f:46:ec:c7
> >>         media: Ethernet autoselect (100baseTX )
> >>         status: active
> >> gif6: flags=8051 mtu 1280
> >>         tunnel inet A.B.C.D --> E.F.G.H
> >>         inet 10.128.1.6 --> 10.128.6.1 netmask 0xffffffff
> >>         inet6 fe80::2c0:9fff:fe46:ecc6%gif6 prefixlen 64 scopeid 0x4
> >>
> >> Routing tables (shortened)
> >> Destination        Gateway            Flags    Refs      Use    Mtu  Netif Expire
> >> default            A.B.C.x            UGS         2   516686   1500  em1
> >> 10.128.1.6         127.0.0.1          UH          0       14  16384  lo0
> >> 10.128.6.1         10.128.1.6         UH          0     6017   1280  gif6
> >> 127.0.0.1          127.0.0.1          UH          0    31633  16384  lo0
> >> A.B.C.x/29         link#2             UC          0        0   1500  em1
> >> A.B.C.D            00:c0:9f:46:ec:c7  UHLW        0      112   1500  lo0
> >>
> >> On host B the interfaces and routing tables are looking like:
> >> xl0: flags=8843 mtu 1500
> >>         options=8
> >>         inet 0.0.0.0 netmask 0xff000000 broadcast 0.255.255.255
> >>         inet6 fe80::260:8ff:fe6c:e73c%xl0 prefixlen 64 scopeid 0x1
> >>         ether 00:60:08:6c:e7:3c
> >>         media: Ethernet 10baseT/UTP (10baseT/UTP )
> >>         status: active
> >> gif1: flags=8051 mtu 1280
> >>         tunnel inet E.F.G.H --> A.B.C.D
> >>         inet6 fe80::260:8ff:fe6c:e73c%gif1 prefixlen 64 scopeid 0x4
> >>         inet 10.128.6.1 --> 10.128.1.6 netmask 0xffffffff
> >> ng0: flags=88d1 mtu 1456
> >>         inet E.F.G.H --> 217.5.98.186 netmask 0xffffffff
> >>
> >> Routing tables (shortened)
> >> Destination        Gateway            Flags    Refs      Use    Mtu  Netif Expire
> >> 0                  link#1             UC          0        0   1500  xl0 =>
> >> default            217.5.98.186       UGS         1    38474   1456  ng0
> >> 10.128.1.6         10.128.6.1         UH          4     2196   1280  gif1
> >> 127.0.0.1          127.0.0.1          UH          0    80424  16384  lo0
> >> 217.5.98.186       E.F.G.H            UH          1        0   1456  ng0
> >> E.F.G.H            lo0                UHS         0        0  16384  lo0
> >>
> >> While trying to fetch a file by scp on host A (receiver) from host B
> >> (sender), I captured the following tcpdump on host B:
> >>
> >> tcpdump -netttvvi gif1:
> >>> 000023 AF 2 1280: IP (tos 0x8, ttl 64, id 13202, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.53160: . 43864:45092(1228) ack 1330 win 33156 >>> 565002838>
> >>> 000207 AF 2 1280: IP (tos 0x8, ttl 64, id 52187, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.53160: . 45092:46320(1228) ack 1330 win 33156 >>> 565002838>
> >>> 000220 AF 2 1280: IP (tos 0x8, ttl 64, id 33774, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.53160: . 46320:47548(1228) ack 1330 win 33156 >>> 565002838>
> >>> 003524 AF 2 52: IP (tos 0x8, ttl 64, id 42063, offset 0, flags [none], length: 52) 10.128.1.6.53160 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 38952 win 33156 >>> 481770524>
> >>> 000024 AF 2 1280: IP (tos 0x8, ttl 64, id 48541, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.53160: . 47548:48776(1228) ack 1330 win 33156 >>> 565002844>
> >>> 011203 AF 2 52: IP (tos 0x8, ttl 64, id 60517, offset 0, flags [none], length: 52) 10.128.1.6.53160 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 41408 win 32542 >>> 481770530>
> >>> 000058 AF 2 1280: IP (tos 0x8, ttl 64, id 15798, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.53160: . 48776:50004(1228) ack 1330 win 33156 >>> 565002855>
> >>> 000246 AF 2 1280: IP (tos 0x8, ttl 64, id 31721, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.53160: . 50004:51232(1228) ack 1330 win 33156 >>> 565002855>
> >>> 005147 AF 2 52: IP (tos 0x8, ttl 64, id 22347, offset 0, flags [none], length: 52) 10.128.1.6.53160 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 42636 win 33156 >>> 481770542>
> >>> 000024 AF 2 1280: IP (tos 0x8, ttl 64, id 61057, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.53160: . 51232:52460(1228) ack 1330 win 33156 >>> 565002861>
> >>> 020769 AF 2 52: IP (tos 0x8, ttl 64, id 27692, offset 0, flags [none], length: 52) 10.128.1.6.53160 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 45092 win 32542 >>> 481770547>
> >>> 000027 AF 2 1280: IP (tos 0x8, ttl 64, id 64167, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.53160: . 52460:53688(1228) ack 1330 win 33156 >>> 565002881>
> >>> 000209 AF 2 1280: IP (tos 0x8, ttl 64, id 45457, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.53160: . 53688:54916(1228) ack 1330 win 33156 >>> 565002881>
> >>> 005260 AF 2 52: IP (tos 0x8, ttl 64, id 53832, offset 0, flags [none], length: 52) 10.128.1.6.53160 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 46320 win 33156 >>> 481770567>
> >>> 000024 AF 2 1280: IP (tos 0x8, ttl 64, id 3515, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.53160: . 54916:56144(1228) ack 1330 win 33156 >>> 565002887>
> >>> 011020 AF 2 52: IP (tos 0x8, ttl 64, id 11608, offset 0, flags [none], length: 52) 10.128.1.6.53160 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 48776 win 32542 >>> 481770568>
> >>> 000026 AF 2 1280: IP (tos 0x8, ttl 64, id 5848, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.53160: . 56144:57372(1228) ack 1330 win 33156 >>> 565002898>
> >>> 000211 AF 2 1280: IP (tos 0x8, ttl 64, id 39892, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.53160: . 57372:58600(1228) ack 1330 win 33156 >>> 565002898>
> >>> 005641 AF 2 52: IP (tos 0x8, ttl 64, id 7943, offset 0, flags [none], length: 52) 10.128.1.6.53160 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 50004 win 33156 >>> 481770582>
> >>> 000024 AF 2 1280: IP (tos 0x8, ttl 64, id 8678, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.53160: . 58600:59828(1228) ack 1330 win 33156 >>> 565002904>
> >>> 011072 AF 2 52: IP (tos 0x8, ttl 64, id 38257, offset 0, flags [none], length: 52) 10.128.1.6.53160 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 52460 win 32542 >>> 481770583>
> >>> 000025 AF 2 1280: IP (tos 0x8, ttl 64, id 12255, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.53160: . 59828:61056(1228) ack 1330 win 33156 >>> 565002915>
> >>> 000209 AF 2 1280: IP (tos 0x8, ttl 64, id 46257, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.53160: . 61056:62284(1228) ack 1330 win 33156 >>> 565002915>
> >>> 000222 AF 2 1280: IP (tos 0x8, ttl 64, id 4093, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.53160: . 62284:63512(1228) ack 1330 win 33156 >>> 565002915>
> >>> 007065 AF 2 52: IP (tos 0x8, ttl 64, id 18720, offset 0, flags [none], length: 52) 10.128.1.6.53160 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 53688 win 33156 >>> 481770609>
> >>> 000025 AF 2 1280: IP (tos 0x8, ttl 64, id 38378, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.53160: . 63512:64740(1228) ack 1330 win 33156 >>> 565002922>
> >>> 011034 AF 2 52: IP (tos 0x8, ttl 64, id 18718, offset 0, flags [none], length: 52) 10.128.1.6.53160 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 56144 win 32542 >>> 481770609>
> >>> 000024 AF 2 1280: IP (tos 0x8, ttl 64, id 8148, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.53160: . 64740:65968(1228) ack 1330 win 33156 >>> 565002934>
> >>> 005991 AF 2 52: IP (tos 0x8, ttl 64, id 62285, offset 0, flags [none], length: 52) 10.128.1.6.53160 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 57372 win 33156 >>> 481770625>
> >>> 010726 AF 2 52: IP (tos 0x8, ttl 64, id 1549, offset 0, flags [none], length: 52) 10.128.1.6.53160 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 59828 win 32542 >>> 481770625>
> >>> 005670 AF 2 52: IP (tos 0x8, ttl 64, id 61504, offset 0, flags [none], length: 52) 10.128.1.6.53160 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 61056 win 33156 >>> 481770642>
> >>> 011260 AF 2 52: IP (tos 0x8, ttl 64, id 32633, offset 0, flags [none], length: 52) 10.128.1.6.53160 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 63512 win 32542 >>> 481770642>
> >>> 005510 AF 2 52: IP (tos 0x8, ttl 64, id 54614, offset 0, flags [none], length: 52) 10.128.1.6.53160 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 64740 win 33156 >>> 481770650>
> >>> 104909 AF 2 52: IP (tos 0x8, ttl 64, id 50471, offset 0, flags [none], length: 52) 10.128.1.6.53160 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 65968 win 33156 >>> 481770661>
> >>
> >> tcpdump -netttvvi ng0 host A.B.C.D:
> >>> 000227 AF 2 1352: IP (tos 0x8, ttl 64, id 25895, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x078b2968,seq=0x10b)
> >>> 011042 AF 2 128: IP (tos 0x8, ttl 61, id 5786, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0xf0)
> >>> 000226 AF 2 1352: IP (tos 0x8, ttl 64, id 36701, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x078b2968,seq=0x10c)
> >>> 000216 AF 2 1352: IP (tos 0x8, ttl 64, id 8789, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x078b2968,seq=0x10d)
> >>> 004853 AF 2 128: IP (tos 0x8, ttl 61, id 17128, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0xf1)
> >>> 000227 AF 2 1352: IP (tos 0x8, ttl 64, id 34888, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x078b2968,seq=0x10e)
> >>> 018747 AF 2 128: IP (tos 0x8, ttl 61, id 14828, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0xf2)
> >>> 000248 AF 2 1352: IP (tos 0x8, ttl 64, id 34356, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x078b2968,seq=0x10f)
> >>> 000223 AF 2 1352: IP (tos 0x8, ttl 64, id 34151, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x078b2968,seq=0x110)
> >>> 005030 AF 2 128: IP (tos 0x8, ttl 61, id 45476, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0xf3)
> >>> 000228 AF 2 1352: IP (tos 0x8, ttl 64, id 39765, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x078b2968,seq=0x111)
> >>> 011247 AF 2 128: IP (tos 0x8, ttl 61, id 63692, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0xf4)
> >>> 000226 AF 2 1352: IP (tos 0x8, ttl 64, id 29240, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x078b2968,seq=0x112)
> >>> 000222 AF 2 1352: IP (tos 0x8, ttl 64, id 43306, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x078b2968,seq=0x113)
> >>> 005663 AF 2 128: IP (tos 0x8, ttl 61, id 32980, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0xf5)
> >>> 000228 AF 2 1352: IP (tos 0x8, ttl 64, id 56920, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x078b2968,seq=0x114)
> >>> 010190 AF 2 128: IP (tos 0x8, ttl 61, id 3206, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0xf6)
> >>> 000227 AF 2 1352: IP (tos 0x8, ttl 64, id 4655, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x078b2968,seq=0x115)
> >>> 000215 AF 2 1352: IP (tos 0x8, ttl 64, id 62740, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x078b2968,seq=0x116)
> >>> 000203 AF 2 1352: IP (tos 0x8, ttl 64, id 35642, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x078b2968,seq=0x117)
> >>> 006875 AF 2 128: IP (tos 0x8, ttl 61, id 37801, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0xf7)
> >>> 000234 AF 2 1352: IP (tos 0x8, ttl 64, id 41803, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x078b2968,seq=0x118)
> >>> 010651 AF 2 128: IP (tos 0x8, ttl 61, id 54256, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0xf8)
> >>> 000235 AF 2 1352: IP (tos 0x8, ttl 64, id 30732, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x078b2968,seq=0x119)
> >>> 007913 AF 2 128: IP (tos 0x8, ttl 61, id 7647, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0xf9)
> >>> 011166 AF 2 128: IP (tos 0x8, ttl 61, id 58037, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0xfa)
> >>> 005483 AF 2 128: IP (tos 0x8, ttl 61, id 65275, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0xfb)
> >>> 011250 AF 2 128: IP (tos 0x8, ttl 61, id 47289, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0xfc)
> >>> 005505 AF 2 128: IP (tos 0x8, ttl 61, id 203, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0xfd)
> >>> 104747 AF 2 128: IP (tos 0x8, ttl 61, id 45263, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0xfe)
> >>> 8. 338674 AF 2 128: IP (tos 0x8, ttl 61, id 36351, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0xff)
> >>> 319992 AF 2 128: IP (tos 0x8, ttl 61, id 18085, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0x100)
> >>> 441837 AF 2 128: IP (tos 0x8, ttl 61, id 58323, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0x101)
> >>> 684077 AF 2 128: IP (tos 0x8, ttl 61, id 35487, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0x102)
> >>> 1. 167602 AF 2 128: IP (tos 0x8, ttl 61, id 34442, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0x103)
> >>> 2. 136032 AF 2 128: IP (tos 0x8, ttl 61, id 8345, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0x104)
> >>> 2. 984665 AF 2 128: IP (tos 0x8, ttl 61, id 35456, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x0858046f,seq=0x105)
> >>
> >> From what I'm seeing host B just stops sending without any reason. At
> >> least I don't see any fragmented packets. The only thing I've seen is
> >> some packets don't get ack'ed by the receiver.
> >>
> >> These packets never get ack'ed:
> >> 46320:47548(1228)
> >> 50004:51232(1228)
> >> 53688:54916(1228)
> >> 57372:58600(1228)
> >> 61056:62284(1228)
> >>
> >> On host A I dumped the following:
> >>
> >> tcpdump -netttvvi gif6
> >>
> >>> 1129985378.941282 AF 2 52: IP (tos 0x8, ttl 64, id 41637, offset 0, flags [none], length: 52) 10.128.1.6.59762 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 45092 win 32542 >>> 490857876>
> >>> 1129985378.952628 AF 2 1280: IP (tos 0x8, ttl 64, id 14004, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.59762: . 45092:46320(1228) ack 1330 win 33156 >>> 574090210>
> >>> 1129985378.952657 AF 2 52: IP (tos 0x8, ttl 64, id 23243, offset 0, flags [none], length: 52) 10.128.1.6.59762 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 46320 win 33156 >>> 490857901>
> >>> 1129985378.958250 AF 2 1280: IP (tos 0x8, ttl 64, id 4306, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.59762: . 46320:47548(1228) ack 1330 win 33156 >>> 574090210>
> >>> 1129985378.971118 AF 2 1280: IP (tos 0x8, ttl 64, id 33534, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.59762: . 47548:48776(1228) ack 1330 win 33156 >>> 574090229>
> >>> 1129985378.971137 AF 2 52: IP (tos 0x8, ttl 64, id 60095, offset 0, flags [none], length: 52) 10.128.1.6.59762 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 48776 win 32542 >>> 490857901>
> >>> 1129985378.982488 AF 2 1280: IP (tos 0x8, ttl 64, id 11459, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.59762: . 48776:50004(1228) ack 1330 win 33156 >>> 574090240>
> >>> 1129985378.982516 AF 2 52: IP (tos 0x8, ttl 64, id 33184, offset 0, flags [none], length: 52) 10.128.1.6.59762 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 50004 win 33156 >>> 490857931>
> >>> 1129985378.987989 AF 2 1280: IP (tos 0x8, ttl 64, id 54180, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.59762: . 50004:51232(1228) ack 1330 win 33156 >>> 574090240>
> >>> 1129985378.994231 AF 2 1280: IP (tos 0x8, ttl 64, id 24535, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.59762: . 51232:52460(1228) ack 1330 win 33156 >>> 574090251>
> >>> 1129985378.994250 AF 2 52: IP (tos 0x8, ttl 64, id 30647, offset 0, flags [none], length: 52) 10.128.1.6.59762 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 52460 win 32542 >>> 490857931>
> >>> 1129985379.012101 AF 2 1280: IP (tos 0x8, ttl 64, id 61397, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.59762: . 52460:53688(1228) ack 1330 win 33156 >>> 574090270>
> >>> 1129985379.012132 AF 2 52: IP (tos 0x8, ttl 64, id 60550, offset 0, flags [none], length: 52) 10.128.1.6.59762 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 53688 win 33156 >>> 490857960>
> >>> 1129985379.017754 AF 2 1280: IP (tos 0x8, ttl 64, id 28408, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.59762: . 53688:54916(1228) ack 1330 win 33156 >>> 574090270>
> >>> 1129985379.023720 AF 2 1280: IP (tos 0x8, ttl 64, id 27558, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.59762: . 54916:56144(1228) ack 1330 win 33156 >>> 574090281>
> >>> 1129985379.023741 AF 2 52: IP (tos 0x8, ttl 64, id 21502, offset 0, flags [none], length: 52) 10.128.1.6.59762 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 56144 win 32542 >>> 490857961>
> >>> 1129985379.035333 AF 2 1280: IP (tos 0x8, ttl 64, id 18885, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.59762: . 56144:57372(1228) ack 1330 win 33156 >>> 574090293>
> >>> 1129985379.035362 AF 2 52: IP (tos 0x8, ttl 64, id 59875, offset 0, flags [none], length: 52) 10.128.1.6.59762 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 57372 win 33156 >>> 490857984>
> >>> 1129985379.040830 AF 2 1280: IP (tos 0x8, ttl 64, id 37252, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.59762: . 57372:58600(1228) ack 1330 win 33156 >>> 574090293>
> >>> 1129985379.046576 AF 2 1280: IP (tos 0x8, ttl 64, id 18349, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.59762: . 58600:59828(1228) ack 1330 win 33156 >>> 574090293>
> >>> 1129985379.046595 AF 2 52: IP (tos 0x8, ttl 64, id 43697, offset 0, flags [none], length: 52) 10.128.1.6.59762 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 59828 win 32542 >>> 490857984>
> >>> 1129985379.064961 AF 2 1280: IP (tos 0x8, ttl 64, id 38300, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.59762: . 59828:61056(1228) ack 1330 win 33156 >>> 574090322>
> >>> 1129985379.064993 AF 2 52: IP (tos 0x8, ttl 64, id 47539, offset 0, flags [none], length: 52) 10.128.1.6.59762 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 61056 win 33156 >>> 490858013>
> >>> 1129985379.070688 AF 2 1280: IP (tos 0x8, ttl 64, id 30345, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.59762: . 61056:62284(1228) ack 1330 win 33156 >>> 574090322>
> >>> 1129985379.076184 AF 2 1280: IP (tos 0x8, ttl 64, id 37536, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.59762: . 62284:63512(1228) ack 1330 win 33156 >>> 574090322>
> >>> 1129985379.076202 AF 2 52: IP (tos 0x8, ttl 64, id 34201, offset 0, flags [none], length: 52) 10.128.1.6.59762 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 63512 win 32542 >>> 490858013>
> >>> 1129985379.081680 AF 2 1280: IP (tos 0x8, ttl 64, id 20637, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.59762: . 63512:64740(1228) ack 1330 win 33156 >>> 574090334>
> >>> 1129985379.081709 AF 2 52: IP (tos 0x8, ttl 64, id 59866, offset 0, flags [none], length: 52) 10.128.1.6.59762 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 64740 win 33156 >>> 490858025>
> >>> 1129985379.087678 AF 2 1280: IP (tos 0x8, ttl 64, id 35213, offset 0, flags [none], length: 1280) 10.128.6.1.22 > 10.128.1.6.59762: . 64740:65968(1228) ack 1330 win 33156 >>> 574090345>
> >>> 1129985379.186906 AF 2 52: IP (tos 0x8, ttl 64, id 2465, offset 0, flags [none], length: 52) 10.128.1.6.59762 > 10.128.6.1.22: . [tcp sum ok] 1330:1330(0) ack 65968 win 33156 >>> 490858036>
> >>
> >> tcpdump -netttvvi em1 host E.F.G.H
> >>
> >>> 1129985379.064825 00:13:c4:fa:6c:20 > 00:c0:9f:46:ec:c7, ethertype IPv4 (0x0800), length 1366: IP (tos 0x8, ttl 61, id 45003, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x0e0dffaa,seq=0x3e)
> >>> 1129985379.065024 00:c0:9f:46:ec:c7 > 00:13:c4:fa:6c:20, ethertype IPv4 (0x0800), length 142: IP (tos 0x8, ttl 64, id 1195, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x029a41b4,seq=0x2f)
> >>> 1129985379.070572 00:13:c4:fa:6c:20 > 00:c0:9f:46:ec:c7, ethertype IPv4 (0x0800), length 1366: IP (tos 0x8, ttl 61, id 36820, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x0e0dffaa,seq=0x3f)
> >>> 1129985379.076069 00:13:c4:fa:6c:20 > 00:c0:9f:46:ec:c7, ethertype IPv4 (0x0800), length 1366: IP (tos 0x8, ttl 61, id 44971, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x0e0dffaa,seq=0x40)
> >>> 1129985379.076233 00:c0:9f:46:ec:c7 > 00:13:c4:fa:6c:20, ethertype IPv4 (0x0800), length 142: IP (tos 0x8, ttl 64, id 56964, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x029a41b4,seq=0x30)
> >>> 1129985379.081565 00:13:c4:fa:6c:20 > 00:c0:9f:46:ec:c7, ethertype IPv4 (0x0800), length 1366: IP (tos 0x8, ttl 61, id 24742, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x0e0dffaa,seq=0x41)
> >>> 1129985379.081741 00:c0:9f:46:ec:c7 > 00:13:c4:fa:6c:20, ethertype IPv4 (0x0800), length 142: IP (tos 0x8, ttl 64, id 9390, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x029a41b4,seq=0x31)
> >>> 1129985379.087562 00:13:c4:fa:6c:20 > 00:c0:9f:46:ec:c7, ethertype IPv4 (0x0800), length 1366: IP (tos 0x8, ttl 61, id 48065, offset 0, flags [none], length: 1352) E.F.G.H > A.B.C.D: ESP(spi=0x0e0dffaa,seq=0x42)
> >>> 1129985379.186945 00:c0:9f:46:ec:c7 > 00:13:c4:fa:6c:20, ethertype IPv4 (0x0800), length 142: IP (tos 0x8, ttl 64, id 36315, offset 0, flags [none], length: 128) A.B.C.D > E.F.G.H: ESP(spi=0x029a41b4,seq=0x32)
> >>
> >> If I'm not misled, this also doesn't show any errors except the
> >> missing ack's. host B just stops sending. If there's an ack missing,
> >> doesn't the sending host have to just repeat the un-ack'ed packet?
> >>
> >> The IPSec tunnel does not die. Even shortly after the (scp) transfer
> >> stalls the tunnel itself is still usable (for small amounts of data). To
> >> make it worse, when disabling pf at the sender's side, the transfer
> >> works. I've triple checked pflog for denied packets on both sides but
> >> pf didn't filter any packets out.
> >>
> >> When disabling the IPSec rules using `setkey -F; setkey -FP' on the
> >> tunnel for a moment, the scp transfer does not stall. So it's not a gif
> >> issue.
> >>
> >> It doesn't seem to be an MTU issue (pf has also the rule 'scrub in/out
> >> all no-df'), but what kind of issue is that?? Has anybody ever
> >> experienced similar things? Or am I misinterpreting the tcpdump output?
> >>
> >>
> >> Any help and hint is appreciated! Without an error message I'm lost.
> >>
> >> Volker

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
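
Added example, not part of the original thread and not FreeBSD or tcpdump code: TCP acknowledgements are cumulative, so a data segment with no ACK of its own is still acknowledged once a higher ACK number arrives. The parser below applies that rule to tcpdump text records of the kind quoted above; the function names are illustrative, and the sample records are abridged from the tail of the gif1 capture in the message.

```python
import re

# One tcpdump text record, reduced to the fields the ACK analysis needs:
#   SRC > DST: FLAGS [tcp sum ok] FIRST:LAST(LEN) ack N
RECORD = re.compile(
    r"(?P<src>\S+) > (?P<dst>\S+): \S+ (?:\[tcp sum ok\] )?"
    r"(?P<first>\d+):(?P<last>\d+)\((?P<length>\d+)\) ack (?P<ack>\d+)"
)

# Abridged from the gif1 capture quoted in the message: the IP header part
# and the damaged TCP option residue are dropped, record order is unchanged.
DATA = "10.128.6.1.22 > 10.128.1.6.53160: . {}:{}(1228) ack 1330 win 33156"
ACK = ("10.128.1.6.53160 > 10.128.6.1.22: . [tcp sum ok] "
       "1330:1330(0) ack {} win {}")
SAMPLE = [
    DATA.format(59828, 61056),
    DATA.format(61056, 62284),
    DATA.format(62284, 63512),
    ACK.format(53688, 33156),
    DATA.format(63512, 64740),
    ACK.format(56144, 32542),
    DATA.format(64740, 65968),
    ACK.format(57372, 33156),
    ACK.format(59828, 32542),
    ACK.format(61056, 33156),
    ACK.format(63512, 32542),
    ACK.format(64740, 33156),
    ACK.format(65968, 33156),
]


def parse(lines):
    """Yield (src, dst, first, last, length, ack) for every TCP record."""
    for line in lines:
        m = RECORD.search(line)
        if m is None:
            continue  # ESP records, blank lines, wrapped fragments
        yield (m["src"], m["dst"], int(m["first"]), int(m["last"]),
               int(m["length"]), int(m["ack"]))


def ack_coverage(lines, sender):
    """Sort the sender's data segments by how the peer acknowledged them.

    exact      - an ACK carries exactly the segment's end sequence number
    cumulative - no such ACK, but a higher ACK number covers the segment
    unacked    - the segment ends beyond the highest ACK in the capture

    Assumes tcpdump's relative sequence numbers and no 32-bit wraparound
    inside the capture.
    """
    segments, acks = [], set()
    for src, dst, first, last, length, ack in parse(lines):
        if src == sender and length > 0:
            segments.append((first, last))
        elif dst == sender:
            acks.add(ack)
    highest = max(acks, default=0)
    report = {"exact": [], "cumulative": [], "unacked": []}
    for first, last in segments:
        if last in acks:
            report["exact"].append((first, last))
        elif last <= highest:
            report["cumulative"].append((first, last))
        else:
            report["unacked"].append((first, last))
    return report


if __name__ == "__main__":
    for kind, ranges in ack_coverage(SAMPLE, "10.128.6.1.22").items():
        print(kind, ranges)
```

Run against a full capture saved with one record per line, the `unacked` list is the part that points at data the receiver never confirmed.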