Date: Tue, 26 Jul 2011 06:53:59 -0500
From: Paul Keusemann <pkeusem@visi.com>
To: Gary Palmer <gpalmer@freebsd.org>
Cc: freebsd-net@freebsd.org
Subject: Re: Debugging dropped shell connections over a VPN
Message-ID: <4E2EAAD7.6040906@visi.com>
In-Reply-To: <20110720201502.GA37199@in-addr.com>
References: <4E159C5A.5090702@visi.com> <13D65A4C-F874-4970-A070-AA0392416680@mac.com> <4E1C9FEA.2080608@visi.com> <20110720201502.GA37199@in-addr.com>

Again, sorry for the sluggish response.

On 07/20/11 15:15, Gary Palmer wrote:
> On Tue, Jul 12, 2011 at 02:26:34PM -0500, Paul Keusemann wrote:
>> On 07/07/11 14:39, Chuck Swiger wrote:
>>> On Jul 7, 2011, at 4:45 AM, Paul Keusemann wrote:
>>>> My setup is something like this:
>>>> - My local network is a mix of AIX, HP-UX, Linux, FreeBSD and Solaris
>>>> machines running various OS versions.
>>>> - My gateway / firewall machine is running FreeBSD-8.1-RELEASE-p1 with
>>>> ipfw, nat and racoon for the firewall and VPN.
>>>>
>>>> The problem is that rlogin, ssh and telnet connections over the VPN get
>>>> dropped after some period of inactivity.
>>> You're probably getting NAT timeouts against the VPN connection if it is
>>> left idle. racoon ought to have a config setting called natt_keepalive
>>> which sends periodic keepalives-- see whether that's disabled.
>>>
>>> Regards,
>> Thanks for the suggestions Chuck, sorry it's taken so long to respond
>> but I had to reconfigure and rebuild my kernel to enable IPSEC_NAT_T in
>> order to try this out.
>>
>> One thing that I did not explicitly mention before is that I am routing
>> a network over the VPN.
> Hi Paul,
>
> Even if you are not being NAT'd on the VPN there may be a firewall (or
> other active network component like a load balancer) with an
> overflowing state table somewhere at the remote end. We see this
> frequently where I work with customer networks and the firewall/VPN/network
> admin denies that it's a time out issue so there is likely some device in
> the network that has a state table and if the connection is idle for a
> few minutes it gets dropped.

Hmmm, this seems likely. Have you had any luck in finding the culprit and resolving the problem?

> Regards,
>
> Gary
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>

--
Paul Keusemann             pkeusem@visi.com
4266 Joppa Court           (952) 894-7805
Savage, MN 55378