Below are tcpdumps from the eth1 and then the ipsec0 interfaces. Any help in making some sense would be great. Let me know if other options, tests, etc. would be more useful. If it gets too wrapped in e-mail I can make it available on the web.
Thanks.
- Todd

User on the local end makes an FTP connection to a remote server. These dumps include the user performing an 'ls' on a small directory and then a 'get' for a file. The get hangs and eventually times out.

# tcpdump -n -i eth1 net 172.30.85.0 mask 255.255.255.0
tcpdump: listening on eth1
15:13:02.074186 192.168.5.13.4426 > 172.30.85.100.21: P 2956246103:2956246129(26) ack 3802495246 win 63620 (DF)
15:13:02.124191 172.30.85.100.21 > 192.168.5.13.4426: P 1:31(30) ack 26 win 8097 (DF) [tos 0x10]
15:13:02.125986 192.168.5.13.4426 > 172.30.85.100.21: P 26:32(6) ack 31 win 63590 (DF)
15:13:02.173530 172.30.85.100.21 > 192.168.5.13.4426: P 31:86(55) ack 32 win 8091 (DF) [tos 0x10]
15:13:02.174757 172.30.85.100.20 > 192.168.5.13.4455: S 3935752456:3935752456(0) win 8192 <mss 1460> (DF) [tos 0x8]
15:13:02.175289 192.168.5.13.4455 > 172.30.85.100.20: S 3101694541:3101694541(0) ack 3935752457 win 64240 <mss 1460> (DF)
15:13:02.220662 172.30.85.100.20 > 192.168.5.13.4455: . ack 1 win 8760 (DF) [tos 0x8]
15:13:02.226166 172.30.85.100.20 > 192.168.5.13.4455: P 1:198(197) ack 1 win 8760 (DF) [tos 0x8]
15:13:02.227301 172.30.85.100.20 > 192.168.5.13.4455: F 198:198(0) ack 1 win 8760 (DF) [tos 0x8]
15:13:02.227845 192.168.5.13.4455 > 172.30.85.100.20: . ack 199 win 64043 (DF)
15:13:02.228102 192.168.5.13.4455 > 172.30.85.100.20: F 1:1(0) ack 199 win 64043 (DF)
15:13:02.278985 172.30.85.100.20 > 192.168.5.13.4455: . ack 2 win 8760 (DF) [tos 0x8]
15:13:02.363486 192.168.5.13.4426 > 172.30.85.100.21: . ack 86 win 63535 (DF)
15:13:02.411919 172.30.85.100.21 > 192.168.5.13.4426: P 86:110(24) ack 32 win 8091 (DF) [tos 0x10]
15:13:02.564014 192.168.5.13.4426 > 172.30.85.100.21: . ack 110 win 63511 (DF)
<<<< Started
15:13:05.649139 192.168.5.13.4426 > 172.30.85.100.21: P 32:58(26) ack 110 win 63511 (DF)
15:13:05.698309 172.30.85.100.21 > 192.168.5.13.4426: P 110:140(30) ack 58 win 8065 (DF) [tos 0x10]
15:13:05.700220 192.168.5.13.4426 > 172.30.85.100.21: P 58:85(27) ack 140 win 63481 (DF)
15:13:05.753633 172.30.85.100.21 > 192.168.5.13.4426: P 140:222(82) ack 85 win 8038 (DF) [tos 0x10]
15:13:05.754897 172.30.85.100.20 > 192.168.5.13.4456: S 3936638977:3936638977(0) win 8192 <mss 1460> (DF) [tos 0x8]
15:13:05.755417 192.168.5.13.4456 > 172.30.85.100.20: S 3102618198:3102618198(0) ack 3936638978 win 64240 <mss 1460> (DF)
15:13:05.775398 192.168.5.13.4426 > 172.30.85.100.21: . ack 222 win 63399 (DF)
15:13:05.802418 172.30.85.100.20 > 192.168.5.13.4456: . ack 1 win 8760 (DF) [tos 0x8]

# tcpdump -n -i ipsec0
tcpdump: listening on ipsec0
15:13:42.267262 192.168.5.13.4426 > 172.30.85.100.21: P 2956246198:2956246224(26) ack 3802495539 win 63327 (DF) [tos 0x10]
15:13:42.314472 65.120.71.240 > 69.0.0.90: 65.81.136.33 > 69.16.0.70: (frag 12804:4294967276@1288+) [tos 0x24] (ipip)
15:13:42.317751 192.168.5.13.4426 > 172.30.85.100.21: P 26:32(6) ack 31 win 63297 (DF) [tos 0x10]
15:13:42.363794 65.120.71.240 > 69.0.0.115: 65.81.136.33 > 69.16.0.95: (frag 12804:4294967236@46128) [tos 0x26,ECT] (ipip)
15:13:42.364713 65.120.71.240 > 69.0.0.64: 65.81.136.33 > 69.8.0.44: (frag 12804:4294967264@27904+) [tos 0x40] (ipip)
15:13:42.367335 192.168.5.13.4458 > 172.30.85.100.20: S 3111798723:3111798723(0) ack 3945068591 win 64240 <mss 1460> (DF) [tos 0x8]
15:13:42.411530 65.120.71.240 > 69.0.0.60: 65.81.136.33 > 69.8.0.40: (frag 12804:4294967260@58880+) [tos 0x23,ECT,CE] (ipip)
15:13:42.416740 65.120.71.240 > 69.0.1.1: 65.81.136.33 > 69.8.0.237: (frag 12804:4294967276@64904+) [tos 0x6d] (ipip)
15:13:42.417202 65.120.71.240 > 69.0.0.60: 65.81.136.33 > 69.8.0.40: (frag 12804:4294967292@42040+) [tos 0x5d] (ipip)
15:13:42.420616 192.168.5.13.4458 > 172.30.85.100.20: . ack 199 win 64043 (DF) [tos 0x8]
15:13:42.421869 192.168.5.13.4458 > 172.30.85.100.20: F 1:1(0) ack 199 win 64043 (DF) [tos 0x8]
15:13:42.470904 65.120.71.240 > 69.0.0.60: 65.81.136.33 > 69.8.0.40: (frag 12804:4294967248@20024+) [tos 0x1d] (ipip)
15:13:42.504877 192.168.5.13.4426 > 172.30.85.100.21: . ack 86 win 63242 (DF) [tos 0x10]
15:13:42.550281 65.120.71.240 > 69.0.0.84: 65.81.136.33 > 69.16.0.64: (frag 12804:4294967256@23448+) [tos 0x59] (ipip)
15:13:42.705588 192.168.5.13.4426 > 172.30.85.100.21: . ack 110 win 63218 (DF) [tos 0x10]
15:13:45.116832 192.168.5.13.4426 > 172.30.85.100.21: P 32:58(26) ack 110 win 63218 (DF) [tos 0x10]
15:13:45.215011 65.120.71.240 > 69.0.0.90: 65.81.136.33 > 69.16.0.70: (frag 12804:4294967244@17136+) [tos 0x67,ECT,CE] (ipip)
15:13:45.218377 192.168.5.13.4426 > 172.30.85.100.21: P 58:85(27) ack 140 win 63188 (DF) [tos 0x10]
15:13:45.270053 65.120.71.240 > 69.0.0.142: 65.81.136.33 > 69.16.0.122: (frag 12804:4294967260@58032) [tos 0x3c] (ipip)
15:13:45.270918 65.120.71.240 > 69.0.0.64: 65.81.136.33 > 69.8.0.44: (frag 12804:4294967260@25792) [tos 0x47,ECT,CE] (ipip)
15:13:45.273637 192.168.5.13.4459 > 172.30.85.100.20: S 3112558616:3112558616(0) ack 3945766073 win 64240 <mss 1460> (DF) [tos 0x8]
15:13:45.318952 65.120.71.240 > 69.0.0.60: 65.81.136.33 > 69.8.0.40: (frag 12804:4294967248@53000) [tos 0x2,ECT] (ipip)
15:13:45.415165 192.168.5.13.4426 > 172.30.85.100.21: . ack 222 win 63106 (DF) [tos 0x10]
15:14:45.351067 192.168.5.13.4459 > 172.30.85.100.20: F 1:1(0) ack 1 win 64240 (DF) [tos 0x8]
15:14:45.396465 65.120.71.240 > 69.0.0.60: 65.81.136.33 > 69.8.0.40: (frag 12804:4294967280@3192) [tos 0x54] (ipip)
15:14:54.111273 192.168.5.100.445 > 172.30.85.10.1619: . 2844521150:2844521151(1) ack 3185124147 win 63546 (DF)
15:14:54.157170 65.120.71.240 > 69.0.0.60: 65.81.136.33 > 69.0.0.40: (frag 12804:4294967252@21368+) [tos 0x74] (ipip)