Hi,

I have a VPN running which, for this problem, looks roughly like this:

    net-West - West ----- East - net-East
                |
                +------- South - net-South

"West" is the central site, and "East" and "South" are quite similarly configured branch offices. Esp. regarding the packet filter configuration on "West", both sites are configured symmetrically. Traffic between (West, East) and (West, South) is permitted to flow freely in both directions. "West", "East" and "South" are OpenBSD-based firewalls. "East" has a default route to "West", but "South" has only a route to "net-West".

Now the problem: "ping" with oversized packets (I see 1548 bytes with tcpdump, and the user set a packet size of slightly more than 1500 bytes) from "net-West" to "net-East" works fine, all the time, while the same command from "net-West" to "net-South" does not work most of the time, with success rates varying between zero and three packets returning, out of four. At "South", the packets which arrive are only 1528 bytes long, so I've lost some 20 bytes on the road.

Running tcpdump on the internal LAN interface and on enc0 of "West" shows that not all of the packets which enter the LAN interface, and which are destined for net-South, even enter the enc0 interface. Conclusion: packets are lost within the firewall (but I can't see anything on pflog0 either).

"West" is two machines: one runs OpenBSD 4.3 amd64, with the GENERIC.MP kernel, and the other runs OpenBSD 4.4 i386, with the GENERIC.MP kernel (fully patched).

Any ideas about how to better debug such a problem are very much appreciated!

Kind regards,
--Toni++
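One way to make the LAN-versus-enc0 comparison the post describes systematic, as an added example that is not code from the original message: parse both tcpdump captures, group the fragments of each IPv4 datagram by (source, destination, IP ID), and list every datagram to net-South that entered the LAN interface but never (or only partially) showed up on enc0. The capture lines, the addresses (192.168.1.0/24 for net-West, 192.168.3.0/24 for net-South) and the IP IDs below are constructed; the line layout imitates `tcpdump -nv` output from a current libpcap tcpdump and is not the exact format of the OpenBSD 4.x tcpdump, so `HEADER_RE` is the part to adapt to the output actually in use.

```python
"""Correlate a LAN-side and an enc0 tcpdump capture to find datagrams
that enter the firewall but never reach the IPsec side.

Added example, not code from the original post.  Sample lines are
CONSTRUCTED in the style of `tcpdump -nv` (IP header summary in
parentheses, fragment offsets in bytes); adjust HEADER_RE for the
tcpdump version actually in use.
"""
import ipaddress
import re
from collections import defaultdict

# IP header summary as printed by `tcpdump -nv`.  re.search (not match) is
# used so that text preceding "IP (" -- e.g. the SPI prefix tcpdump prints
# for packets seen on enc0 -- does not break the match.
HEADER_RE = re.compile(
    r"IP \(id (?P<ipid>\d+), offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\],"
    r" proto \w+ \((?P<proto>\d+)\), length (?P<len>\d+)\)"
    r" (?P<src>[\d.]+) > (?P<dst>[\d.]+):"
)

IP_HDR_LEN = 20  # assumption: no IP options on any fragment


def parse_capture(lines, dst_net):
    """Group fragments of datagrams destined for dst_net.

    Returns {(src, dst, ipid): {offset: total_length}}; a dict per
    datagram collapses duplicate lines and lets a partially forwarded
    datagram (missing tail fragment) be distinguished from a lost one.
    """
    net = ipaddress.ip_network(dst_net)
    frags = defaultdict(dict)
    for line in lines:
        m = HEADER_RE.search(line)
        if not m:
            continue  # ARP, ESP wrapper lines, other noise
        if ipaddress.ip_address(m["dst"]) not in net:
            continue
        key = (m["src"], m["dst"], int(m["ipid"]))
        frags[key][int(m["off"])] = int(m["len"])
    return frags


def datagram_length(fragments):
    """Size of the original datagram implied by its fragments: highest
    offset plus that fragment's payload, plus one IP header."""
    return IP_HDR_LEN + max(off + (ln - IP_HDR_LEN) for off, ln in fragments.items())


def compare_captures(lan_lines, enc_lines, dst_net):
    """Classify each LAN-side datagram as fully on enc0, partially, or absent."""
    lan = parse_capture(lan_lines, dst_net)
    enc = parse_capture(enc_lines, dst_net)
    report = {"ok": [], "partial": {}, "missing": []}
    for key, lan_frags in sorted(lan.items()):
        enc_frags = enc.get(key)
        if not enc_frags:
            report["missing"].append(key)
        elif set(enc_frags) != set(lan_frags):
            report["partial"][key] = (len(lan_frags), len(enc_frags))
        else:
            report["ok"].append(key)
    return report


# Constructed sample: four echo requests of 1534 bytes (ping -s 1506), each
# fragmented into a 1500-byte and a 54-byte piece, as seen on the LAN side...
_REQ = "192.168.1.10 > 192.168.3.10: ICMP echo request, id 4321, seq {seq}, length 1480"
_TAIL = "192.168.1.10 > 192.168.3.10: ip-proto-1"
_HEAD = "IP (id {ipid}, offset 0, flags [+], proto ICMP (1), length 1500) "
_REST = "IP (id {ipid}, offset 1480, flags [none], proto ICMP (1), length 54) "
LAN_CAPTURE = []
for seq in range(1, 5):
    LAN_CAPTURE.append(f"10:00:0{seq}.000100 " + _HEAD.format(ipid=40000 + seq) + _REQ.format(seq=seq))
    LAN_CAPTURE.append(f"10:00:0{seq}.000110 " + _REST.format(ipid=40000 + seq) + _TAIL)

# ...and on enc0, where seq 2 never appears and seq 3 lost its tail fragment.
_SPI = "(authentic,confidential): SPI 0x0000abcd: "
ENC_CAPTURE = [
    "10:00:01.000300 " + _SPI + _HEAD.format(ipid=40001) + _REQ.format(seq=1),
    "10:00:01.000310 " + _SPI + _REST.format(ipid=40001) + _TAIL,
    "10:00:03.000300 " + _SPI + _HEAD.format(ipid=40003) + _REQ.format(seq=3),
    "10:00:04.000300 " + _SPI + _HEAD.format(ipid=40004) + _REQ.format(seq=4),
    "10:00:04.000310 " + _SPI + _REST.format(ipid=40004) + _TAIL,
]

if __name__ == "__main__":
    result = compare_captures(LAN_CAPTURE, ENC_CAPTURE, "192.168.3.0/24")
    for key in result["missing"]:
        print("never reached enc0:", key)
    for key, (n_lan, n_enc) in result["partial"].items():
        print(f"partial on enc0 ({n_enc}/{n_lan} fragments):", key)
    for key, frags in parse_capture(LAN_CAPTURE, "192.168.3.0/24").items():
        print("LAN datagram", key, "reassembles to", datagram_length(frags), "bytes")
```

Feeding real captures means `tcpdump -nv -i <lan> > lan.txt` and `tcpdump -nv -i enc0 > enc0.txt` taken over the same pings, then `compare_captures(open("lan.txt"), open("enc0.txt"), "<net-South>")`. Keying on the IP ID rather than the ICMP sequence number is deliberate: only the first fragment carries the ICMP header, so the sequence number cannot tell a datagram whose second fragment was dropped from one that went through whole, and a firewall that drops or fails to reassemble a tail fragment is exactly the kind of loss the post is chasing. `datagram_length` also makes the size arithmetic explicit, so the 1548-on-wire versus 1528-at-arrival observation can be checked against what the fragments on each interface actually add up to.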