Thanks for the quick response.

I am not doing any asymmetric routing.  We only have one provider link in each 
location, and the internal boxes that have VPN-only access are looking at 
pfSense for the default gateway.

I should have mentioned previously that I played with the MTU with no positive 
result.

Also worth mentioning is that when I do a reboot on the firewall, I have to go open 
a rule on each tab and save it, then apply. After I perform this on each 
interface I have, the firewall log stops logging the dropped packets and the 
routing ALMOST returns to normal between internal networks.  There are still 
some hosts that are not able to be reached.

I have not made any changes, but rather did reboots about the same time for one 
location and the pfsense firewall and it appears that location came up <?>  
However, the 2nd location is still having issues pulling web pages from internal 
servers over the VPN tunnel.  As I stated earlier (this still holds true), I 
can still port scan from remote to inside pfSense and show the ports open, ICMP 
works and I can pull up the remote locations' firewalls via HTTP and HTTPS, 
however nothing from the remote site to inside pfSense is working.

Is there any debugging I can turn on from pfsense in ssh to gather more info to 
troubleshoot this more effectively?

Thank you,

-----Original Message-----
From: Chris Buechler [mailto:cbuech...@gmail.com] 
Sent: Thursday, August 12, 2010 2:38 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] FW: Issues after update to 1.2.3-RELEASE

On Thu, Aug 12, 2010 at 2:17 PM, Austin G. Smith <asm...@neweffectit.com> wrote:
>
>
> I just performed an update on a 1.2.0-RELEASE-FULL firewall last night.
>
>
>
> Today we started having issues with traffic being denied from IPSEC VPN
> sites outside of the internal pfsense networks.  However, traffic is passing
> fine from inside pfsense to the external IPSEC VPN sites.  I can port scan
> from a remote site to inside pfsense and show open ports, however nothing
> can sustain a connection to the remote site.
>

Couple possibilities, one somehow you have a PMTUD black hole now that
wasn't there before, try changing your WAN MTU to 1400 and see if that
changes anything. Second possibility, filtering is stricter on TCP
flags in 1.2.3 than in 1.2, if you have asymmetric routing you're
going to have problems now where you may not have before.

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
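
The PMTUD black-hole possibility raised in the reply above can be checked from a shell by sending Don't Fragment pings of varying size and searching for the largest one that gets through; the script below is an added example, not part of the original thread or of pfSense. It assumes FreeBSD `ping` flags in `probe_ping`, and `probe_ping`, `probe_sim`, `find_path_mtu`, `mss_for_mtu` and `SIM_PATH_MTU` are names invented here.

```shell
#!/bin/sh
# Added example: binary-search the largest IP packet that crosses a path
# without fragmentation, using ICMP echo with the Don't Fragment bit set.

# Real probe. Assumes FreeBSD ping (as on a pfSense shell): -D sets DF,
# -c 1 sends one packet, -t 2 gives up after two seconds, -s is payload bytes.
probe_ping() {            # $1 = host, $2 = ICMP payload bytes
    ping -D -c 1 -t 2 -s "$2" "$1" >/dev/null 2>&1
}

# Constructed stand-in for offline runs: behaves like a path whose MTU is
# SIM_PATH_MTU and which drops oversized DF packets silently (the black hole).
probe_sim() {             # $1 = host (ignored), $2 = ICMP payload bytes
    [ $(( $2 + 28 )) -le "${SIM_PATH_MTU:-1500}" ]
}

# find_path_mtu PROBE HOST [LOW_MTU] [HIGH_MTU]
# Prints the largest MTU in [LOW_MTU, HIGH_MTU] that PROBE accepts.
# Returns 1 if even LOW_MTU fails (host unreachable or ICMP filtered).
# 28 = 20-byte IPv4 header + 8-byte ICMP header around the payload.
find_path_mtu() {
    probe=$1
    host=$2
    lo=$(( ${3:-576} - 28 ))
    hi=$(( ${4:-1500} - 28 ))
    "$probe" "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$host" "$mid"; then
            lo=$mid               # mid fits, search above it
        else
            hi=$(( mid - 1 ))     # mid is dropped, search below it
        fi
    done
    echo $(( lo + 28 ))
}

# mss_for_mtu MTU
# Largest TCP segment payload for that MTU (20-byte IPv4 + 20-byte TCP header).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}
```

On the firewall, `find_path_mtu probe_ping <remote host>` reports the largest MTU that crosses the path unfragmented. A result below the configured interface MTU, while small pings and port scans still succeed, is consistent with a PMTUD black hole.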

