Bad ping sequence when connected through vpn

franzli
OpenVpn Newbie
Posts: 1
Joined: Thu Dec 18, 2014 5:36 pm

Post by franzli » Thu Dec 18, 2014 5:57 pm

Hi,
I am suffering from a little (very big...) problem. I have a router running Tomato Shibby in Location 1, and two other routers also running Tomato Shibby in Location 2 and Location 3.

Location 1 is configured to use TAP, use encryption and disable compression.
Location 2 connects to Location 1 and pings fine.
Location 3 connects to Location 1 and pings are all messed up.
When I ping Location 1 directly (no VPN) from Location 2, everything is perfect.

Please help me as I don't know anymore what to do.
Thanks,
Franc


You can see the ping results here from Location 3 to Location 1:
64 bytes from 192.168.1.1: icmp_seq=779 ttl=64 time=45329.442 ms
64 bytes from 192.168.1.1: icmp_seq=781 ttl=64 time=43743.148 ms
64 bytes from 192.168.1.1: icmp_seq=819 ttl=64 time=6445.183 ms
64 bytes from 192.168.1.1: icmp_seq=820 ttl=64 time=5851.499 ms
64 bytes from 192.168.1.1: icmp_seq=784 ttl=64 time=46122.360 ms
64 bytes from 192.168.1.1: icmp_seq=825 ttl=64 time=5135.133 ms
64 bytes from 192.168.1.1: icmp_seq=821 ttl=64 time=11862.873 ms
64 bytes from 192.168.1.1: icmp_seq=822 ttl=64 time=11122.574 ms
64 bytes from 192.168.1.1: icmp_seq=794 ttl=64 time=40843.639 ms
64 bytes from 192.168.1.1: icmp_seq=743 ttl=64 time=92494.627 ms
64 bytes from 192.168.1.1: icmp_seq=823 ttl=64 time=15339.680 ms
64 bytes from 192.168.1.1: icmp_seq=835 ttl=64 time=5012.233 ms
64 bytes from 192.168.1.1: icmp_seq=836 ttl=64 time=4556.367 ms
64 bytes from 192.168.1.1: icmp_seq=795 ttl=64 time=47011.706 ms
64 bytes from 192.168.1.1: icmp_seq=796 ttl=64 time=46511.135 ms
64 bytes from 192.168.1.1: icmp_seq=837 ttl=64 time=9696.090 ms
64 bytes from 192.168.1.1: icmp_seq=824 ttl=64 time=24474.142 ms
Request timeout for icmp_seq 849
64 bytes from 192.168.1.1: icmp_seq=840 ttl=64 time=10581.096 ms
Request timeout for icmp_seq 851
64 bytes from 192.168.1.1: icmp_seq=826 ttl=64 time=26163.760 ms
64 bytes from 192.168.1.1: icmp_seq=827 ttl=64 time=25748.635 ms
Request timeout for icmp_seq 854

This is the ping from Location 2 to Location 1:
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=19.767 ms
64 bytes from 192.168.1.1: seq=1 ttl=64 time=19.077 ms
64 bytes from 192.168.1.1: seq=2 ttl=64 time=19.908 ms
64 bytes from 192.168.1.1: seq=3 ttl=64 time=20.753 ms
64 bytes from 192.168.1.1: seq=4 ttl=64 time=19.012 ms
64 bytes from 192.168.1.1: seq=5 ttl=64 time=20.376 ms

--- 192.168.1.1 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 19.012/19.815/20.753 ms

And here is the ping to the router, from Location 3 to Location 1:
PING franzli.xxxx.xx (77.xx.xx.213): 56 data bytes
64 bytes from 77.xx.xx.213: icmp_seq=0 ttl=58 time=17.782 ms
64 bytes from 77.xx.xx.213: icmp_seq=1 ttl=58 time=17.768 ms
64 bytes from 77.xx.xx.213: icmp_seq=2 ttl=58 time=23.515 ms
64 bytes from 77.xx.xx.213: icmp_seq=3 ttl=58 time=17.445 ms
64 bytes from 77.xx.xx.213: icmp_seq=4 ttl=58 time=19.642 ms
64 bytes from 77.xx.xx.213: icmp_seq=5 ttl=58 time=21.339 ms
64 bytes from 77.xx.xx.213: icmp_seq=6 ttl=58 time=20.922 ms
64 bytes from 77.xx.xx.213: icmp_seq=7 ttl=58 time=21.326 ms
^C
--- franzli.xxxx.xx ping statistics ---
8 packets transmitted, 8 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 17.445/19.967/23.515/2.040 ms


This is what happens on Location 1:
Dec 18 18:28:28 franc-ac68u daemon.err openvpn[7824]: hergiswil/77.xx.xx.37:14180 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #228 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings


This is happening during the connection on Location 1:
Dec 18 18:47:11 franc-ac68u daemon.notice openvpn[7824]: 77.xx.xx.37:28068 TLS: Initial packet from [AF_INET]77.xx.xx.37:28068, sid=57300c38 be3005f0
Dec 18 18:47:17 franc-ac68u daemon.notice openvpn[7824]: 77.xx.xx.37:28068 VERIFY OK: xxxxxx
Dec 18 18:47:17 franc-ac68u daemon.notice openvpn[7824]: 77.xx.xx.37:28068 VERIFY OK: xxxxxx
Dec 18 18:47:18 franc-ac68u daemon.notice openvpn[7824]: 77.xx.xx.37:28068 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Dec 18 18:47:18 franc-ac68u daemon.notice openvpn[7824]: 77.xx.xx.37:28068 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 18 18:47:18 franc-ac68u daemon.notice openvpn[7824]: 77.xx.xx.37:28068 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Dec 18 18:47:18 franc-ac68u daemon.notice openvpn[7824]: 77.xx.xx.37:28068 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 18 18:47:18 franc-ac68u daemon.notice openvpn[7824]: 77.xx.xx.37:28068 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Dec 18 18:47:18 franc-ac68u daemon.notice openvpn[7824]: 77.xx.xx.37:28068 [hergiswil] Peer Connection Initiated with [AF_INET]77.58.xx.xx:28068
Dec 18 18:47:18 franc-ac68u daemon.notice openvpn[7824]: MULTI: new connection by client 'hergiswil' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Dec 18 18:47:18 franc-ac68u daemon.notice openvpn[7824]: MULTI_sva: pool returned IPv4=192.168.1.151, IPv6=(Not enabled)
Dec 18 18:47:19 franc-ac68u daemon.notice openvpn[7824]: hergiswil/77.xx.xx.37:28068 PUSH: Received control message: 'PUSH_REQUEST'
Dec 18 18:47:19 franc-ac68u daemon.notice openvpn[7824]: hergiswil/77.xx.xx.37:28068 send_push_reply(): safe_cap=940
Dec 18 18:47:19 franc-ac68u daemon.notice openvpn[7824]: hergiswil/77.xx.xx.37:28068 SENT CONTROL [hergiswil]: 'PUSH_REPLY,route-gateway 192.168.1.1,ping 15,ping-restart 60,ifconfig 192.168.1.151 255.255.255.0' (status=1)
Dec 18 18:47:19 franc-ac68u daemon.notice openvpn[7824]: hergiswil/77.xx.xx.37:28068 MULTI: Learn: bc:8c:cd:8a:65:85 -> hergiswil/77.xx.xx.37:28068
Dec 18 18:47:22 franc-ac68u daemon.notice openvpn[7824]: hergiswil/77.xx.xx.37:28068 MULTI: Learn: e0:3f:49:07:47:18 -> hergiswil/77.xx.xx.37:28068
Dec 18 18:47:27 franc-ac68u daemon.notice openvpn[7824]: hergiswil/77.xx.xx.37:28068 MULTI: Learn: 90:27:e4:f2:c7:1d -> hergiswil/77.xx.xx.37:28068


This is the log when starting up at Location 3:
Dec 18 18:47:09 hergiswil-ac66 daemon.notice openvpn[21733]: OpenVPN 2.3.4 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 15 2014
Dec 18 18:47:09 hergiswil-ac66 daemon.notice openvpn[21733]: library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.06
Dec 18 18:47:09 hergiswil-ac66 daemon.warn openvpn[21733]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Dec 18 18:47:09 hergiswil-ac66 daemon.notice openvpn[21733]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Dec 18 18:47:09 hergiswil-ac66 daemon.notice openvpn[21740]: UDPv4 link local: [undef]
Dec 18 18:47:09 hergiswil-ac66 daemon.notice openvpn[21740]: UDPv4 link remote: [AF_INET]77.xx.xx.213:1120
Dec 18 18:47:11 hergiswil-ac66 daemon.notice openvpn[21740]: TLS: Initial packet from [AF_INET]77.xx.xx.213:1120, sid=8ff0c596 fcb2a8cf
Dec 18 18:47:13 hergiswil-ac66 daemon.err openvpn[21740]: event_wait : Interrupted system call (code=4)
Dec 18 18:47:13 hergiswil-ac66 daemon.notice openvpn[21740]: OpenVPN STATISTICS
Dec 18 18:47:13 hergiswil-ac66 daemon.notice openvpn[21740]: Updated,Thu Dec 18 18:47:13 2014
Dec 18 18:47:13 hergiswil-ac66 daemon.notice openvpn[21740]: TUN/TAP read bytes,0
Dec 18 18:47:13 hergiswil-ac66 daemon.notice openvpn[21740]: TUN/TAP write bytes,0
Dec 18 18:47:13 hergiswil-ac66 daemon.notice openvpn[21740]: TCP/UDP read bytes,62
Dec 18 18:47:13 hergiswil-ac66 daemon.notice openvpn[21740]: TCP/UDP write bytes,383
Dec 18 18:47:13 hergiswil-ac66 daemon.notice openvpn[21740]: Auth read bytes,0
Dec 18 18:47:13 hergiswil-ac66 daemon.notice openvpn[21740]: END
Dec 18 18:47:15 hergiswil-ac66 daemon.notice openvpn[21740]: VERIFY OK: xxxxx
name=Francesco Rossi, emailAddress=icilio.rossi@gmail.com
Dec 18 18:47:15 hergiswil-ac66 daemon.notice openvpn[21740]: VERIFY OK: xxxxx
Dec 18 18:47:18 hergiswil-ac66 daemon.notice openvpn[21740]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Dec 18 18:47:18 hergiswil-ac66 daemon.notice openvpn[21740]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 18 18:47:18 hergiswil-ac66 daemon.notice openvpn[21740]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Dec 18 18:47:18 hergiswil-ac66 daemon.notice openvpn[21740]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 18 18:47:18 hergiswil-ac66 daemon.notice openvpn[21740]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Dec 18 18:47:18 hergiswil-ac66 daemon.notice openvpn[21740]: [lugano01] Peer Connection Initiated with [AF_INET]77.xx.xx.213:1120
Dec 18 18:47:20 hergiswil-ac66 daemon.notice openvpn[21740]: SENT CONTROL [lugano01]: 'PUSH_REQUEST' (status=1)
Dec 18 18:47:20 hergiswil-ac66 daemon.notice openvpn[21740]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.1.1,ping 15,ping-restart 60,ifconfig 192.168.1.151 255.255.255.0'
Dec 18 18:47:20 hergiswil-ac66 daemon.notice openvpn[21740]: OPTIONS IMPORT: timers and/or timeouts modified
Dec 18 18:47:20 hergiswil-ac66 daemon.notice openvpn[21740]: OPTIONS IMPORT: --ifconfig/up options modified
Dec 18 18:47:20 hergiswil-ac66 daemon.notice openvpn[21740]: OPTIONS IMPORT: route-related options modified
Dec 18 18:47:20 hergiswil-ac66 daemon.notice openvpn[21740]: TUN/TAP device tap11 opened
Dec 18 18:47:20 hergiswil-ac66 daemon.notice openvpn[21740]: TUN/TAP TX queue length set to 100
Dec 18 18:47:20 hergiswil-ac66 daemon.notice openvpn[21740]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Dec 18 18:47:20 hergiswil-ac66 daemon.notice openvpn[21740]: /sbin/ifconfig tap11 192.168.1.151 netmask 255.255.255.0 mtu 1500 broadcast 192.168.1.255
Dec 18 18:47:20 hergiswil-ac66 daemon.notice openvpn[21740]: Initialization Sequence Completed
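
Added example, not part of the original thread: a Python sketch that measures the reordering in the Location 3 ping output above and compares each late reply with a sliding window of 64, the default size of OpenVPN's --replay-window, which is the check behind the "bad packet ID (may be a replay)" message. ICMP sequence numbers stand in for tunnel packet IDs, which is an assumption of this model; `reorder_report` and its field names are hypothetical.

```python
import re

# Constructed sample: first ten replies and one timeout from the post above.
SAMPLE = """\
64 bytes from 192.168.1.1: icmp_seq=779 ttl=64 time=45329.442 ms
64 bytes from 192.168.1.1: icmp_seq=781 ttl=64 time=43743.148 ms
64 bytes from 192.168.1.1: icmp_seq=819 ttl=64 time=6445.183 ms
64 bytes from 192.168.1.1: icmp_seq=820 ttl=64 time=5851.499 ms
64 bytes from 192.168.1.1: icmp_seq=784 ttl=64 time=46122.360 ms
64 bytes from 192.168.1.1: icmp_seq=825 ttl=64 time=5135.133 ms
64 bytes from 192.168.1.1: icmp_seq=821 ttl=64 time=11862.873 ms
64 bytes from 192.168.1.1: icmp_seq=822 ttl=64 time=11122.574 ms
64 bytes from 192.168.1.1: icmp_seq=794 ttl=64 time=40843.639 ms
64 bytes from 192.168.1.1: icmp_seq=743 ttl=64 time=92494.627 ms
Request timeout for icmp_seq 849
"""

# Matches both "icmp_seq=N" (BSD/macOS ping) and "seq=N" (BusyBox ping).
REPLY = re.compile(r"\b(?:icmp_)?seq=(\d+)\b.*\btime=([\d.]+) ms")
TIMEOUT = re.compile(r"Request timeout for icmp_seq (\d+)")

def reorder_report(text, window=64):
    """Summarise reordering; `window` models --replay-window n (default 64)."""
    highest, seen = -1, set()
    r = dict(replies=0, timeouts=0, late=0, duplicates=0,
             max_backtrack=0, outside_window=0, max_rtt_ms=0.0)
    for line in text.splitlines():
        r["timeouts"] += bool(TIMEOUT.search(line))  # True counts as 1
        m = REPLY.search(line)
        if not m:
            continue  # timeout, header, statistics or blank line
        seq, rtt = int(m.group(1)), float(m.group(2))
        r["replies"] += 1
        r["max_rtt_ms"] = max(r["max_rtt_ms"], rtt)
        if seq in seen:
            r["duplicates"] += 1
        elif seq < highest:  # arrived after a newer packet
            back = highest - seq
            r["late"] += 1
            r["max_backtrack"] = max(r["max_backtrack"], back)
            if back >= window:  # a window of this size would reject it
                r["outside_window"] += 1
        seen.add(seq)
        highest = max(highest, seq)
    return r

if __name__ == "__main__":
    print(reorder_report(SAMPLE))
```

Running the same function over the Location 2 output gives zero late replies, which is the baseline to compare against.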

maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Bad ping sequence when connected through vpn

Post by maikcat » Fri Dec 19, 2014 7:15 am

configs?

Michael.

MikeRobinson
OpenVPN User
Posts: 16
Joined: Fri Aug 03, 2018 1:46 am

Re: Bad ping sequence when connected through vpn

Post by MikeRobinson » Fri Aug 03, 2018 3:28 pm

I know that this is an old thread, but it still bears repeating: "traceroute is your bestest friend." This tool explores a pathway hop-by-hop. And what you very often find at some point is "a row of asterisks," which tells you that a return route from that remote system does not exist: that the traffic knows how to get there, but the echo doesn't know how to return.

ping can't tell you "why ping doesn't work," but traceroute usually can.

Routing is "a hobbit's journey" – There and Back Again – and it always must include not only the IP addresses of the various remote subnets, but also the 10.80.0.x virtual subnet used by OpenVPN itself. Every system along the entire route must somehow know what to do, round-trip, with every packet that it sees.
