Specific Packets disappearing between eth0 and tun / tap


Post by ProphaC » Fri May 19, 2017 2:54 pm

So I'm having a really confusing time. I have used OpenVPN 100s of times, and this configuration was working perfectly a month ago; however, now the moment a TCP session is established, the meat of the session, i.e. the GET, doesn't make it through to the tunnel. This happens with other protocols as well. I have tried different MTUs (tunnel and link), tap and tun, ALWAYS with the same result. The only plaster I've come up with is using squid as a reverse transparent proxy for HTTP traffic, which solves that. I have used 2 different Linux flavours with exactly the same result.

This happens in both directions.

A dump looks as follows on the eth0 side:
16:21:02.646493 IP 10.254.1.20.63074 > 10.2.33.212.80: S 3850474827:3850474827(0) win 64240 <mss 1460,sackOK,timestamp 501018585 0,nop,wscale 1>
16:21:02.649704 IP 10.2.33.212.80 > 10.254.1.20.63074: S 797667447:797667447(0) ack 3850474828 win 16384 <mss 1337,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
16:21:02.650150 IP 10.254.1.20.63074 > 10.2.33.212.80: . ack 1 win 64262 <nop,nop,timestamp 501018585 0>
16:21:02.650260 IP 10.254.1.20.63074 > 10.2.33.212.80: P 1:207(206) ack 1 win 64262 <nop,nop,timestamp 501018585 0>
16:21:03.021778 IP 10.254.1.20.63074 > 10.2.33.212.80: P 1:207(206) ack 1 win 64262 <nop,nop,timestamp 501018623 0>
16:21:03.741765 IP 10.254.1.20.63074 > 10.2.33.212.80: P 1:207(206) ack 1 win 64262 <nop,nop,timestamp 501018695 0>
16:21:05.161728 IP 10.254.1.20.63074 > 10.2.33.212.80: P 1:207(206) ack 1 win 64262 <nop,nop,timestamp 501018837 0>
16:21:07.991656 IP 10.254.1.20.63074 > 10.2.33.212.80: P 1:207(206) ack 1 win 64262 <nop,nop,timestamp 501019120 0>
16:21:13.641867 IP 10.254.1.20.63074 > 10.2.33.212.80: P 1:207(206) ack 1 win 64262 <nop,nop,timestamp 501019685 0>
16:21:24.921320 IP 10.254.1.20.63074 > 10.2.33.212.80: P 1:207(206) ack 1 win 64262 <nop,nop,timestamp 501020813 0>
16:21:47.460850 IP 10.254.1.20.63074 > 10.2.33.212.80: P 1:207(206) ack 1 win 64262 <nop,nop,timestamp 501023067 0>
16:22:09.088029 IP 10.254.1.20.63074 > 10.2.33.212.80: F 207:207(0) ack 1 win 64262 <nop,nop,timestamp 501025229 0>
16:22:09.091103 IP 10.2.33.212.80 > 10.254.1.20.63074: . ack 1 win 65535 <nop,nop,timestamp 5396459 501025229,nop,nop,sack 1 {207:208}>

The pile of identical packets are retries which never make it into the tunnel.


Re: Specific Packets disappearing between eth0 and tun / tap

Post by ProphaC » Tue May 23, 2017 2:28 pm

So just for anyone who has this VERY weird issue: setting mssfix (regardless of UDP or TCP tunnel) to 100 has "patched" the problem. We noticed that packets as small as 311 bytes were being dropped (made to disappear; they didn't show up as dropped) while anything under 100 bytes was passing from eth0 to the tun/tap with no problem. We could (and can, since mssfix is TCP-session related) still do an unfragmented ping with an MTU size of 1500, but try to get a packet much over 100 bytes on a TCP session and you can forget it.

The hosts on one side of the VPN were OVM (Oracle Virtual Machine Hosts). This was the only unique thing in the config compared to all the others I've done.
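
An added example, not part of either post: a Python script that reads old-style tcpdump text like the eth0 capture above and reports payload segments that were sent repeatedly while the peer's ACK never covered them, with the payload size and the gaps between sends. The function name `find_blackholed_segments` and the abridged sample are assumptions of this example.

```python
import re
from collections import defaultdict

# Abridged from the eth0 capture in the first post: TCP options omitted,
# only the first five of the eight identical sends kept.
SAMPLE = """\
16:21:02.646493 IP 10.254.1.20.63074 > 10.2.33.212.80: S 3850474827:3850474827(0) win 64240
16:21:02.649704 IP 10.2.33.212.80 > 10.254.1.20.63074: S 797667447:797667447(0) ack 3850474828 win 16384
16:21:02.650150 IP 10.254.1.20.63074 > 10.2.33.212.80: . ack 1 win 64262
16:21:02.650260 IP 10.254.1.20.63074 > 10.2.33.212.80: P 1:207(206) ack 1 win 64262
16:21:03.021778 IP 10.254.1.20.63074 > 10.2.33.212.80: P 1:207(206) ack 1 win 64262
16:21:03.741765 IP 10.254.1.20.63074 > 10.2.33.212.80: P 1:207(206) ack 1 win 64262
16:21:05.161728 IP 10.254.1.20.63074 > 10.2.33.212.80: P 1:207(206) ack 1 win 64262
16:21:07.991656 IP 10.254.1.20.63074 > 10.2.33.212.80: P 1:207(206) ack 1 win 64262
16:22:09.091103 IP 10.2.33.212.80 > 10.254.1.20.63074: . ack 1 win 65535
"""

# Old-style tcpdump text: time, src > dst, flags, optional start:end(len), optional ack.
LINE = re.compile(r"(\d+):(\d+):([\d.]+) IP (\S+) > (\S+): (\S+)"
                  r"(?: (\d+):(\d+)\((\d+)\))?(?: ack (\d+))?")

def find_blackholed_segments(dump, min_sends=3):
    """Report payload segments sent min_sends+ times that the peer never ACKed."""
    sends = defaultdict(list)      # (src, dst, end_seq, length) -> send times
    acked = defaultdict(int)       # (acker, peer) -> highest relative ACK seen
    for line in dump.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        h, mi, s, src, dst, flags, _start, end, length, ack = m.groups()
        if "S" in flags:
            continue               # SYN/SYN-ACK print absolute sequence numbers
        if ack is not None:
            acked[(src, dst)] = max(acked[(src, dst)], int(ack))
        if length and int(length) > 0:
            when = int(h) * 3600 + int(mi) * 60 + float(s)
            sends[(src, dst, int(end), int(length))].append(when)
    report = []
    for (src, dst, end, length), times in sends.items():
        if len(times) >= min_sends and acked[(dst, src)] < end:
            gaps = [round(b - a, 2) for a, b in zip(times, times[1:])]
            report.append({"src": src, "dst": dst, "payload": length,
                           "sends": len(times), "gaps": gaps})
    return report

if __name__ == "__main__":
    for seg in find_blackholed_segments(SAMPLE):
        print(seg)
```

Running the same function over captures taken on eth0 and on the tun/tap interface shows which payload sizes stall on one side and never appear on the other.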
