Problem pinging some hosts on LAN side.

[sergio]

Hi there, i've got a OpenVPN production server on roadwarrior role and we've detected some weird things when pinging nodes on LAN. We can succesful ping almost every node, but seven host don't respond ping or connections from clients connected throught vpn.

This is a tcpdump on vpn server with a sucessful ping:

Code: Select all

11:22:46.577338 IP 192.168.201.8 > 192.168.101.211: ICMP echo request, id 1, seq 308, length 40
11:22:46.577469 IP 192.168.101.211 > 192.168.201.8: ICMP echo reply, id 1, seq 308, length 40
11:22:46.577525 IP 192.168.101.211 > 192.168.201.8: ICMP echo reply, id 1, seq 308, length 40

One request and two replies, second reply i supposed is routed throutgh tunnel.

Another tcpdump capture with a succesful ping too:

Code: Select all

11:23:00.460469 IP 192.168.201.8 > 192.168.101.212: ICMP echo request, id 1, seq 309, length 40
11:23:00.460629 IP 192.168.101.212 > 192.168.201.8: ICMP echo reply, id 1, seq 309, length 40

I don't know why there isn't a second icmp reply on this one ¿?

And this is a capture when pinging one of those hosts, that don't answer to the client.

Code: Select all

11:23:12.056182 IP 192.168.201.8 > 192.168.101.213: ICMP echo request, id 1, seq 310, length 40
11:23:12.056502 IP 192.168.101.213 > 192.168.201.8: ICMP echo reply, id 1, seq 310, length 40

Those three nodes are on the same network 192.168.101.0/24

Config stuff:
VPN Server

Code: Select all

port 1194
proto tcp-server
dev tun0
ca keys/ca.crt
cert keys/vpn_server.crt
key keys/vpn_server.key
dh keys/dh2048.pem
server 192.168.201.0 255.255.255.0
crl-verify keys/crl.pem
ifconfig-pool-persist servers/tcp_server/logs/ipp.txt
cipher AES-256-CBC
user nobody
group adm
status servers/tcp_server/logs/openvpn-status.log
log-append servers/tcp_server/logs/openvpn.log
verb 5
mute 20
max-clients 100
keepalive 10 120
client-config-dir /etc/openvpn/servers/tcp_server/ccd
tls-server
client-to-client
comp-lzo
persist-key
persist-tun
ccd-exclusive
script-security 2
topology subnet

push "route 192.168.101.0 255.255.255.0"
push "dhcp-option DNS 192.168.101.4"
push "dhcp-option DNS 192.168.101.5"
push "dhcp-option DOMAIN xxxxxxxx.local."

client-connect "/usr/bin/sudo  -u root /etc/openvpn/scripts/client-connect.script >> /tmp/connect.log"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/scripts/client-disconnect.script"

Client config:

Code: Select all

client
proto tcp-client
dev tun
ca ca.crt
dh dh2048.pem
cert sergio_xxxxxx.crt
key sergio_xxxxxx.key
remote xx.xx.xxx.xx 1194
cipher AES-256-CBC
verb 2
mute 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
float
resolv-retry infinite
nobind

Iptables is down:

Code: Select all

Chain INPUT (policy ACCEPT 460K packets, 53M bytes)
 pkts bytes target     prot opt in     out     source               destination       

Chain FORWARD (policy ACCEPT 346K packets, 207M bytes)
 pkts bytes target     prot opt in     out     source               destination       

Chain OUTPUT (policy ACCEPT 277K packets, 132M bytes)
 pkts bytes target     prot opt in     out     source               destination      

Routing table:

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.101.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.201.0   0.0.0.0         255.255.255.0   U         0 0          0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         192.168.101.192 0.0.0.0         UG        0 0          0 eth0

Server specs:

Code: Select all

[root@vpn ~]# lsb_release -a
LSB Version:    :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: CentOS
Description:    CentOS release 5.5 (Final)
Release:        5.5
Codename:       Final
[root@vpn ~]# uname -a
Linux vpn.xxxxxxxx.xx 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:53:09 EST 2011 i686 i686 i386 GNU/Linux

Client is Windows 7 with OpenVPN GUI v1.0.3

Any help will be really apreciated
Thank you

[maikcat]

hi there,

with a quick look i would tell you the following

1)the clients that dont work,have they got any firewall enabled on them?
2)is the routing configured right on them?
3)what os they have?

cheers,

michael.

[sergio]

Hi maikcat, thanks for your answer.

Clients are a mix of printers, a webserver running w2k3 and disks cabinet. There is no firewall, actually the icmp reply packet from those clients reaches the vpn server (as you can see on tcpdump) but it doesn't get routed throught tunnel.

One curiosity all IP's that don't answer ping are over 192.168.101.200, which made me though about incorrect netmask, but they are ok.

Thanks

[maikcat]

hi there,

your scenario looks ok...
normally should had worked..

for the sake of completeness what /etc/openvpn/scripts/client-connect.script -disconnect
does anyway?

cheers,

michael.