Problem pinging some hosts on LAN side.
Posted: Tue Feb 08, 2011 10:43 am
Hi there, I've got an OpenVPN production server in a roadwarrior role and we've detected some weird things when pinging nodes on the LAN. We can successfully ping almost every node, but seven hosts don't respond to ping or connections from clients connected through the VPN.
This is a tcpdump on the VPN server with a successful ping:

11:22:46.577338 IP 192.168.201.8 > 192.168.101.211: ICMP echo request, id 1, seq 308, length 40
11:22:46.577469 IP 192.168.101.211 > 192.168.201.8: ICMP echo reply, id 1, seq 308, length 40
11:22:46.577525 IP 192.168.101.211 > 192.168.201.8: ICMP echo reply, id 1, seq 308, length 40

One request and two replies; the second reply, I suppose, is routed through the tunnel.

Another tcpdump capture with a successful ping too:

11:23:00.460469 IP 192.168.201.8 > 192.168.101.212: ICMP echo request, id 1, seq 309, length 40
11:23:00.460629 IP 192.168.101.212 > 192.168.201.8: ICMP echo reply, id 1, seq 309, length 40

I don't know why there isn't a second ICMP reply on this one?

And this is a capture when pinging one of those hosts that don't answer to the client:

11:23:12.056182 IP 192.168.201.8 > 192.168.101.213: ICMP echo request, id 1, seq 310, length 40
11:23:12.056502 IP 192.168.101.213 > 192.168.201.8: ICMP echo reply, id 1, seq 310, length 40

Those three nodes are on the same network 192.168.101.0/24.

Config stuff:

VPN Server:

port 1194
proto tcp-server
dev tun0
ca keys/ca.crt
cert keys/vpn_server.crt
key keys/vpn_server.key
dh keys/dh2048.pem
server 192.168.201.0 255.255.255.0
crl-verify keys/crl.pem
ifconfig-pool-persist servers/tcp_server/logs/ipp.txt
cipher AES-256-CBC
user nobody
group adm
status servers/tcp_server/logs/openvpn-status.log
log-append servers/tcp_server/logs/openvpn.log
verb 5
mute 20
max-clients 100
keepalive 10 120
client-config-dir /etc/openvpn/servers/tcp_server/ccd
tls-server
client-to-client
comp-lzo
persist-key
persist-tun
ccd-exclusive
script-security 2
topology subnet
push "route 192.168.101.0 255.255.255.0"
push "dhcp-option DNS 192.168.101.4"
push "dhcp-option DNS 192.168.101.5"
push "dhcp-option DOMAIN xxxxxxxx.local."
client-connect "/usr/bin/sudo -u root /etc/openvpn/scripts/client-connect.script >> /tmp/connect.log"
client-disconnect "/usr/bin/sudo -u root /etc/openvpn/scripts/client-disconnect.script"

Client config:

client
proto tcp-client
dev tun
ca ca.crt
dh dh2048.pem
cert sergio_xxxxxx.crt
key sergio_xxxxxx.key
remote xx.xx.xxx.xx 1194
cipher AES-256-CBC
verb 2
mute 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
float
resolv-retry infinite
nobind

Iptables is down:

Chain INPUT (policy ACCEPT 460K packets, 53M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 346K packets, 207M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 277K packets, 132M bytes)
pkts bytes target prot opt in out source destination

Routing table:

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.101.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.201.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 192.168.101.192 0.0.0.0 UG 0 0 0 eth0

Server specs:

[root@vpn ~]# lsb_release -a
LSB Version: :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: CentOS
Description: CentOS release 5.5 (Final)
Release: 5.5
Codename: Final
[root@vpn ~]# uname -a
Linux vpn.xxxxxxxx.xx 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:53:09 EST 2011 i686 i686 i386 GNU/Linux

Client is Windows 7 with OpenVPN GUI v1.0.3.

Any help will be really appreciated.

Thank you
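A small triage helper for the kind of captures quoted in this post, added here as an example (not code from the poster or the OpenVPN project). It parses tcpdump ICMP echo lines, counts requests and replies per pinged LAN host, and flags hosts whose replies show up fewer times than expected; the sample input is the three captures above, and the "two copies per forwarded reply" expectation is an assumption about how the capture was taken, not something the post confirms.

```python
import re
from collections import defaultdict

# Constructed sample input: the three tcpdump captures quoted in the post.
SAMPLE = """\
11:22:46.577338 IP 192.168.201.8 > 192.168.101.211: ICMP echo request, id 1, seq 308, length 40
11:22:46.577469 IP 192.168.101.211 > 192.168.201.8: ICMP echo reply, id 1, seq 308, length 40
11:22:46.577525 IP 192.168.101.211 > 192.168.201.8: ICMP echo reply, id 1, seq 308, length 40
11:23:00.460469 IP 192.168.201.8 > 192.168.101.212: ICMP echo request, id 1, seq 309, length 40
11:23:00.460629 IP 192.168.101.212 > 192.168.201.8: ICMP echo reply, id 1, seq 309, length 40
11:23:12.056182 IP 192.168.201.8 > 192.168.101.213: ICMP echo request, id 1, seq 310, length 40
11:23:12.056502 IP 192.168.101.213 > 192.168.201.8: ICMP echo reply, id 1, seq 310, length 40
"""

# One tcpdump ICMP echo line as printed with -n (numeric addresses, no -e link headers).
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)

def parse(text):
    """Yield (kind, src, dst, (id, seq)) for each echo line; ignore any other traffic."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["kind"], m["src"], m["dst"], (int(m["id"]), int(m["seq"]))

def summarize(text):
    """Per pinged LAN host: (distinct echo requests sent to it, reply lines seen from it)."""
    requests = defaultdict(set)
    replies = defaultdict(int)
    for kind, src, dst, key in parse(text):
        if kind == "request":
            requests[dst].add(key)
        else:
            replies[src] += 1
    return {host: (len(keys), replies[host]) for host, keys in requests.items()}

def flag_hosts(text, copies_per_reply=2):
    """Hosts whose replies were seen fewer times than expected.

    Assumption (not confirmed by the post): the capture was taken on every
    interface of the forwarding box, so a reply that is relayed into the tunnel
    appears once on eth0 and once on tun0, while a reply that reaches the box
    but is never forwarded appears only once.
    """
    return sorted(host for host, (reqs, reps) in summarize(text).items()
                  if reps < copies_per_reply * reqs)
```

Running `flag_hosts` over captures taken separately on eth0 and on tun0 (with `copies_per_reply=1` on each) narrows down whether a missing reply never reached the server or reached it and was not relayed into the tunnel.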