This forum is for admins who are looking to build or expand their OpenVPN setup.
Moderators: TinCanTech
-
spoon
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Mar 10, 2011 1:37 pm
Post
by spoon » Thu Mar 10, 2011 1:44 pm
Very quick question - each time when connecting back to my home LAN my connection times out if trying to hit internal resources i.e. web server for example.
Code:
Reply from 10.10.0.3: bytes=32 time=16ms TTL=64
Reply from 10.10.0.3: bytes=32 time=17ms TTL=64
Reply from 10.10.0.3: bytes=32 time=17ms TTL=64
Reply from 10.10.0.3: bytes=32 time=17ms TTL=64
Reply from 10.10.0.3: bytes=32 time=17ms TTL=64
Reply from 10.10.0.3: bytes=32 time=17ms TTL=64
Reply from 10.10.0.3: bytes=32 time=17ms TTL=64
Reply from 10.10.0.3: bytes=32 time=18ms TTL=64
Reply from 10.10.0.3: bytes=32 time=17ms TTL=64
Reply from 10.10.0.3: bytes=32 time=17ms TTL=64<==== All working fine as you can see
Reply from 10.10.0.3: bytes=32 time=17ms TTL=64<==== In IE I type 10.10.0.3:8080
Request timed out. <==== Connection drops and won't reconnect...
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Pretty much the same thing happens when I want to upload something to a SMB share, browsing the shares itself works perfectly but as soon as I drop a file [size doesn't matter as I have tried few kb with the same results]
Did anyone come across something similar?
I can provide the necessary info/config files etc. - just ask.
Thanks.
Adrian
-
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Post
by janjust » Thu Mar 10, 2011 2:04 pm
most likely an MTU issue; if it is a UDP-based setup, first try adding
to both client and server config files (or 1200, if 1400 did not help).
If it is TCP based then lower the MTU size on both ends
be aware that windows sometimes has issues when the MTU is lowered in this way.
BTW, I'd appreciate it if you left my brain intact

-
spoon
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Mar 10, 2011 1:37 pm
Post
by spoon » Thu Mar 10, 2011 2:57 pm
Thanks for your reply.
Lowering the MTU partially corrected the problem i.e. I can get to my webserver but it will drop around 20 packets before the website actually loads.
Further clicking around results in 20 or so packets dropped each time so it’s unusable really...
Code:
H:\>ping 10.10.0.1 -t
Pinging 10.10.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 10.10.0.1: bytes=32 time=38ms TTL=64
Reply from 10.10.0.1: bytes=32 time=16ms TTL=64
Reply from 10.10.0.1: bytes=32 time=19ms TTL=64
Reply from 10.10.0.1: bytes=32 time=18ms TTL=64
Reply from 10.10.0.1: bytes=32 time=17ms TTL=64
Reply from 10.10.0.1: bytes=32 time=18ms TTL=64
Reply from 10.10.0.1: bytes=32 time=17ms TTL=64 <=== IE loads 10.10.0.3:8080
Request timed out. <=== Page tries to load up
Request timed out. <=== Page tries to load up
Request timed out. <=== Page tries to load up
Request timed out. <=== Page tries to load up
Request timed out. <=== Page tries to load up
Request timed out. <=== Page tries to load up
Request timed out. <=== Page tries to load up
Request timed out. <=== Page tries to load up
Request timed out. <=== Page tries to load up
Request timed out. <=== Page tries to load up
Request timed out. <=== Page tries to load up
Request timed out. <=== Page tries to load up
Request timed out. <=== Page tries to load up
Request timed out. <=== Page tries to load up
Request timed out. <=== Page tries to load up
Request timed out. <=== Page tries to load up
Request timed out. <=== Page tries to load up
Request timed out. <=== Page tries to load up
Reply from 10.10.0.1: bytes=32 time=655ms TTL=64 <=== Page loads properly
Reply from 10.10.0.1: bytes=32 time=1418ms TTL=64
Reply from 10.10.0.1: bytes=32 time=36ms TTL=64
Reply from 10.10.0.1: bytes=32 time=1971ms TTL=64
Reply from 10.10.0.1: bytes=32 time=20ms TTL=64
Reply from 10.10.0.1: bytes=32 time=1138ms TTL=64
Reply from 10.10.0.1: bytes=32 time=18ms TTL=64
Reply from 10.10.0.1: bytes=32 time=652ms TTL=64
Reply from 10.10.0.1: bytes=32 time=18ms TTL=64
Reply from 10.10.0.1: bytes=32 time=16ms TTL=64
Reply from 10.10.0.1: bytes=32 time=17ms TTL=64
Reply from 10.10.0.1: bytes=32 time=16ms TTL=64
Reply from 10.10.0.1: bytes=32 time=19ms TTL=64
Reply from 10.10.0.1: bytes=32 time=19ms TTL=64
Reply from 10.10.0.1: bytes=32 time=17ms TTL=64
Reply from 10.10.0.1: bytes=32 time=17ms TTL=64
Reply from 10.10.0.1: bytes=32 time=17ms TTL=64
Reply from 10.10.0.1: bytes=32 time=18ms TTL=64
Reply from 10.10.0.1: bytes=32 time=21ms TTL=64
Reply from 10.10.0.1: bytes=32 time=17ms TTL=64
Reply from 10.10.0.1: bytes=32 time=18ms TTL=64
Reply from 10.10.0.1: bytes=32 time=17ms TTL=64
Ping statistics for 10.10.0.1:
Packets: Sent = 49, Received = 29, Lost = 20 (40% loss),
Approximate round trip times in milli-seconds:
Minimum = 16ms, Maximum = 1971ms, Average = 217ms
Control-C
^C
H:\>
Side note: Your brain should be intact from what I can gather
Side note 2: I lowered the MTU to 1200 over UDP. Would TCP improve the situation at all?
-
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Post
by janjust » Thu Mar 10, 2011 3:05 pm
did '--fragment' not help?
I see you are using windows - the problem with lowering the mtu size on windows is that windows does not "honor" whatever openvpn sets. You'd need to adjust the MTU size in the windows adapter settings (tab "Advanced" as well). On Vista/7 you can also do this using
Code:
netsh interface ipv4 set subinterface "name of interface" mtu=1400
-
spoon
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Mar 10, 2011 1:37 pm
Post
by spoon » Thu Mar 10, 2011 3:20 pm
Adjusting fragmentation to 1200 is producing the results above, let me try forcing the MTU.
Just for reference, I'm attaching my server config:
Code:
mode server
proto udp
port 1194
fragment 1200
dev tap0
server-bridge 10.10.0.1 255.255.255.0 10.10.0.201 10.10.0.254
keepalive 10 120
daemon
verb 5
client-to-client
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 5001
-
spoon
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Mar 10, 2011 1:37 pm
Post
by spoon » Thu Mar 10, 2011 4:45 pm
Log file from the server:
Code:
Mar 10 16:26:31 XXXXX-ROUTER01 daemon.notice openvpn[6003]: OpenVPN 2.1.1 mips-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug 7 2010
Mar 10 16:27:05 XXXXX-ROUTER01 daemon.notice openvpn[6013]: XX.XXX.X.XX:14486 VERIFY OK: depth=1, /C=UK/ST=LON/L=London/O=OpenVPN_XXXXX/CN=XXXXX-OpenVPN01/emailAddress=XXXXX@hotmail.co.uk
Mar 10 16:27:05 XXXXX-ROUTER01 daemon.notice openvpn[6013]: XX.XXX.X.XX:14486 VERIFY OK: depth=0, /C=UK/ST=LON/O=OpenVPN_XXXXX/CN=XXXXX-OpenVPN01-Client01/emailAddress=XXXXX@hotmail.co.uk
Mar 10 16:27:05 XXXXX-ROUTER01 daemon.notice openvpn[6013]: XX.XXX.X.XX:14486 [XXXXX-OpenVPN01-Client01] Peer Connection Initiated with XX.XXX.X.XX:14486
Mar 10 16:27:08 XXXXX-ROUTER01 daemon.notice openvpn[6013]: XXXXX-OpenVPN01-Client01/XX.XXX.X.XX:14486 PUSH: Received control message: 'PUSH_REQUEST'
Mar 10 16:27:08 XXXXX-ROUTER01 daemon.notice openvpn[6013]: XXXXX-OpenVPN01-Client01/XX.XXX.X.XX:14486 SENT CONTROL [XXXXX-OpenVPN01-Client01]: 'PUSH_REPLY,route-gateway 10.10.0.1,ping 10,ping-restart 120,ifconfig 10.10.0.201 255.255.255.0' (status=1)
Mar 10 16:27:08 XXXXX-ROUTER01 daemon.notice openvpn[6013]: XXXXX-OpenVPN01-Client01/XX.XXX.X.XX:14486 MULTI: Learn: 00:xx:3x:xx:xx:x3 -> XXXXX-OpenVPN01-Client01/XX.XXX.X.XX:14486
Mar 10 16:27:40 XXXXX-ROUTER01 daemon.notice openvpn[6013]: XXXXX-OpenVPN01-Client01/XX.XXX.X.XX:14486 Replay-window backtrack occurred [1]
Mar 10 16:28:39 XXXXX-ROUTER01 daemon.notice openvpn[6013]: XXXXX-OpenVPN01-Client01/XX.XXX.X.XX:14486 Replay-window backtrack occurred [2]
Is "Replay-window backtrack occurred" something to worry about?
MTU of 1200 on the server and forced on the Windows machines seems to be helping but not much.
Log file from the client:
Code:
Thu Mar 10 16:27:05 2011 OpenVPN 2.2-beta5 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 30 2010
Thu Mar 10 16:27:05 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Mar 10 16:27:05 2011 UDPv4 link local: [undef]
Thu Mar 10 16:27:05 2011 UDPv4 link remote: XX.X.XX.XX:1194
Thu Mar 10 16:27:06 2011 [server] Peer Connection Initiated with XX.X.XX.XX:1194
Thu Mar 10 16:27:08 2011 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{355CC443-43CB-4F44-BBD6-51DCD0AFCBD9}.tap
Thu Mar 10 16:27:08 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.10.0.201/255.255.255.0 on interface {355CC443-43CB-4F44-BBD6-51DCD0AFCBD9} [DHCP-serv: 10.10.0.0, lease-time: 31536000]
Thu Mar 10 16:27:08 2011 Successful ARP Flush on interface [131076] {355CC443-43CB-4F44-BBD6-51DCD0AFCBD9}
Thu Mar 10 16:27:13 2011 Initialization Sequence Completed
Thu Mar 10 16:28:00 2011 FRAG TTL expired i=4
Thu Mar 10 16:28:10 2011 FRAG TTL expired i=19
Thu Mar 10 16:29:22 2011 FRAG TTL expired i=10
Thu Mar 10 16:29:22 2011 FRAG TTL expired i=22
Thu Mar 10 16:30:12 2011 FRAG TTL expired i=22
Thu Mar 10 16:30:32 2011 FRAG TTL expired i=14
Thu Mar 10 16:30:53 2011 FRAG TTL expired i=15
Thu Mar 10 16:31:19 2011 FRAG TTL expired i=15
Thu Mar 10 16:31:59 2011 FRAG TTL expired i=8
Thu Mar 10 16:32:25 2011 FRAG TTL expired i=6
Thu Mar 10 16:32:25 2011 FRAG TTL expired i=10
Thu Mar 10 16:32:25 2011 FRAG TTL expired i=13
Thu Mar 10 16:33:42 2011 FRAG TTL expired i=7
Thu Mar 10 16:33:42 2011 FRAG TTL expired i=9
Thu Mar 10 16:33:58 2011 FRAG TTL expired i=10
Thu Mar 10 16:33:58 2011 FRAG TTL expired i=13
Thu Mar 10 16:34:18 2011 FRAG TTL expired i=24
Thu Mar 10 16:34:55 2011 FRAG TTL expired i=0
Thu Mar 10 16:34:55 2011 FRAG TTL expired i=5
Thu Mar 10 16:36:13 2011 FRAG TTL expired i=0
Thu Mar 10 16:36:49 2011 FRAG TTL expired i=13
Thu Mar 10 16:36:49 2011 FRAG TTL expired i=15
Thu Mar 10 16:37:25 2011 FRAG TTL expired i=17
Thu Mar 10 16:37:25 2011 FRAG TTL expired i=20
Thu Mar 10 16:37:25 2011 FRAG TTL expired i=23
Thu Mar 10 16:37:40 2011 FRAG TTL expired i=23
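A triage script for the two log symptoms quoted in the post above, as an added example that is not part of the original thread: it tallies `FRAG TTL expired` lines (logged when a partially reassembled datagram is discarded because its remaining fragments did not arrive in time) and `Replay-window backtrack` lines, so the rate can be compared before and after an MTU or `fragment` change. The sample lines, host name and peer address are constructed, and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed sample: client-log lines in the format quoted above plus one
# syslog-style server line (host and peer address are placeholders).
SAMPLE_LOG = """\
Thu Mar 10 16:27:13 2011 Initialization Sequence Completed
Thu Mar 10 16:28:00 2011 FRAG TTL expired i=4
Thu Mar 10 16:28:10 2011 FRAG TTL expired i=19
Thu Mar 10 16:32:25 2011 FRAG TTL expired i=6
Thu Mar 10 16:32:25 2011 FRAG TTL expired i=10
Thu Mar 10 16:32:25 2011 FRAG TTL expired i=13
Mar 10 16:27:40 ROUTER daemon.notice openvpn[1]: c1/192.0.2.10:1194 Replay-window backtrack occurred [1]
line without a timestamp
"""

CLIENT_RE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (.*)$")
FRAG_RE = re.compile(r"^FRAG TTL expired i=(\d+)$")
REPLAY_RE = re.compile(r"Replay-window backtrack occurred \[\d+\]")

def summarize(log_text):
    """Tally fragment-reassembly timeouts and replay-window backtracks."""
    per_second = Counter()  # timestamp -> reassembly buffers expired at that instant
    slots = set()           # values of i= seen in FRAG TTL messages
    backtracks = 0
    first = last = None
    for line in log_text.splitlines():
        if REPLAY_RE.search(line):
            backtracks += 1
            continue
        m = CLIENT_RE.match(line.strip())
        if not m:
            continue        # not a timestamped client-log record
        stamp = " ".join(m.group(1).split())  # normalise "Mar  1" padding
        ts = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        first, last = first or ts, ts
        frag = FRAG_RE.match(m.group(2))
        if frag:
            per_second[ts] += 1
            slots.add(int(frag.group(1)))
    total = sum(per_second.values())
    minutes = max((last - first).total_seconds() / 60, 1) if first else 1
    return {
        "frag_expired": total,
        "bursts": sum(1 for n in per_second.values() if n > 1),
        "slots": sorted(slots),
        "frag_per_minute": round(total / minutes, 2),
        "replay_backtracks": backtracks,
    }
```

A `frag_per_minute` value that does not fall after a change suggests the new setting is not taking effect on one side of the tunnel.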
-
spoon
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Mar 10, 2011 1:37 pm
Post
by spoon » Fri Apr 01, 2011 12:56 pm
Do you guys have any more ideas?
I can confirm it only happens when I pull stuff from my home network i.e. my webserver, SMB shares etc.
-
eric66300
- OpenVPN Power User
- Posts: 57
- Joined: Fri Apr 15, 2011 12:05 pm
Post
by eric66300 » Mon May 23, 2011 8:44 am
janjust wrote:did '--fragment' not help?
I see you are using windows - the problem with lowering the mtu size on windows is that windows does not "honor" whatever openvpn sets. You'd need to adjust the MTU size in the windows adapter settings (tab "Advanced" as well). On Vista/7 you can also do this using
Code:
netsh interface ipv4 set subinterface "name of interface" mtu=1400
Hi,
May I know what name of interface this is? Can you cite an example?
Can this interface be 32-bit and 64-bit? x86_64 or i386?
Thank you
-
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Post
by janjust » Mon May 23, 2011 11:40 am
the name of the interface can be retrieved using
Code:
netsh interface ipv4 show subinterfaces
Look in the last column for the interface name (usually something like "Local Area Network Connect #N")
this works on all (non-starter) versions of Vista and 7.
-
eric66300
- OpenVPN Power User
- Posts: 57
- Joined: Fri Apr 15, 2011 12:05 pm
Post
by eric66300 » Mon May 23, 2011 11:50 am
thank you