Debugging dropped shell connections over a VPN

Gary Palmer gpalmer at freebsd.org
Wed Jul 20 20:15:06 UTC 2011


On Tue, Jul 12, 2011 at 02:26:34PM -0500, Paul Keusemann wrote:
> On 07/07/11 14:39, Chuck Swiger wrote:
> >On Jul 7, 2011, at 4:45 AM, Paul Keusemann wrote:
> >>My setup is something like this:
> >>- My local network is a mix of AIX, HP-UX, Linux, FreeBSD and Solaris 
> >>machines running various OS versions.
> >>My gateway / firewall machine is running FreeBSD-8.1-RELEASE-p1 with 
> >>ipfw, nat and racoon for the firewall and VPN.
> >>
> >>The problem is that rlogin, ssh and telnet connections over the VPN get 
> >>dropped after some period of inactivity.
> >You're probably getting NAT timeouts against the VPN connection if it is 
> >left idle.  racoon ought to have a config setting called natt_keepalive 
> >which sends periodic keepalives-- see whether that's disabled.
> >
> >Regards,
> 
> Thanks for the suggestions Chuck, sorry it's taken so long to respond 
> but I had to reconfigure and rebuild my kernel to enable IPSEC_NAT_T in 
> order to try this out.
> 
> One thing that I did not explicitly mention before is that I am routing 
> a network over the VPN.

Hi Paul,

Even if you are not being NAT'd on the VPN there may be a firewall (or
other active network component like a load balancer) with an
overflowing state table somewhere at the remote end.  We see this 
frequently where I work with customer networks and the firewall/VPN/network
admin denies that it's a timeout issue, so there is likely some device in
the network that has a state table and if the connection is idle for a
few minutes it gets dropped.

Regards,

Gary
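The mechanism Gary and Chuck describe (a stateful device forgetting an idle flow, and keepalives sent more often than that idle timeout keeping the entry alive) can be modelled in a few lines. This is an added illustration, not code from the thread or from racoon, ipfw or any real firewall; the state-table behaviour, the flow tuple and all timings are constructed sample values.

```python
"""
Toy model of an idle-timeout state table (firewall / NAT / load balancer)
and the effect of keepalives on a long-lived, mostly idle session such as
ssh over a VPN.  Added example; all values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]


@dataclass
class StateTable:
    """A stateful middlebox that forgets any flow idle for more than
    idle_timeout seconds.  Only packets for known flows are forwarded."""
    idle_timeout: float
    last_seen: Dict[Flow, float] = field(default_factory=dict)

    def open(self, flow: Flow, now: float) -> None:
        """Connection setup (the SYN) creates the state entry."""
        self.last_seen[flow] = now

    def packet(self, flow: Flow, now: float) -> bool:
        """A mid-stream packet at time `now`.  Returns False if there is no
        live state for the flow: the entry expired (or never existed) and a
        real device would silently drop the packet or answer with a RST."""
        seen = self.last_seen.get(flow)
        if seen is None or now - seen > self.idle_timeout:
            self.last_seen.pop(flow, None)
            return False
        self.last_seen[flow] = now
        return True


def session_survives(idle_timeout: float, idle_period: float,
                     keepalive_interval: Optional[float]) -> bool:
    """Open a flow, leave it idle for idle_period seconds (optionally sending
    a keepalive every keepalive_interval seconds), then send real traffic.
    Returns True if the state entry still exists when the user types again."""
    table = StateTable(idle_timeout)
    flow: Flow = ("10.0.0.5", 50000, "192.168.1.10", 22)  # constructed ssh flow
    t = 0.0
    table.open(flow, t)
    if keepalive_interval:
        while t + keepalive_interval < idle_period:
            t += keepalive_interval
            table.packet(flow, t)  # keepalive refreshes the entry if still live
    return table.packet(flow, idle_period)


def max_keepalive_interval(idle_timeout: float, safety_margin: float = 0.2) -> float:
    """Largest keepalive interval that stays comfortably below the device's
    idle timeout (jitter and loss mean you never want to cut it close)."""
    return idle_timeout * (1 - safety_margin)


if __name__ == "__main__":
    # Constructed scenario: a 5-minute state timeout and a 10-minute coffee break.
    print("no keepalive   :", session_survives(300, 600, None))   # False
    print("keepalive 60 s :", session_survives(300, 600, 60))     # True
    print("keepalive 400 s:", session_survives(300, 600, 400))    # False, too slow
    print("safe interval  :", max_keepalive_interval(300), "s")
```

The point the model makes is that a keepalive only helps when its interval is shorter than the smallest idle timeout on the path; one that fires less often than the state table expires (the 400 s case) is no better than none. At the application layer OpenSSH's client-side ServerAliveInterval and ServerAliveCountMax options send the same kind of traffic inside the encrypted ssh session, independently of any NAT-T keepalives the VPN itself sends.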

