Debugging dropped shell connections over a VPN

Paul Keusemann pkeusem at visi.com
Tue Jul 26 11:54:01 UTC 2011 

Again, sorry for the sluggish response.

On 07/20/11 15:15, Gary Palmer wrote:
> On Tue, Jul 12, 2011 at 02:26:34PM -0500, Paul Keusemann wrote:
>> On 07/07/11 14:39, Chuck Swiger wrote:
>>> On Jul 7, 2011, at 4:45 AM, Paul Keusemann wrote:
>>>> My setup is something like this:
>>>> - My local network is a mix of AIX, HP-UX, Linux, FreeBSD and Solaris
>>>> machines running various OS versions.
>>>> - My gateway / firewall  machine is running FreeBSD-8.1-RELEASE-p1 with
>>>> ipfw, nat and racoon for the firewall and VPN.
>>>>
>>>> The problem is that rlogin, ssh and telnet connections over the VPN get
>>>> dropped after some period of inactivity.
>>> You're probably getting NAT timeouts against the VPN connection if it is
>>> left idle.  racoon ought to have a config setting called natt_keepalive
>>> which sends periodic keepalives-- see whether that's disabled.
>>>
>>> Regards,
>> Thanks for the suggestions Chuck, sorry it's taken so long to respond
>> but I had to reconfigure and rebuild my kernel to enable IPSEC_NAT_T in
>> order to try this out.
>>
>> One thing that I did not explicitly mention before is that I am routing
>> a network over the VPN.
> Hi Paul,
>
> Even if you are not being NAT'd on the VPN there may be a firewall (or
> other active network component like a load balancer) with an
> overflowing state table somewhere at the remote end.  We see this
> frequently where I work with customer networks and the firewall/VPN/network
> admin denies that its a time out issue so there is likely some device in
> the network that has a state table and if the connection is idle for a
> few minutes it gets dropped.

Hmmm,  this seems likely.  Have you had any luck in finding the culprit 
and resolving the problem?


> Regards,
>
> Gary
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>


-- 
Paul Keusemann			                      pkeusem at visi.com
4266 Joppa Court		                      (952) 894-7805
Savage, MN  55378

More information about the freebsd-net mailing list