IPSec tcp session stalling

Matthew Grooms mgrooms at shrew.net
Sat Oct 22 15:12:09 PDT 2005


Mike & Volker,

 >Try sending different sized pings or other packet size control utils to
 >really make sure it's not MTU related.
 >Maybe there is an upstream router that's blocking ICMP fragment packets,
 >have you ever seen them? Try forcing the creation of some.
 >
 >Mike

     I am experiencing the same issue as Volker and tried sending
different-sized ICMP packets, which seems to work fine. I followed up
with a telnet connection, which quickly stalled.

root@hole# tcpdump -i xl1 src or dst 10.20.10.141
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on xl1, link-type EN10MB (Ethernet), capture size 96 bytes
16:46:01.676879 IP 10.22.200.21 > 10.20.10.141: ICMP echo request, id 512, seq 15872, length 508
16:46:01.722918 IP 10.20.10.141 > 10.22.200.21: ICMP echo reply, id 512, seq 15872, length 508
16:46:02.691200 IP 10.22.200.21 > 10.20.10.141: ICMP echo request, id 512, seq 16128, length 508
16:46:02.739848 IP 10.20.10.141 > 10.22.200.21: ICMP echo reply, id 512, seq 16128, length 508
16:46:07.015667 IP 10.22.200.21 > 10.20.10.141: ICMP echo request, id 512, seq 16384, length 1008
16:46:07.067792 IP 10.20.10.141 > 10.22.200.21: ICMP echo reply, id 512, seq 16384, length 1008
16:46:08.019359 IP 10.22.200.21 > 10.20.10.141: ICMP echo request, id 512, seq 16640, length 1008
16:46:08.093539 IP 10.20.10.141 > 10.22.200.21: ICMP echo reply, id 512, seq 16640, length 1008
16:46:12.119300 IP 10.22.200.21 > 10.20.10.141: ICMP echo request, id 512, seq 16896, length 1480
16:46:12.119308 IP 10.22.200.21 > 10.20.10.141: icmp
16:46:12.197403 IP 10.20.10.141 > 10.22.200.21: ICMP echo reply, id 512, seq 16896, length 1480
16:46:12.197414 IP 10.20.10.141 > 10.22.200.21: icmp
16:46:13.128799 IP 10.22.200.21 > 10.20.10.141: ICMP echo request, id 512, seq 17152, length 1480
16:46:13.128805 IP 10.22.200.21 > 10.20.10.141: icmp
16:46:13.201023 IP 10.20.10.141 > 10.22.200.21: ICMP echo reply, id 512, seq 17152, length 1480
16:46:13.201033 IP 10.20.10.141 > 10.22.200.21: icmp
16:46:26.872047 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: S 579182992:579182992(0) win 16384 <mss 1460,nop,nop,sackOK>
16:46:26.941687 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: S 2118087729:2118087729(0) ack 579182993 win 5840 <mss 1460,nop,nop,sackOK>
16:46:26.941800 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: . ack 1 win 17520
16:46:30.537896 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: S 2118087729:2118087729(0) ack 579182993 win 5840 <mss 1460,nop,nop,sackOK>
16:46:30.538000 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: . ack 1 win 17520
16:46:30.577673 IP 10.20.10.141.54127 > 10.22.200.21.auth: S 2118367383:2118367383(0) win 5840 <mss 1460,sackOK,timestamp 3241333360 0,nop,wscale 0>
16:46:30.577770 IP 10.22.200.21.auth > 10.20.10.141.54127: R 0:0(0) ack 2118367384 win 0
16:46:30.620047 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: P 1:13(12) ack 1 win 5840
16:46:30.620242 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: P 1:7(6) ack 13 win 17508
16:46:33.620543 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: P 1:13(12) ack 1 win 5840
16:46:33.620651 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: . ack 13 win 17508
16:46:33.964246 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: P 1:16(15) ack 13 win 17508
16:46:40.503254 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: P 1:16(15) ack 13 win 17508
16:46:40.538799 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: . ack 16 win 5840
16:46:40.538887 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: P 13:22(9) ack 16 win 5840
16:46:40.539062 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: P 16:28(12) ack 22 win 17499
16:46:46.528977 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: P 13:22(9) ack 16 win 5840
16:46:46.529081 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: . ack 22 win 17499
16:46:53.628188 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: P 16:38(22) ack 22 win 17499
16:47:05.221888 IP 10.22.200.21.vpvc > 10.20.10.141.telnet: P 1633240875:1633240887(12) ack 1931964537 win 17487
16:47:05.266687 IP 10.20.10.141.telnet > 10.22.200.21.vpvc: P 1:66(65) ack 12 win 5840
16:47:05.267008 IP 10.22.200.21.vpvc > 10.20.10.141.telnet: P 12:15(3) ack 66 win 17422
16:47:05.300951 IP 10.20.10.141.telnet > 10.22.200.21.vpvc: P 66:112(46) ack 15 win 5840
16:47:05.301179 IP 10.22.200.21.vpvc > 10.20.10.141.telnet: P 15:18(3) ack 112 win 17376
16:47:05.379114 IP 10.20.10.141.telnet > 10.22.200.21.vpvc: . ack 18 win 5840

-Matthew
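
Added example, not part of the original post: a small Python parser for tcpdump text in the format shown above that lists TCP segments sent more than once by the same side, with the delay since the previous send, which is how the stall shows up in the capture. The embedded lines are excerpted from the capture with wrapped lines rejoined; the function name find_retransmissions is hypothetical.

```python
import re
from datetime import datetime

# Excerpt of the capture in the post above (wrapped lines rejoined).
CAPTURE = """\
16:46:26.941687 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: S 2118087729:2118087729(0) ack 579182993 win 5840 <mss 1460,nop,nop,sackOK>
16:46:30.537896 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: S 2118087729:2118087729(0) ack 579182993 win 5840 <mss 1460,nop,nop,sackOK>
16:46:30.577770 IP 10.22.200.21.auth > 10.20.10.141.54127: R 0:0(0) ack 2118367384 win 0
16:46:30.620047 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: P 1:13(12) ack 1 win 5840
16:46:30.620242 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: P 1:7(6) ack 13 win 17508
16:46:33.620543 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: P 1:13(12) ack 1 win 5840
16:46:33.620651 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: . ack 13 win 17508
16:46:33.964246 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: P 1:16(15) ack 13 win 17508
16:46:40.503254 IP 10.22.200.21.rna-lm > 10.20.10.141.telnet: P 1:16(15) ack 13 win 17508
16:46:40.538887 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: P 13:22(9) ack 16 win 5840
16:46:46.528977 IP 10.20.10.141.telnet > 10.22.200.21.rna-lm: P 13:22(9) ack 16 win 5840
"""

# time, src, dst, flags, seq start, seq end, payload length
SEG = re.compile(r"^(\S+) IP (\S+) > (\S+): (\S+) (\d+):(\d+)\((\d+)\)")

def find_retransmissions(text):
    """Return (time, src, dst, 'start:end', seconds since previous send)."""
    last_sent = {}  # (src, dst, seq start) -> time of the most recent send
    hits = []
    for line in text.splitlines():
        m = SEG.match(line)
        if not m:
            continue  # pure ACKs, ICMP and fragments print no seq range
        ts, src, dst, flags, start, end, length = m.groups()
        if int(length) == 0 and not set(flags) & {"S", "F"}:
            continue  # e.g. a bare RST occupies no sequence space
        # Assumes the capture does not cross midnight (no date in the text).
        when = datetime.strptime(ts, "%H:%M:%S.%f")
        key = (src, dst, int(start))
        if key in last_sent:  # same side resent data from this seq start
            gap = (when - last_sent[key]).total_seconds()
            hits.append((ts, src, dst, f"{start}:{end}", round(gap, 3)))
        last_sent[key] = when
    return hits

if __name__ == "__main__":
    for ts, src, dst, seq, gap in find_retransmissions(CAPTURE):
        print(f"{ts} {src} > {dst} seq {seq} resent after {gap:.3f}s")
```

Both endpoints appear in the result, so segments are being resent in each direction across the tunnel even though the ICMP tests, fragmented ones included, were answered.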


More information about the freebsd-net mailing list