[Openswan Users] 1.0.8, strange problem with pings

Paul Wouters paul at xelerance.com
Wed May 18 10:48:17 CEST 2005


On Wed, 18 May 2005, Dmitry Melekhov wrote:

> Very strange problem is that main host sometimes does not pass icmps from
> ipsecX to ethX.
>
> Schema is as follows:
>
> 192.168.22.220 ---main LAN <----eth0(192.168.22.203) ipsec2(eth2)(172.16.4.2) -------> <---eth0(ipsec0)(172.16.4.20)--eth1 (192.168.111.1)-->LAN
>
> Here is what I get:
>
> on 192.168.22.220:
>
> vader:~ # ping 192.168.111.1
> PING 192.168.111.1 (192.168.111.1) from 192.168.22.220 : 56(84) bytes of data.
>
> --- 192.168.111.1 ping statistics ---
> 5 packets transmitted, 0 received, 100% loss, time 4043ms

Is your link perhaps congested?
Is there an ICMP rate limit in the firewall?

> But other (not icmp) traffic works OK:
>
> from 192.168.22.220:
> vader:~ # ssh 192.168.111.1

But ssh will do its own retransmits, so you wouldn't see it like this if
some packets are dropped. You'd have to run tcpdump to see if you are
retransmitting lost packets.

> btw, sometimes this problem can be solved by restarting ipsec, but only for 
> some time...

I would think this is more likely a link problem than a software problem at
this point.

Paul
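
The tcpdump check suggested above, as an added example that is not part of the original message: a small parser that flags TCP data segments whose sequence range is sent more than once on the same flow. It assumes the text format printed by current tcpdump releases (`tcpdump -n -tt tcp port 22`); the sample lines, ports and timestamps are constructed, and only the two host addresses come from the thread.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -tt tcp port 22` output, not a real capture.
SAMPLE = """\
1116406097.100000 IP 192.168.22.220.40000 > 192.168.111.1.22: Flags [P.], seq 1:49, ack 1, win 229, length 48
1116406097.140000 IP 192.168.111.1.22 > 192.168.22.220.40000: Flags [.], ack 49, win 227, length 0
1116406097.200000 IP 192.168.22.220.40000 > 192.168.111.1.22: Flags [P.], seq 49:97, ack 1, win 229, length 48
1116406097.420000 IP 192.168.22.220.40000 > 192.168.111.1.22: Flags [P.], seq 49:97, ack 1, win 229, length 48
1116406097.860000 IP 192.168.22.220.40000 > 192.168.111.1.22: Flags [P.], seq 49:97, ack 1, win 229, length 48
1116406097.900000 IP 192.168.111.1.22 > 192.168.22.220.40000: Flags [.], ack 97, win 227, length 0
"""

# Matches only segments that print a "seq start:end" range, i.e. ones carrying data.
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[[^\]]*\],"
    r" seq (?P<start>\d+):(?P<end>\d+),.* length (?P<len>\d+)"
)

def find_retransmissions(text):
    """Return (timestamp, flow, seq_start, seq_end) for each data segment whose
    exact sequence range was already seen on the same src -> dst flow.
    Partially overlapping ranges are not detected by this simple check."""
    seen = set()
    repeats = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or int(m["len"]) == 0:
            continue  # pure ACKs and unparsed lines carry no data
        flow = (m["src"], m["dst"])
        key = (flow, int(m["start"]), int(m["end"]))
        if key in seen:
            repeats.append((float(m["ts"]), flow, key[1], key[2]))
        else:
            seen.add(key)
    return repeats

def retransmissions_per_flow(text):
    """Count repeated segments per (src, dst) flow."""
    return Counter(flow for _, flow, _, _ in find_retransmissions(text))

if __name__ == "__main__":
    for ts, (src, dst), start, end in find_retransmissions(SAMPLE):
        print(f"{ts:.6f} retransmit {src} -> {dst} seq {start}:{end}")
```

Repeats showing up in only one direction across the tunnel point at loss on that path, which an interactive ssh session hides because TCP recovers from it.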

