[Openswan Users] 1.0.8, strange problem with pings
Dmitry Melekhov
dm at belkam.com
Wed May 18 13:51:09 CEST 2005
Paul Wouters wrote:
> On Wed, 18 May 2005, Dmitry Melekhov wrote:
>
>> Very strange problem is that main host sometimes does not pass icmps
>> from ipsecX to ethX.
>>
>> Schema is following
>>
>> 192.168.22.220 ---main LAN <----eth0(192.168.22.203)
>> ipsec2(eth2)(172.16.4.2) -------> <---eth0(ipsec0)(172.16.4.20)--eth1
>> (192.168.111.1)-->LAN
>>
>> Here is what I get:
>>
>> on 192.168.22.220:
>>
>> vader:~ # ping 192.168.111.1
>> PING 192.168.111.1 (192.168.111.1) from 192.168.22.220 : 56(84) bytes
>> of data.
>>
>> --- 192.168.111.1 ping statistics ---
>> 5 packets transmitted, 0 received, 100% loss, time 4043ms
>
>
> Is your link perhaps congested?
> Is there an icmp rate limit in the firewall?
No.
>
>> But other (not icmp) traffic works OK:
>>
>> from 192.168.22.220:vader:~ # ssh 192.168.111.1
>
>
> But ssh will do its own retransmits, so you wouldn't see it like this if
> some packets are dropped. You'd have to run tcpdump to see if you are
> retransmitting lost packets.
There are no retransmissions.
Again, if I ping from one host all is ok, if I ping from another packets
are in ipsecX, but not in ethX...
100% reproducible until ipsec restart, after restart another host can't
ping...
>
>> btw, sometimes this problem can be solved by restarting ipsec, but
>> only for some time...
>
>
> I would think this is more likely a link problem than a software
> problem at this point.
Unfortunately this is a software problem, I'm sure..