On 11/1/05, Jez Rogers <jezndi@xxxxxxxxxxx> wrote:
> Giancarlo Razzolini wrote:
>
> > Where 300 is in seconds. This means that any peer has 5 minutes to
> > complete the handshake. I believe that this problem can happen too with
> > other connectivity problems, as mtu, etc. Try increasing the hand-window
> > and see what happens. If it doesn't work, check your connection for any
> > mtu problems (try to transfer a big file, and see if there is any
> > fragmentation, or lost packets).
> >
>
> Connection seems fine. Using ssh I transferred a 9 meg tar file in just
> over a minute. Same file gzipped to 1.9 meg took 5 seconds less. ( DSL
> lines at 25KB/S )

I have to point out that ssh is TCP and you don't have problems when
you are using TCP.

> Upped the hand-window to 300 - no effect other than a time out after 300
> seconds.
>
> There does seem to be some sort of issue with firewalls going on.
>
> Client 1 is on the local lan to the server - this client is still
> connecting OK.
>
> Client 2 has a Zyxel router using NAT with a fixed IP. Can't connect.
>
> Client 3 has same router, no NAT, IP cop firewall fixed IP can't connect.
>
> Server has IP cop firewall, zyxel router, NAT, fixed IP, Internal red
> network.

Are you stating that there is an IPCop firewall, and a Zyxel router
between the server and Internet? Is NAT done once or twice if this is
so?

> Client 2 sees UDP packets on the outgoing port coming from the server IP
> all over the firewall log.
>
> All had been working fine today, but this evening I plugged in another
> machine behind client2 firewall and initiated a connection to the server
> - at that point the rot set in. Having stopped both clients (behind
> client 2) and the server, waited 10 minutes and restarted it all,
> client1 is still connecting, 2 (only 1 off this time ) and 3 are not.
>
> Switching off client 3 and restarting server/client 2 seems to have
> restored the status quo. It now works again. Either that or having
> briefly switched over to TCP somehow forces something to come to its
> senses somewhere.
>

I know it's a pain because the packets are encrypted (and UDP), but
have you tried a packet capture at each end to look for dropped
packets?

--
Leonard Isham, CISSP
Ostendo non ostento.

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
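
Added example, not part of the original thread: one way to act on the packet-capture suggestion above. The OpenVPN opcode sits unencrypted in the high 5 bits of the first payload byte, and NAT rewrites addresses and ports but not UDP payloads, so payloads captured at each end can be matched by hash to show which direction loses handshake packets. The capture dictionaries, payload bytes and function names are constructed for illustration; extracting UDP payloads from the capture files is assumed to be done beforehand.

```python
import hashlib
from collections import Counter

# OpenVPN opcodes: high 5 bits of the first payload byte (low 3 bits are key_id).
OPCODES = {
    1: "HARD_RESET_CLIENT_V1", 2: "HARD_RESET_SERVER_V1", 3: "SOFT_RESET_V1",
    4: "CONTROL_V1", 5: "ACK_V1", 6: "DATA_V1",
    7: "HARD_RESET_CLIENT_V2", 8: "HARD_RESET_SERVER_V2", 9: "DATA_V2",
}

def opcode_name(payload):
    """Name the OpenVPN packet type from the clear-text first byte."""
    if not payload:
        return "EMPTY"
    return OPCODES.get(payload[0] >> 3, "UNKNOWN")

def lost_packets(sent, received):
    """Opcode names of payloads seen leaving one end but never arriving at the other.

    Matching is by SHA-256 of the UDP payload, so address/port rewriting by NAT
    does not matter. A Counter keeps byte-identical retransmissions distinct.
    """
    remaining = Counter(hashlib.sha256(p).digest() for p in received)
    lost = []
    for p in sent:
        digest = hashlib.sha256(p).digest()
        if remaining[digest] > 0:
            remaining[digest] -= 1
        else:
            lost.append(opcode_name(p))
    return lost

def diagnose(client_cap, server_cap):
    """Each capture is {'tx': [payload, ...], 'rx': [payload, ...]} as seen on that host."""
    return {
        "client_to_server_lost": lost_packets(client_cap["tx"], server_cap["rx"]),
        "server_to_client_lost": lost_packets(server_cap["tx"], client_cap["rx"]),
    }

# Constructed sample payloads: only the first byte follows the real format.
CLIENT_RESET = bytes([7 << 3]) + b"\x11" * 8 + b"\x00" * 5
SERVER_RESET = bytes([8 << 3]) + b"\x22" * 8 + b"\x00" * 5

# Constructed scenario: the client retries three times, one retry is dropped on
# the way in, and none of the server's replies make it back through the NAT.
CLIENT_CAP = {"tx": [CLIENT_RESET] * 3, "rx": []}
SERVER_CAP = {"tx": [SERVER_RESET] * 3, "rx": [CLIENT_RESET] * 2}

if __name__ == "__main__":
    for direction, names in diagnose(CLIENT_CAP, SERVER_CAP).items():
        print(direction, names)
```

If every server reply is missing at the client while client packets arrive at the server, the return path through the client-side NAT or firewall is the place to look.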