
[Openvpn-users] VPN comes up but not usable for high traffic

  • Subject: [Openvpn-users] VPN comes up but not usable for high traffic
  • From: Matthias Apitz <m.apitz@xxxxxxxxxxxx>
  • Date: Mon, 5 Mar 2007 10:01:54 +0100


We run the following OpenVPN based installation here:

+----------------+     +---------------+      /  -------> OpenVPN-server
| OpenVPN (SLES) |-----| IPF (FreeBSD) |-----|   <------- OpenVPN-client
+----------------+     +---------------+      \  <------- OpenVPN-client

- we run in our network OpenVPN (OpenVPN 2.0 i686-suse-linux) on top
  of SuSE SLES 8.2
- the firewall is based on FreeBSD 6.1 with IPF 4.1.8; there are sufficient
  IPF and NAT rules to let the UDP traffic for OpenVPN pass;
- the OpenVPN on SLES connects to some master office side as a client
- and some Windows based OpenVPN-clients are connecting to this at
  the same time;

all this runs fine and for a long time already;

some days ago we had to switch the firewall host to a stand-by system
because of a hardware problem in the firewall; the IPF and NAT rules
are really the same (because they are stored CVS-based on a central host
and have been checked out and stored on the stand-by system); the only
difference, and I'm sure about this, is the network cards themselves and
their MAC addrs;

all came up fine again, including the OpenVPN-connections, but:

- while the connection to the other OpenVPN-server did not show
  any problem, the Windows-based OpenVPN-clients had problems;
- they came up fine too and the user could do a ping through the
  tunnel to the inner webserver and could do a
  telnet webserver 80
  GET /
  but could not do a fetch with a real browser (Firefox);

I monitored the traffic with TCPDUMP in the LAN on port 80 and on
the UDP port just outside the firewall: the HTTP traffic could
be seen arriving from the browser and the response sent by the
Apache and leaving the building as UDP
to the client in the VPN tunnel; but somehow it was not arriving
at the client side (I think so because the same big UDP packets
caused by the HTTP output of Apache were sent again and again);

some hours later we switched back to the original firewall and the
problem went away;

what could be the reason for this? I need a solution because without
it our stand-by system is useless :-((

thx for your time reading this mail;


Matthias Apitz
Manager Technical Support - OCLC PICA GmbH
Gruenwalder Weg 28g - 82041 Oberhaching - Germany
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e <m.apitz@xxxxxxxxxxxx> - w http://www.oclcpica.org/ http://guru.UnixLand.de/
b http://gurucubano.blogspot.com/
OCLC PICA GmbH, Geschaeftsfuehrer: Christine Magin-Weeger, Norbert Weinberger
Sitz der Gesellschaft: Oberhaching, HRB Muenchen: 113261
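A check one could script for the symptom described in this message (added here; it is not from the original post nor OpenVPN's own code): parse tcpdump UDP summary lines and flag same-sized datagrams that keep being resent, which is what the author spotted by eye, and report the largest size that went through once against the smallest size that was repeated. The capture lines, addresses and the three-repeat threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (not the author's capture): the OpenVPN
# UDP flow between the firewall's outside address and a Windows client.
# Addresses, ports and timestamps are made up for illustration.
SAMPLE_CAPTURE = """\
10:01:54.100 IP 203.0.113.10.1194 > 198.51.100.7.1194: UDP, length 93
10:01:54.110 IP 198.51.100.7.1194 > 203.0.113.10.1194: UDP, length 121
10:01:54.200 IP 203.0.113.10.1194 > 198.51.100.7.1194: UDP, length 1450
10:01:54.210 IP 203.0.113.10.1194 > 198.51.100.7.1194: UDP, length 1450
10:01:55.400 IP 203.0.113.10.1194 > 198.51.100.7.1194: UDP, length 1450
10:01:57.800 IP 203.0.113.10.1194 > 198.51.100.7.1194: UDP, length 1450
10:01:58.000 IP 198.51.100.7.1194 > 203.0.113.10.1194: UDP, length 61
"""

# Matches the "IP src > dst: UDP, length N" summary that tcpdump prints.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): UDP, length (?P<len>\d+)$"
)


def parse_udp_lines(text):
    """Yield (src, dst, length) for every tcpdump UDP summary line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("len"))


def find_repeated_datagrams(text, min_repeats=3):
    """Return {(src, dst, length): count} for flows in which the same-sized
    datagram shows up at least min_repeats times (a retransmission hint)."""
    counts = Counter(parse_udp_lines(text))
    return {key: n for key, n in counts.items() if n >= min_repeats}


def size_cutoff(text, min_repeats=3):
    """(largest size never repeated, smallest size that kept being resent).
    The gap between the two brackets the datagram size that stops passing."""
    repeated = find_repeated_datagrams(text, min_repeats)
    bad_sizes = {length for (_, _, length) in repeated}
    ok_sizes = {length for (_, _, length) in parse_udp_lines(text)
                if length not in bad_sizes}
    return max(ok_sizes, default=None), min(bad_sizes, default=None)
```

Feed it a real `tcpdump -n udp port 1194` capture taken outside the firewall; if only sizes above some boundary are flagged, the next thing to compare between the two firewall hosts is how each handles datagrams of that size.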