traffic not going through tunnel

Soeren Malchow soeren.malchow at mcon.net
Tue Dec 22 18:20:53 CET 2009


Hi Guus,

thank you for your hint, we tried that, it does not work.

On a regular basis the VPN works. We discovered something new now, and it does not seem to be a problem inside tinc after this discovery.

We have fragmented packets ( UDP )  leaving our external interface, the first fragment reaches the opposite vpn endpoint, the second doesn't. This only happens with very large packets ( the first packet is already 1540 bytes )

	17:37:15.602908 IP (tos 0x0, ttl 48, id 41502, offset 0, flags [+], proto UDP (17), length 1500) XXX.XXX.XXX.XXX.1194 > XXX.XXX.XXX.XXX.1194: UDP, length 1540 
	17:37:15.602930 IP (tos 0x0, ttl 48, id 41502, offset 1480, flags [none], proto UDP (17), length 88) XXX.XXX.XXX.XXX > XXX.XXX.XXX.XXX: udp
 
And we experience this only in one direction as we can see.

We are not sure why this is, but this is the behaviour so far.

Regards
Soeren


On Dec 22, 2009, at 5:16 PM, Guus Sliepen wrote:

> On Tue, Dec 22, 2009 at 05:07:10PM +0100, Soeren Malchow wrote:
> 
>> we have a very strange problem, 
>> 
>> - we have 3 VPN endpoints
>> - all are in one NETWORK
>> - all daemons come up and connect without any problem and normally we have no problem working through the VPN
>> 
>> but in some cases the connection does not work because the traffic leaves the TAP interface on one VPN endpoint but never arrives on the other end, the similarities between the packages seem to be
>> 
>> - the packages are 1500 bytes long ( lower MTU does not solve the problem )
>> - the packages have no checksum
>> 	16:26:25.982932 IP (tos 0x0, ttl 127, id 19831, offset 0, flags [DF], proto TCP (6), length 1500) XXX.XXX.XXX.XXX.443 > XXX.XXX.XXX.XXX.51285: . 512:1960(1448) ack 1200 win 64163 <nop,nop,timestamp 249076008 754904913>
>> 
>> does anyone even have a suggestion where to look, we have no further ideas how to solve that
> 
> Do you use Mode = switch? If so, try adding PMTUDiscovery = yes to the host config files.
> 
> -- 
> Met vriendelijke groet / with kind regards,
>     Guus Sliepen <guus at tinc-vpn.org>
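
Added example (not part of the original message or of tinc): a Python check that reads `tcpdump -v` lines in the format of the two fragment lines above and reports fragmented datagrams that the capture point never saw in full, which is how the loss of the second fragment can be confirmed on the receiving endpoint. The addresses are constructed documentation-range values, and a 20-byte IP header (no options) is assumed.

```python
import re
from collections import defaultdict

# IPv4 header fields as printed by tcpdump -v; a trailing port on src/dst is optional
LINE = re.compile(
    r"id (?P<id>\d+), offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto \w+ \((?P<proto>\d+)\), length (?P<len>\d+)\)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)
IP_HEADER = 20  # assumption: no IP options, so payload = IP length - 20

# Constructed sample: the two fragments from the message, with placeholder addresses
SENDER = [
    "17:37:15.602908 IP (tos 0x0, ttl 48, id 41502, offset 0, flags [+], proto UDP (17), length 1500) 192.0.2.1.1194 > 198.51.100.2.1194: UDP, length 1540",
    "17:37:15.602930 IP (tos 0x0, ttl 48, id 41502, offset 1480, flags [none], proto UDP (17), length 88) 192.0.2.1 > 198.51.100.2: udp",
]
RECEIVER = SENDER[:1]  # constructed: only the first fragment arrives

def incomplete_datagrams(lines):
    """Return {(src, dst, proto, ip_id): reason} for datagrams that cannot be reassembled."""
    frags = defaultdict(list)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        off, more = int(m["off"]), "+" in m["flags"]  # "+" is tcpdump's more-fragments flag
        if off == 0 and not more:
            continue  # unfragmented packet
        key = (m["src"], m["dst"], int(m["proto"]), int(m["id"]))
        frags[key].append((off, int(m["len"]) - IP_HEADER, more))
    problems = {}
    for key, parts in frags.items():
        expected, last_seen, reason = 0, False, None
        for off, size, more in sorted(parts):
            if off > expected:  # hole before this fragment
                reason = f"missing bytes {expected}-{off - 1}"
                break
            expected = max(expected, off + size)
            last_seen = last_seen or not more
        if reason is None and not last_seen:
            reason = f"missing final fragment from offset {expected}"
        if reason:
            problems[key] = reason
    return problems

if __name__ == "__main__":
    for key, why in incomplete_datagrams(RECEIVER).items():
        print(key, why)
```

Feeding it the capture from each endpoint's external interface shows on which side the fragment set stops being complete.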


