On Thu, 2015-08-06 at 12:29 +0100, David Woodhouse wrote:
> On Thu, 2015-08-06 at 14:18 +0300, Matti Koskimies wrote:
> > 
> > Pinging doesn't work, but I don't expect it to in our network. 
> 
> 
> Oh? Your network is infested by idiot admins who like to block ICMP?
> That's almost certainly relevant.
> 
> > Instead,
> > I used netcat for "port pinging" the ssh port:
> > 
> > $ nc -znvw1 172.24.38.144 22
> > Connection to 172.24.38.144 22 port [tcp/*] succeeded!
> > $
> > 
> > Despite this, the ssh command just hangs.
> 
> This is a typical symptom of the above-mentioned 'idiot admin' 
> problem. If you do a packet capture, do you find that the connection 
> hangs the moment the SSH server wants to send you a full-sized 
> packet? Which presumably doesn't fit through the VPN, so the VPN 
> server sends back an ICMP packet to the server telling it to send a 
> smaller one... and the VPN server never receives it because of the 
> aforementioned idiot admins. So the SSH server just keeps sending the 
> too-large packets, which never get through.
>  
> You normally get away with this when you are connecting directly from
> the VPN client host (as opposed to a virtual machine running 
> thereon). Because the TCP connection setup will indicate an MSS value 
> which *will* fit in the MTU for the immediately local connection.
> 
> Can you show that packet capture? And try *reducing* your MTU on the
> VPN interface (tun0) and see if that works?
> 
> And go and punch one of the idiots for me.


:) I just might do that...

The MTU value of the tun0 device created when using openconnect on the
command line was 1200. It was 1500 for the vpn0 device created using
network-manager-openconnect. So I reduced the mtu value to 1200 and
voilà, everything works fine! Can I somehow make this setting
permanent?

-- 
Matti K
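
An added illustration (not part of the original thread and not openconnect code): a small Python model of the path-MTU black hole discussed above, showing why small packets and the `nc` check get through while a full-sized segment hangs. The 1200 and 1500 MTUs are the values from the message; the server MTU, the 40-byte header overhead and the payload sizes are assumptions.

```python
IP_TCP_HEADERS = 40  # assumed: 20-byte IPv4 header + 20-byte TCP header, no options


def advertised_mss(interface_mtu):
    """MSS a host announces in its SYN, derived from its local interface MTU."""
    return interface_mtu - IP_TCP_HEADERS


def server_to_client(client_if_mtu, tunnel_mtu, icmp_delivered,
                     payload, server_if_mtu=1500):
    """Model the server sending `payload` bytes to the client through the VPN.

    Returns (outcome, sizes of the IP packets that made it through).
    """
    mss = min(advertised_mss(client_if_mtu), advertised_mss(server_if_mtu))
    delivered, sent = [], 0
    while sent < payload:
        segment = min(mss, payload - sent)
        packet = segment + IP_TCP_HEADERS
        if packet > tunnel_mtu:
            # TCP sets "don't fragment", so the VPN endpoint drops the packet
            # and answers with ICMP "fragmentation needed".
            if not icmp_delivered:
                # The sender never learns the limit and keeps retransmitting
                # the same oversized packet: the connection hangs.
                return "hang", delivered
            mss = tunnel_mtu - IP_TCP_HEADERS  # sender lowers its path MTU
            continue
        delivered.append(packet)
        sent += segment
    return "ok", delivered


if __name__ == "__main__":
    # Constructed scenarios; the tunnel is assumed to carry at most 1200 bytes.
    cases = [
        ("vpn0 mtu 1500, ICMP blocked, small reply", 1500, False, 100),
        ("vpn0 mtu 1500, ICMP blocked, bulk data", 1500, False, 4000),
        ("vpn0 mtu 1200, ICMP blocked, bulk data", 1200, False, 4000),
        ("vpn0 mtu 1500, ICMP allowed, bulk data", 1500, True, 4000),
    ]
    for label, if_mtu, icmp, size in cases:
        print(label, "->", server_to_client(if_mtu, 1200, icmp, size))
```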

