Re: [pfSense-discussion] Strange 2.0-RC3 behaviour with Lotus Domino
Which kind of OVPN: site to site or road warrior? With PF 1.2.2 or 2.0? -- Odette Nsaka odette.ns...@libero.it Il giorno ven, 26/08/2011 alle 10.29 +0530, A Mohan Rao ha scritto: Could u pls guide me how i configure open vpn.. On 8/26/11, Odette Nsaka odette.ns...@libero.it wrote: It's a lot of time I'm using PF and I really appreciate it. Guys you are doing a very good job. I'm successfully using PF 2.0-RC3, even on Alix (embedded) and installed on PC, with ipsec vpn, OVPN, carp for failover, WiFi, WAN in load balancing on 2 different ADSL lines, etc. Everything is working really fine. But a few days ago I encountered a problem that I cannot understand and resolve: I've been upgrading a couple of PF installed on pc (configured in failover with CARP, 5 nics) from release 1.2.3 to 2.0-RC3. In version 1.2.3 and all the previous updates have everything been working fine. After the upgrade to 2.0-RC3 I had just one problem, but because of this I had to revert to 1.2.3. Here is the problem. After the upgrade to version 2.0-RC3 every protocol has been filtered by PF as expected. But the SMTP traffic from the e-mail provider mta (postfix) to the internal MailReley server had a strange behaviour. On the internal mail relay I saw the connection estabilished from the provider mta, but at the moment of receiving the the mail body the connection hanged up and reset at timeout. Just small e-mails, sent as a test by the provider, have been successfully delivered. Reverting to 1.2.3 everything works fine again. An inspection to the traffic, made through a mirror port on the switch (verified sniffing directly on PF) shows the different behaviours reported below. Here are the data captured with 2.0-RC3, related to an attempt of the MTA to send an e-mail messages to the internal mail relay. 226970 684.515289 ProviderMtaIp - MyMailRelayIp TCP 57715 smtp [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=68980421 TSER=0 WS=7 226971 684.515768 MyMailRelayIp - ProviderMtaIp TCP smtp 57715 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0 226973 684.526527 ProviderMtaIp - MyMailRelayIp TCP 57715 smtp [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=68980427 TSER=0 226977 684.529562 MyMailRelayIp - ProviderMtaIp SMTP S: 220 mail.mycompany.com ESMTP Service (Lotus Domino Release 8.5.1FP2) ready at Wed, 27 Jul 2011 12:52:04 +0200 226978 684.537048 ProviderMtaIp - MyMailRelayIp TCP 57715 smtp [ACK] Seq=1 Ack=110 Win=5888 Len=0 TSV=68980443 TSER=625882 226979 684.537070 ProviderMtaIp - MyMailRelayIp SMTP C: EHLO fedora.provider.org 226980 684.537868 MyMailRelayIp - ProviderMtaIp SMTP S: 250-mail.mycompany.com Hello fedora.provider.org ([ProviderMtaIp]), pleased to meet you | 250-TLS | 250-ETRN | 250-STARTTLS | 250-DSN | 250-SIZE 18432000 | 250 PIPELINING 226992 684.551654 ProviderMtaIp - MyMailRelayIp SMTP C: MAIL FROM:user@domain SIZE=86045 | RCPT TO:user@domain | DATA 226996 684.552697 MyMailRelayIp - ProviderMtaIp SMTP S: 250 user@domain Sender OK | 250 user@domain Recipient OK | 354 Enter message, end with . on a line by itself 227503 686.321903 MyMailRelayIp - ProviderMtaIp SMTP [TCP Retransmission] S: 250 user@domain Sender OK | 250 user@domain Recipient OK | 354 Enter message, end with . on a line by itself 227505 686.329892 ProviderMtaIp - MyMailRelayIp TCP [TCP Previous segment lost] 57715 smtp [ACK] Seq=3001 Ack=404 Win=8064 Len=0 TSV=68982235 TSER=625901 SLE=274 SRE=404 343904 1013.873824 MyMailRelayIp - ProviderMtaIp TCP smtp 57715 [FIN, ACK] Seq=404 Ack=105 Win=64136 Len=0 TSV=629175 TSER=68980454 343909 1013.883338 ProviderMtaIp - MyMailRelayIp TCP 57715 smtp [RST] Seq=105 Win=0 Len=0 As I can see the traffic between the provider's MTA and the mai relay starts and, initially it goes on, but packet ID 226996 get lost, then retransmitted (227503) and acknowledged by ProviderMtaIp but with a grater Seq. number. It looks like the mail data packets have been lost. Then, after about 5 min. the connection reaches the time out, mail relay sends a FIN request and the ProviderMtaIp resets the connection. On PF's logs there's nothing about dropped packets related to the connection. Here's, what happens reverting to 1.2.3 (everything works fine). ... 19377 46.958958 ProviderMtaIp - MyMailRelayIp SMTP C: MAIL FROM:user@domain SIZE=56892 | RCPT TO:user@domain | DATA 19378 46.960259 MyMailRelayIp - ProviderMtaIp SMTP S: 250 user@domain Sender OK | 250 user@domain Recipient OK | 354 Enter message, end
Re: [pfSense-discussion] Strange 2.0-RC3 behaviour with Lotus Domino
Could u pls guide me how i configure open vpn.. On 8/26/11, Odette Nsaka odette.ns...@libero.it wrote: It's a lot of time I'm using PF and I really appreciate it. Guys you are doing a very good job. I'm successfully using PF 2.0-RC3, even on Alix (embedded) and installed on PC, with ipsec vpn, OVPN, carp for failover, WiFi, WAN in load balancing on 2 different ADSL lines, etc. Everything is working really fine. But a few days ago I encountered a problem that I cannot understand and resolve: I've been upgrading a couple of PF installed on pc (configured in failover with CARP, 5 nics) from release 1.2.3 to 2.0-RC3. In version 1.2.3 and all the previous updates have everything been working fine. After the upgrade to 2.0-RC3 I had just one problem, but because of this I had to revert to 1.2.3. Here is the problem. After the upgrade to version 2.0-RC3 every protocol has been filtered by PF as expected. But the SMTP traffic from the e-mail provider mta (postfix) to the internal MailReley server had a strange behaviour. On the internal mail relay I saw the connection estabilished from the provider mta, but at the moment of receiving the the mail body the connection hanged up and reset at timeout. Just small e-mails, sent as a test by the provider, have been successfully delivered. Reverting to 1.2.3 everything works fine again. An inspection to the traffic, made through a mirror port on the switch (verified sniffing directly on PF) shows the different behaviours reported below. Here are the data captured with 2.0-RC3, related to an attempt of the MTA to send an e-mail messages to the internal mail relay. 226970 684.515289 ProviderMtaIp - MyMailRelayIp TCP 57715 smtp [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=68980421 TSER=0 WS=7 226971 684.515768 MyMailRelayIp - ProviderMtaIp TCP smtp 57715 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0 226973 684.526527 ProviderMtaIp - MyMailRelayIp TCP 57715 smtp [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=68980427 TSER=0 226977 684.529562 MyMailRelayIp - ProviderMtaIp SMTP S: 220 mail.mycompany.com ESMTP Service (Lotus Domino Release 8.5.1FP2) ready at Wed, 27 Jul 2011 12:52:04 +0200 226978 684.537048 ProviderMtaIp - MyMailRelayIp TCP 57715 smtp [ACK] Seq=1 Ack=110 Win=5888 Len=0 TSV=68980443 TSER=625882 226979 684.537070 ProviderMtaIp - MyMailRelayIp SMTP C: EHLO fedora.provider.org 226980 684.537868 MyMailRelayIp - ProviderMtaIp SMTP S: 250-mail.mycompany.com Hello fedora.provider.org ([ProviderMtaIp]), pleased to meet you | 250-TLS | 250-ETRN | 250-STARTTLS | 250-DSN | 250-SIZE 18432000 | 250 PIPELINING 226992 684.551654 ProviderMtaIp - MyMailRelayIp SMTP C: MAIL FROM:user@domain SIZE=86045 | RCPT TO:user@domain | DATA 226996 684.552697 MyMailRelayIp - ProviderMtaIp SMTP S: 250 user@domain Sender OK | 250 user@domain Recipient OK | 354 Enter message, end with . on a line by itself 227503 686.321903 MyMailRelayIp - ProviderMtaIp SMTP [TCP Retransmission] S: 250 user@domain Sender OK | 250 user@domain Recipient OK | 354 Enter message, end with . on a line by itself 227505 686.329892 ProviderMtaIp - MyMailRelayIp TCP [TCP Previous segment lost] 57715 smtp [ACK] Seq=3001 Ack=404 Win=8064 Len=0 TSV=68982235 TSER=625901 SLE=274 SRE=404 343904 1013.873824 MyMailRelayIp - ProviderMtaIp TCP smtp 57715 [FIN, ACK] Seq=404 Ack=105 Win=64136 Len=0 TSV=629175 TSER=68980454 343909 1013.883338 ProviderMtaIp - MyMailRelayIp TCP 57715 smtp [RST] Seq=105 Win=0 Len=0 As I can see the traffic between the provider's MTA and the mai relay starts and, initially it goes on, but packet ID 226996 get lost, then retransmitted (227503) and acknowledged by ProviderMtaIp but with a grater Seq. number. It looks like the mail data packets have been lost. Then, after about 5 min. the connection reaches the time out, mail relay sends a FIN request and the ProviderMtaIp resets the connection. On PF's logs there's nothing about dropped packets related to the connection. Here's, what happens reverting to 1.2.3 (everything works fine). ... 19377 46.958958 ProviderMtaIp - MyMailRelayIp SMTP C: MAIL FROM:user@domain SIZE=56892 | RCPT TO:user@domain | DATA 19378 46.960259 MyMailRelayIp - ProviderMtaIp SMTP S: 250 user@domain Sender OK | 250 user@domain Recipient OK | 354 Enter message, end with . on a line by itself 19386 46.971715 ProviderMtaIp - MyMailRelayIp SMTP C: DATA fragment, 1248 bytes 19387 46.974048 ProviderMtaIp - MyMailRelayIp SMTP C: DATA fragment, 1248 bytes 19388 46.974082 ProviderMtaIp - MyMailRelayIp
