pfSense Fedora L2TP VPN stops traffic flow on HTTP hit

Issue

I have configured an L2TP VPN on pfSense 21.05-RELEASE (amd64) with Fedora 33 as the client. Once the VPN is connected I can ping the remote host, but as soon as I try to send HTTP traffic the VPN stops passing traffic.

In a tcpdump I can see outgoing traffic but no incoming traffic coming back after the HTTP request; it seems to be something related to packet reassembly.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

2: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet 10.200.200.0 peer 10.200.0.1/32 scope global ppp0
       valid_lft forever preferred_lft forever

14:10:37.880312 IP fedora > b.resolvers.Level3.net: ICMP echo request, id 25, seq 1, length 64
14:10:38.046771 IP b.resolvers.Level3.net > fedora: ICMP echo reply, id 25, seq 1, length 64
14:10:38.880819 IP fedora > b.resolvers.Level3.net: ICMP echo request, id 25, seq 2, length 64
14:10:39.047254 IP b.resolvers.Level3.net > fedora: ICMP echo reply, id 25, seq 2, length 64
14:10:39.880860 IP fedora > b.resolvers.Level3.net: ICMP echo request, id 25, seq 3, length 64
14:10:40.046325 IP b.resolvers.Level3.net > fedora: ICMP echo reply, id 25, seq 3, length 64

14:10:52.048093 IP xcal1.vodafone.co.uk.http > fedora.37900: Flags [.], ack 140, win 123, length 0
14:10:52.050555 IP xcal1.vodafone.co.uk.http > fedora.37900: Flags [.], seq 1:1361, ack 140, win 123, length 1360: HTTP: HTTP/1.1 200 OK
14:10:52.050575 IP fedora.37900 > xcal1.vodafone.co.uk.http: Flags [.], ack 1361, win 502, length 0
14:10:52.050593 IP xcal1.vodafone.co.uk.http > fedora.37900: Flags [.], seq 1361:2721, ack 140, win 123, length 1360: HTTP
14:10:52.050603 IP fedora.37900 > xcal1.vodafone.co.uk.http: Flags [.], ack 2721, win 496, length 0
14:10:52.050605 IP xcal1.vodafone.co.uk.http > fedora.37900: Flags [.], seq 2721:4081, ack 140, win 123, length 1360: HTTP
14:10:52.050608 IP fedora.37900 > xcal1.vodafone.co.uk.http: Flags [.], ack 4081, win 489, length 0
14:10:52.051180 IP xcal1.vodafone.co.uk.http > fedora.37900: Flags [.], seq 4081:5441, ack 140, win 123, length 1360: HTTP
14:10:52.051193 IP fedora.37900 > xcal1.vodafone.co.uk.http: Flags [.], ack 5441, win 481, length 0

14:13:06.781830 IP fedora.38648 > 239.237.117.34.bc.googleusercontent.com.https: Flags [S], seq 684941377, win 65280, options [mss 1360,nop,nop,sackOK,nop,wscale 7], length 0
14:13:32.424321 IP fedora.38650 > 239.237.117.34.bc.googleusercontent.com.https: Flags [S], seq 3466381594, win 65280, options [mss 1360,nop,nop,sackOK,nop,wscale 7], length 0
14:13:32.674485 IP fedora.38652 > 239.237.117.34.bc.googleusercontent.com.https: Flags [S], seq 3214804727, win 65280, options [mss 1360,nop,nop,sackOK,nop,wscale 7], length 0
14:13:33.469787 IP fedora.38650 > 239.237.117.34.bc.googleusercontent.com.https: Flags [S], seq 3466381594, win 65280, options [mss 1360,nop,nop,sackOK,nop,wscale 7], length 0
14:13:33.725967 IP fedora.38652 > 239.237.117.34.bc.googleusercontent.com.https: Flags [S], seq 3214804727, win 65280, options [mss 1360,nop,nop,sackOK,nop,wscale 7], length 0
14:13:35.517903 IP fedora.38650 > 239.237.117.34.bc.googleusercontent.com.https: Flags [S], seq 3466381594, win 65280, options [mss 1360,nop,nop,sackOK,nop,wscale 7], length 0
14:13:35.773924 IP fedora.38652 > 239.237.117.34.bc.googleusercontent.com.https: Flags [S], seq 3214804727, win 65280, options [mss 1360,nop,nop,sackOK,nop,wscale 7], length 0
14:13:39.549856 IP fedora.38650 > 239.237.117.34.bc.googleusercontent.com.https: Flags [S], seq 3466381594, win 65280, options [mss 1360,nop,nop,sackOK,nop,wscale 7], length 0
14:13:39.805863 IP fedora.38652 > 239.237.117.34.bc.googleusercontent.com.https: Flags [S], seq 3214804727, win 65280, options [mss 1360,nop,nop,sackOK,nop,wscale 7], length 0
14:13:47.741806 IP fedora.38650 > 239.237.117.34.bc.googleusercontent.com.https: Flags [S], seq 3466381594, win 65280, options [mss 1360,nop,nop,sackOK,nop,wscale 7], length 0
14:13:48.253781 IP fedora.38652 > 239.237.117.34.bc.googleusercontent.com.https: Flags [S], seq 3214804727, win 65280, options [mss 1360,nop,nop,sackOK,nop,wscale 7], length 0
14:14:04.125969 IP fedora.38650 > 239.237.117.34.bc.googleusercontent.com.https: Flags [S], seq 3466381594, win 65280, options [mss 1360,nop,nop,sackOK,nop,wscale 7], length 0
14:14:04.637813 IP fedora.38652 > 239.237.117.34.bc.googleusercontent.com.https: Flags [S], seq 3214804727, win 65280, options [mss 1360,nop,nop,sackOK,nop,wscale 7], length 0
14:14:36.381831 IP fedora.38650 > 239.237.117.34.bc.googleusercontent.com.https: Flags [S], seq 3466381594, win 65280, options [mss 1360,nop,nop,sackOK,nop,wscale 7], length 0
14:14:36.893792 IP fedora.38652 > 239.237.117.34.bc.googleusercontent.com.https: Flags [S], seq 3214804727, win 65280, options [mss 1360,nop,nop,sackOK,nop,wscale 7], length 0

Solution

There was an issue with the xl2tpd service, which was not in a running state; starting the xl2tpd service fixed the issue.

Answered By – Sonu Jaiswal

This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0
