dropping UDP packets in openconnect VPN

David Woodhouse dwmw2 at infradead.org
Tue Aug 16 16:53:31 EDT 2011


On Tue, 2011-08-16 at 13:45 -0700, er0ck wrote:
> Hi all.
> 
> I'm having really poor AFS performance over our VPN, and I
> discovered that it seems to be dropping/losing all UDP packets inside
> the VPN tunnel.
> 
> I'm not sure if the VPN connection is TCP or UDP, as I'm not sure
> how I can tell.

If openconnect says 'DTLS connection established' then it's over UDP. If
not, it's over TCP. Running tcpdump on your real Ethernet/wireless and
looking at the traffic between you and the VPN server would confirm.

It *probably* shouldn't matter.

> here is its ifconfig:
> tun0      Link encap:UNSPEC  HWaddr
> 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>           inet addr:<mineIP>  P-t-P:<hostIP>  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1406  Metric:1
>           RX packets:4998 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6518 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:500
>           RX bytes:1747448 (1.6 MiB)  TX bytes:1678564 (1.6 MiB)
> 
> 
> All I know is that it appears to drop all UDP packets if I do a
> traceroute -U to any host inside the VPN.

So if you tcpdump on the tun0 interface, you see your host attempting to
send UDP packets, but you see no responses?

This sounds like it's broken firewalling on the VPN server side, really.
Unless you have a stupid firewall of your own, but tcpdump on tun0 would
eliminate that.

Can you send UDP packets from a host *on* the network, to your VPN IP
address? Do they show up in your tcpdump?

The VPN client doesn't handle anything above the IP layer; it doesn't
even know if it's sending TCP or UDP packets. The issue really can't lie
in the VPN connection itself.

-- 
dwmw2
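
The tcpdump check on tun0 suggested in the reply above can be summarized per peer; this is an added example, not part of the original message or of openconnect. It assumes text output from `tcpdump -nn -i tun0 'udp or icmp'`; the capture lines and the client address 10.8.0.5 are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn -i tun0 'udp or icmp'` text output.
# 10.8.0.5 stands in for the client's VPN address; all values are made up.
SAMPLE = """\
16:50:01.000001 IP 10.8.0.5.40001 > 10.1.2.3.33434: UDP, length 32
16:50:01.050000 IP 10.1.2.3 > 10.8.0.5: ICMP 10.1.2.3 udp port 33434 unreachable, length 68
16:50:02.000001 IP 10.8.0.5.40002 > 10.1.2.4.7000: UDP, length 40
16:50:02.040000 IP 10.1.2.4.7000 > 10.8.0.5.40002: UDP, length 40
16:50:03.000001 IP 10.8.0.5.40003 > 10.1.2.9.7000: UDP, length 40
16:50:04.000001 IP 10.8.0.5.40003 > 10.1.2.9.7000: UDP, length 40
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
UDP_RE = re.compile(rf"IP {IP}\.(\d+) > {IP}\.(\d+): UDP")
UNREACH_RE = re.compile(rf"IP {IP} > {IP}: ICMP .*udp port \d+ unreachable")


def summarize(capture, local_ip):
    """Count, per remote peer, UDP sent by us and any traffic that came back."""
    stats = defaultdict(lambda: {"sent": 0, "udp_replies": 0, "icmp_unreachable": 0})
    for line in capture.splitlines():
        m = UDP_RE.search(line)
        if m:
            src, _, dst, _ = m.groups()
            if src == local_ip:
                stats[dst]["sent"] += 1
            elif dst == local_ip:
                stats[src]["udp_replies"] += 1
            continue
        m = UNREACH_RE.search(line)
        if m and m.group(2) == local_ip:
            # Port-unreachable still counts as a reply: it came back via the tunnel.
            stats[m.group(1)]["icmp_unreachable"] += 1
    return dict(stats)


def silent_peers(capture, local_ip):
    """Peers we sent UDP to on the tunnel interface that never answered."""
    return sorted(
        peer for peer, s in summarize(capture, local_ip).items()
        if s["sent"] and not (s["udp_replies"] or s["icmp_unreachable"])
    )


if __name__ == "__main__":
    print("no response from:", silent_peers(SAMPLE, "10.8.0.5"))
```

A peer listed by `silent_peers` is the case asked about in the reply: the host is seen sending UDP on tun0 and nothing comes back.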



