FAST_IPSEC(?) drops packets?

To: tech-net%netbsd.org@localhost
Subject: FAST_IPSEC(?) drops packets?
From: Dave Huang <khym%azeotrope.org@localhost>
Date: Fri, 25 Feb 2011 18:46:59 -0600

I'm seeing a strange problem, but I don't really know where it's comingfrom :( I have a router running NetBSD-current/i386 as of Feb 11, 2011with FAST_IPSEC, but it seems like not every packet that comes in getssent out through the IPsec tunnel.

I ran tcpdump to capture packets on both the internal and externalinterfaces of the router, then had Wireshark decrypt the ESP packets onthe external side and compared the two packet dumps. They match up fineat first, but then:

On the internal IF (10.1.1.66 is a machine on my side of the tunnel,10.2.1.3 is on the other side):


[...]

10.2.1.3 10.1.1.66 TCP rsync > 62564 [PSH, ACK] Seq=4128Ack=79 Win=65471 Len=139810.2.1.3 10.1.1.66 TCP rsync > 62564 [ACK] Seq=5526 Ack=79Win=65471 Len=139810.1.1.66 10.2.1.3 TCP 62564 > rsync [ACK] Seq=84 Ack=6924Win=65532 Len=0*10.1.1.66 10.2.1.3 TCP 62564 > rsync [ACK] Seq=84 Ack=6924Win=65532 Len=1460*10.1.1.66 10.2.1.3 TCP 62564 > rsync [PSH, ACK] Seq=1544Ack=6924 Win=65532 Len=146010.2.1.3 10.1.1.66 TCP rsync > 62564 [PSH, ACK] Seq=6924Ack=79 Win=65471 Len=130010.2.1.3 10.1.1.66 TCP rsync > 62564 [PSH, ACK] Seq=8224Ack=84 Win=65466 Len=139810.1.1.66 10.2.1.3 TCP 62564 > rsync [ACK] Seq=3004 Ack=9622Win=65532 Len=0


Decrypted ESP packets on the external IF:

10.2.1.3 10.1.1.66 TCP rsync > 62564 [PSH, ACK] Seq=4128Ack=79 Win=65471 Len=139810.2.1.3 10.1.1.66 TCP rsync > 62564 [ACK] Seq=5526 Ack=79Win=65471 Len=139810.1.1.66 10.2.1.3 TCP 62564 > rsync [ACK] Seq=84 Ack=6924Win=65532 Len=010.2.1.3 10.1.1.66 TCP rsync > 62564 [PSH, ACK] Seq=6924Ack=79 Win=65471 Len=130010.2.1.3 10.1.1.66 TCP rsync > 62564 [PSH, ACK] Seq=8224Ack=84 Win=65466 Len=139810.1.1.66 10.2.1.3 TCP [TCP Previous segment lost] 62564 >rsync [ACK] Seq=3004 Ack=9622 Win=65532 Len=0

So the router saw those two packets marked with the *, but why didn't itencrypt them and send them out the tunnel?

I had been running 5.1_STABLE with "regular" IPSEC up until Feb 11, anddidn't have any problems. I'm not exactly sure when this startedhappening though, so I'm not certain that the upgrade had anything to dowith it... the tunnel mostly works fine, but occasionally TCPconnections will stall and close.

If there's any more info that would be helpful for figuring out what'sgoing on, let me know :)

Follow-Ups:
- Re: FAST_IPSEC(?) drops packets?
  - From: Dave Huang

Prev by Date: Re: possible bug when deleting a route during if_detach
Next by Date: Re: FAST_IPSEC(?) drops packets?
Previous by Thread: possible bug when deleting a route during if_detach
Next by Thread: Re: FAST_IPSEC(?) drops packets?
Indexes:

Home | Main Index | Thread Index | Old Index