I'm probably doing something incredibly stupid, but I just can't figure out what. Here's what I'm trying to accomplish: I want remote users to be able to log in to our network, so I set up a Windows 2008 Server as a VPN server inside a VM on XenCenter. Let's call it Benjamin. It's also doubling as a file server.
What works so far:
- Remote VPN login with Mac, Windows and iOS clients
- Access to the file shares on Benjamin
- Pinging all hosts on the local network and on the Internet, even with large packets (> 1000 bytes)
What doesn't:
I can't establish any TCP connection (SSH, HTTP, ...) to hosts on the local network other than Benjamin itself. In Wireshark, I can see the SYNs and the SYN-ACKs on the client and on the computer I'm trying to reach, but there is never an ACK. (Funnily enough, in the Wireshark logs I get some DUP ACKs for some reason - and they go exactly the wrong way round from how it should be. I have no idea why.)
There was a problem before with even pinging anything other than Benjamin, but I solved that by disabling IP checksum offloading on Benjamin (somehow it didn't work and so the packets were dropped).
I tried setting really small MTUs on my client, setting the gateway to Benjamin on the computer in the internal network, and many other things, but nothing helped.
I suspect it's some kind of routing problem, but those ACKs are nowhere to be found. Any ideas? Where should I investigate further? Thanks in advance!
Update:
Strange thing I just found out: when I try to ssh from the internal network to the VPN client, the client gets the SYN (I see it in Wireshark), but, again, it never responds. I have a feeling there has to be some configuration problem on the clients, but on all of them? And what could it be? There is no firewall and, according to Wireshark, the packet looks valid (checksum and all). Does anyone know why it wouldn't respond to either a SYN or a SYN-ACK, when there is no firewall that could throw those packets away?
Update 2:
To add to the confusion, I just confirmed that using netcat and UDP, everything works correctly, in both directions (nc listening on the internal network host and on the VPN client). Maybe TCP just doesn't like me anymore?
Here is some more information:
Local net: 172.17.0.0/16
Router: 172.17.0.1 (Port Forwarding TCP 1701, UDP 500 and 4500)
XenServer: 172.17.0.10
Benjamin: 172.17.1.1
VPN DHCP range: 172.17.7.1..240
Wireshark log on the client (172.17.7.2 when on the VPN):
No. Time Source Destination Protocol Length Info
1 0.000000 172.17.4.4 172.17.7.2 TCP 68 ssh > 61653 [SYN, ACK] Seq=0 Ack=0 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641695654 TSecr=440887504 SACK_PERM=1
Frame 1: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61653 (61653), Seq: 0, Ack: 0, Len: 0
No. Time Source Destination Protocol Length Info
2 5.337197 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887658 TSecr=0 SACK_PERM=1
Frame 2: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
3 5.479947 172.17.4.4 172.17.7.2 TCP 68 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641701208 TSecr=440887658 SACK_PERM=1
Frame 3: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 0, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
4 6.256638 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887667 TSecr=0 SACK_PERM=1
Frame 4: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
5 6.449901 172.17.4.4 172.17.7.2 TCP 56 [TCP Dup ACK 3#1] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641702152 TSecr=440887667
Frame 5: 56 bytes on wire (448 bits), 56 bytes captured (448 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
6 6.609908 172.17.4.4 172.17.7.2 TCP 68 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641702305 TSecr=440887667 SACK_PERM=1
Frame 6: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 0, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
7 7.258316 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887677 TSecr=0 SACK_PERM=1
Frame 7: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
8 7.450032 172.17.4.4 172.17.7.2 TCP 56 [TCP Dup ACK 6#1] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641703139 TSecr=440887677
Frame 8: 56 bytes on wire (448 bits), 56 bytes captured (448 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
9 8.259938 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887687 TSecr=0 SACK_PERM=1
Frame 9: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
10 8.490122 172.17.4.4 172.17.7.2 TCP 56 [TCP Dup ACK 6#2] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641704143 TSecr=440887687
Frame 10: 56 bytes on wire (448 bits), 56 bytes captured (448 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
11 9.249943 172.17.4.4 172.17.7.2 TCP 68 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641704904 TSecr=440887687 SACK_PERM=1
Frame 11: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 0, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
12 9.261766 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887697 TSecr=0 SACK_PERM=1
Frame 12: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
13 9.430047 172.17.4.4 172.17.7.2 TCP 56 [TCP Dup ACK 11#1] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641705119 TSecr=440887697
Frame 13: 56 bytes on wire (448 bits), 56 bytes captured (448 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
14 10.263852 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887707 TSecr=0 SACK_PERM=1
Frame 14: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
15 10.439839 172.17.4.4 172.17.7.2 TCP 56 [TCP Dup ACK 11#2] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641706132 TSecr=440887707
Frame 15: 56 bytes on wire (448 bits), 56 bytes captured (448 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
16 12.267344 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887727 TSecr=0 SACK_PERM=1
Frame 16: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
17 12.469629 172.17.4.4 172.17.7.2 TCP 56 [TCP Dup ACK 11#3] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641708126 TSecr=440887727
Frame 17: 56 bytes on wire (448 bits), 56 bytes captured (448 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
18 16.719912 172.17.4.4 172.17.7.2 TCP 68 ssh > 61653 [SYN, ACK] Seq=0 Ack=0 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641712353 TSecr=440887504 SACK_PERM=1
Frame 18: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61653 (61653), Seq: 0, Ack: 0, Len: 0
No. Time Source Destination Protocol Length Info
19 21.679611 172.17.4.4 172.17.7.2 TCP 68 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641717388 TSecr=440887727 SACK_PERM=1
Frame 19: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 0, Ack: 1, Len: 0
Wireshark log on the computer in the local network (172.17.4.4):
No. Time Source Destination Protocol Length Info
1 0.000000 172.17.7.2 172.17.4.4 TCP 78 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887658 TSecr=0 SACK_PERM=1
Frame 1: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec), Dst: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff)
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
2 0.000102 172.17.4.4 172.17.7.2 TCP 78 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641701208 TSecr=440887658 SACK_PERM=1
Frame 2: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 0, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
3 0.950403 172.17.7.2 172.17.4.4 TCP 78 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887667 TSecr=0 SACK_PERM=1
Frame 3: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec), Dst: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff)
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
4 0.950567 172.17.4.4 172.17.7.2 TCP 66 [TCP Dup ACK 2#1] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641702152 TSecr=440887667
Frame 4: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
5 1.104130 172.17.4.4 172.17.7.2 TCP 78 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641702305 TSecr=440887667 SACK_PERM=1
Frame 5: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 0, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
6 1.940779 172.17.7.2 172.17.4.4 TCP 78 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887677 TSecr=0 SACK_PERM=1
Frame 6: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec), Dst: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff)
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
7 1.940962 172.17.4.4 172.17.7.2 TCP 66 [TCP Dup ACK 5#1] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641703139 TSecr=440887677
Frame 7: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
8 2.950009 172.17.7.2 172.17.4.4 TCP 78 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887687 TSecr=0 SACK_PERM=1
Frame 8: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec), Dst: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff)
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
9 2.950198 172.17.4.4 172.17.7.2 TCP 66 [TCP Dup ACK 5#2] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641704143 TSecr=440887687
Frame 9: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
10 3.714242 172.17.4.4 172.17.7.2 TCP 78 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641704904 TSecr=440887687 SACK_PERM=1
Frame 10: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 0, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
11 3.929627 172.17.7.2 172.17.4.4 TCP 78 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887697 TSecr=0 SACK_PERM=1
Frame 11: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec), Dst: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff)
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
12 3.929819 172.17.4.4 172.17.7.2 TCP 66 [TCP Dup ACK 10#1] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641705119 TSecr=440887697
Frame 12: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
13 4.949931 172.17.7.2 172.17.4.4 TCP 78 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887707 TSecr=0 SACK_PERM=1
Frame 13: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec), Dst: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff)
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
14 4.950122 172.17.4.4 172.17.7.2 TCP 66 [TCP Dup ACK 10#2] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641706132 TSecr=440887707
Frame 14: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
15 6.950093 172.17.7.2 172.17.4.4 TCP 78 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887727 TSecr=0 SACK_PERM=1
Frame 15: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec), Dst: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff)
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
16 6.950281 172.17.4.4 172.17.7.2 TCP 66 [TCP Dup ACK 10#3] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641708126 TSecr=440887727
Frame 16: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
17 7.955752 172.17.4.4 172.17.7.2 TCP 78 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641709126 TSecr=440887727 SACK_PERM=1
Frame 17: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 0, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
18 11.196585 172.17.4.4 172.17.7.2 TCP 78 ssh > 61653 [SYN, ACK] Seq=0 Ack=0 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641712353 TSecr=440887504 SACK_PERM=1
Frame 18: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61653 (61653), Seq: 0, Ack: 0, Len: 0
No. Time Source Destination Protocol Length Info
19 16.252632 172.17.4.4 172.17.7.2 TCP 78 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641717388 TSecr=440887727 SACK_PERM=1
Frame 19: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 0, Ack: 1, Len: 0
Potentially related Server Fault questions that haven't helped me so far:
PPTP gateway routes icmp but not http
SNAT through Racoon IPSec VPN
Linux fails to interpret the ACK, keeps resending SYN + ACK
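
An added example, not part of the original question: one way to reduce a Wireshark packet-list text export like the two above to a per-flow handshake summary, so a stalled three-way handshake and the direction of the stray ACKs show up at a glance. The function names `summarize_handshakes` and `verdict` are hypothetical; the sample lines are the first five summary lines of the client-side capture in the post, with the TCP options trimmed.

```python
import re
from collections import defaultdict

# One summary line of Wireshark's packet-list text export, in the layout shown in the post.
LINE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?:\[[^\]]*\]\s+)*"  # optional analysis tags such as [TCP Dup ACK 3#1]
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[A-Z, ]+)\]"
)

# First five summary lines of the client-side capture in the post,
# with the TCP options after Seq/Ack trimmed.
SAMPLE = """\
1 0.000000 172.17.4.4 172.17.7.2 TCP 68 ssh > 61653 [SYN, ACK] Seq=0 Ack=0
2 5.337197 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0
3 5.479947 172.17.4.4 172.17.7.2 TCP 68 ssh > 61655 [SYN, ACK] Seq=0 Ack=1
4 6.256638 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0
5 6.449901 172.17.4.4 172.17.7.2 TCP 56 [TCP Dup ACK 3#1] ssh > 61655 [ACK] Seq=1 Ack=1
"""


def summarize_handshakes(text):
    """Return {(initiator, iport, responder, rport): counters} for each TCP flow."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0,
                                 "ack_from_initiator": 0, "ack_from_responder": 0})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # detail lines ("Frame 1: ...", "Point-to-Point Protocol") are skipped
        flags = {f.strip() for f in m["flags"].split(",")}
        fwd = (m["src"], m["sport"], m["dst"], m["dport"])
        rev = (m["dst"], m["dport"], m["src"], m["sport"])
        if flags == {"SYN"}:
            flows[fwd]["syn"] += 1          # a bare SYN is sent by the initiator
        elif flags == {"SYN", "ACK"}:
            flows[rev]["synack"] += 1       # the SYN-ACK sender is the responder
        elif "ACK" in flags and "SYN" not in flags:
            if fwd in flows:
                flows[fwd]["ack_from_initiator"] += 1
            elif rev in flows:
                flows[rev]["ack_from_responder"] += 1
    return dict(flows)


def verdict(counters):
    """Classify one flow's handshake from its counters."""
    if counters["ack_from_initiator"]:
        return "handshake completed"
    if counters["syn"] and counters["synack"]:
        return "stalled: SYN-ACK captured but initiator never ACKed"
    if counters["synack"]:
        return "SYN-ACK without a SYN in this capture"
    return "SYN unanswered"


if __name__ == "__main__":
    for flow, counters in summarize_handshakes(SAMPLE).items():
        print(flow, counters, "->", verdict(counters))
```

Running it over both exports and comparing the counters for the same flow shows which side saw which half of the handshake.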