My plan is to try and re-upgrade the main site to 2.4.5 this Saturday and redo the packet captures once things stop working. I can try that if it turns out to be a fragmentation issue. The OpenVPN interface is not assigned on either end currently. That look OK? The remote sites use the same settings, except one site has the Firewall Optimization Options set to "High-latency" due to their internet connection type. This has been my config for as long as I can remember: one remote site is 2.4.5, the other is 2.4.4-p3, so it seems the deciding factor is the host/receiving end of the VPN. And with the VPN host on 2.4.4-p3, those packets get passed straight through untouched, and everything works.

All sites were failing when the main site was upgraded to 2.4.5. Probably due to the size of the public certificates being sent. I can post the working packet capture if needed, but from what I can tell with Wireshark, some of the RADIUS messages are larger than a single packet, so they get fragmented. If those are getting dropped or mis-assembled rather than just passed through, that would do

Good points, thanks! I will pay close attention to those fragmented packets when I redo the test on the new version.

I did notice on the working capture, some of the RADIUS messages are large enough they fragment, and carry all the way through the tunnel to the RADIUS server still fragmented.

Traceroute from UniFi access point: BZ.v3.9.15# traceroute DC.

Traceroute from Domain Controller / NPS / RADIUS server: PS C:\Users\DAVe3283> tracert UAP-AC-LR.
103 ms 112 ms 114 ms pfsense.

I suspect some packets are being routed differently, dropped, or modified on the latest version that the previous version didn't touch. I can SSH into the AP and ping the RADIUS server, and ping the AP from the RADIUS server regardless of pfSense version. I also see RADIUS activity start (but never succeed or fail) in the server log. I do see RADIUS connectivity in the states tables of both host and remote pfSense.

When I update it to 2.4.5, WiFi authentication fails, and laptops try to connect over and over with no logged error (thanks Microsoft). When the host is on 2.4.4-p3, everything works fine. I can provide config specifics as needed. Both exhibit the same behavior, and only the main site (host) pfSense version seems to matter. I have 2 remote sites, one running 2.4.4-p3 and the other 2.4.5. Phones use username/password and that seems to break too.