[Vpn-help] SSH connection hang with beta 2
Matthew Grooms
mgrooms at shrew.net
Sun May 6 23:02:58 CDT 2007
Tai-hwa Liang wrote:
> On Sat, 5 May 2007, Matthew Grooms wrote:
>
> I do have a "scrub in all" in my default pf.conf; furthermore, if I read
> the man page correctly, this implies "scrub in all fragment reassemble,"
> which doesn't work for me.
>
Yes, I believe you are right.
>
> After a few rounds of trial and error, it appears to me that using max-mss 552
> as suggested in the aforementioned link works better:
>
> scrub in fragment reassemble max-mss 552
>
> I presume that 1440 still hangs the VPN client because we are using
> 540 as the default packet size. With this new pf setting, the chance
> that I run into a hanging connection turns out to be fewer than before.
>
I am in the process of rewriting the 2.0 client documentation. I removed
support for packet pre-fragmentation some time ago. The fragment size
option in the client configuration now only refers to IKE fragmentation.
Sorry for the confusion.
> However, the concurrent "ping -t vpn.lan.address" session returns a
> different result compared to the old pf settings; that is, in the
> old "scrub in all" configuration, I can still see ICMP replies in
> another window even when the primary ssh connection hangs. On the other hand,
> in the "max-mss" configuration, "ping -t" simply returns "Request timed
> out" whilst the ssh connection is hanging. Meanwhile, any ping request
> sent to the VPN server will time out.
>
With MSS clamping enabled on the firewall, you shouldn't experience
any hangs at all due to fragmentation issues with TCP communications. I
will do some testing and try to reproduce the issue.
I know you said the 1.1 version of the client worked better in this
regard. Did you still experience ssh session hangs from time to time?
Thanks,
-Matthew
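The `scrub ... max-mss 552` rule discussed above works by rewriting the MSS option that a TCP peer advertises in its SYN, so that neither side ever emits a segment large enough to need fragmentation once it is encapsulated in the tunnel. The following is an added illustration of that mechanism in Python; it is not code from this thread, from pf, or from the Shrew Soft client. It builds a constructed IPv4/TCP SYN (addresses, ports and sequence number are sample values), clamps the MSS the way a max-mss rule would, and recomputes the TCP checksum, which is the step that is easy to forget when doing this by hand.

```python
"""MSS clamping as a pf "scrub ... max-mss N" rule performs it.
Added illustration, not code from the thread or from the Shrew Soft client;
the packet below is a constructed sample, not a capture."""
import struct
from typing import Optional

TCP_PROTO = 6
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
TH_SYN = 0x02


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum of data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return inet_checksum(pseudo + segment)


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int,
              mss: int, flags: int = TH_SYN) -> bytes:
    """Construct a sample IPv4/TCP packet carrying an MSS option (test input)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # Options: MSS, NOP, NOP, SACK-permitted -> 8 bytes, TCP header is 28 bytes.
    options = struct.pack("!BBH", TCPOPT_MSS, 4, mss) + b"\x01\x01\x04\x02"
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x12345678, 0,
                      doff << 4, flags, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     64, TCP_PROTO, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def _mss_offset(tcp: bytes) -> Optional[int]:
    """Walk the TCP option list; return the offset of the 16-bit MSS value."""
    doff = (tcp[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = tcp[i]
        if kind == TCPOPT_EOL:
            return None
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= doff:
            return None
        length = tcp[i + 1]
        if length < 2 or i + length > doff:
            return None          # malformed option list: leave the packet alone
        if kind == TCPOPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def read_mss(packet: bytes) -> Optional[int]:
    """Advertised MSS of a TCP packet, or None if there is no MSS option."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != TCP_PROTO:
        return None
    off = _mss_offset(packet[ihl:])
    return None if off is None else struct.unpack_from("!H", packet, ihl + off)[0]


def tcp_checksum_ok(packet: bytes) -> bool:
    """True when the TCP checksum verifies (sum including the field folds to 0)."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """Return packet with its MSS option lowered to max_mss, as max-mss does.
    Only SYNs are touched, only when the advertised value exceeds the limit,
    and the TCP checksum is recomputed afterwards."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != TCP_PROTO:
        return packet
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & TH_SYN:
        return packet
    off = _mss_offset(bytes(tcp))
    if off is None or struct.unpack_from("!H", tcp, off)[0] <= max_mss:
        return packet
    struct.pack_into("!H", tcp, off, max_mss)
    tcp[16:18] = b"\x00\x00"
    struct.pack_into("!H", tcp, 16,
                     tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


if __name__ == "__main__":
    syn = build_syn("10.0.0.2", "10.0.1.5", 40000, 22, 1460)   # constructed sample
    clamped = clamp_mss(syn, 552)
    print("MSS before:", read_mss(syn), "after:", read_mss(clamped),
          "checksum ok:", tcp_checksum_ok(clamped))
```

Running it shows the advertised MSS dropping from 1460 to 552 with a valid checksum on the rewritten SYN. The point for a VPN deployment is that the clamp happens once, on the handshake, and then both endpoints size their segments for the tunnel on their own; with it in place a working connection should not depend on IP fragment reassembly at all.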