[Vpn-help] SSH connection hang with beta 2

Matthew Grooms mgrooms at shrew.net
Sun May 6 23:02:58 CDT 2007

Tai-hwa Liang wrote:
> On Sat, 5 May 2007, Matthew Grooms wrote:
>   I do have a "scrub in all" in my default pf.conf; furthermore, if I read
> the man page correctly, this implies "scrub in all fragment reassemble,"
> which doesn't work for me.

Yes, I believe you are right.

>   After a few trial-and-error, it appears to me that using max-mss 552
> as suggested in aforementioned link works better:
>     scrub in fragment reassemble max-mss 552
>   I presume that 1440 still hangs the VPN client because we are using
> 540 as the default packet size.  With this new pf setting, the chance
> that I run into a hanging connection turns out to be fewer than before.

I am in the process of rewriting the 2.0 client documentation. I removed 
support for packet pre-fragmentation some time ago. The fragment size 
option in the client configuration now only refers to IKE fragmentation. 
Sorry for the confusion.

>   However, the concurrent "ping -t vpn.lan.address" session returns
> different result in comparied to the old pf settings; that is, in the 
> old "scrub in all" configuration, I can still see ICMP replies in 
> another window even the primary ssh connection hangs. On the other hand, 
> in the "max-mss" configuration, "ping -t" simply returns "Request timed 
> out" whilst the ssh
> connection is hanging.  Meanwhilst, any ping request sends to VPN server
> will timeout.

With the mss clamping enabled on the firewall, you shouldn't experience 
any hangs at all due to fragmentation issues with tcp communications. I 
will do some testing and try to reproduce the issue.

I know you said the 1.1 version of the client worked better in this 
regard. Did you still experience ssh session hangs from time to time?



More information about the vpn-help mailing list