On Mon, Dec 3, 2012 at 5:57 PM, Wade Blackwell <[email protected]> wrote:
> Good afternoon all,
> So I have 3 sites in a full mesh IPsec VPN. 2 of those sites are PF
> 2.1-BETA0 (nov 1) and the other is m0n0wall 1.33. Tunnel that is currently
> affected traverses one PF and the m0n0. I have disabled hardware checksum
> offload, hardware TCP segmentation offload and hardware large receive
> offload. I'm seeing a high number of the 0x0000 checksums (50+ percent) and
> I believe this is causing an AD domain join to fail over the VPN. No traffic
> filtering over the tunnels or on the interfaces where these hosts live, wide
> open between one another. Packet capture attached, any insight would be
> fabulous. Thanks all.

The direction that has null checksums is normal for hardware checksum offloading being enabled; from that capture it's not actually disabled. I suspect that's not a problem at all.

It's far more likely you're having issues because of large packets not getting through. Enabling MSS clamping on the VPN traffic (System>Advanced in pfSense, impossible to do in m0n0wall but as long as it's only one endpoint that may be ok) will work around such scenarios. If that's not it, my next guess is Windows firewall, or an AD DNS problem.
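
Added example, not part of the original thread: a Python sketch of the triage the reply describes, recomputing the TCP checksum of a captured segment and separating a 0x0000 field on a frame sent by the capturing host (the offload pattern) from one that fails verification on arrival. The addresses, ports, function names and the "zero checksum from the local source" heuristic are assumptions made for illustration.

```python
import ipaddress
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Expected TCP checksum over the IPv4 pseudo-header and the segment."""
    pseudo = (ipaddress.IPv4Address(src).packed
              + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    # The checksum field (bytes 16-17 of the TCP header) counts as zero.
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ~ones_complement_sum(pseudo + zeroed) & 0xFFFF

def classify(src: str, dst: str, segment: bytes, capture_host: str) -> str:
    """Label one captured segment; capture_host is where the sniffer ran."""
    stored = struct.unpack("!H", segment[16:18])[0]
    if stored == tcp_checksum(src, dst, segment):
        return "valid"
    # Assumed heuristic: an outbound frame is captured before the NIC fills
    # in the checksum, so a null field from the local source is an artifact.
    if stored == 0 and src == capture_host:
        return "offload-artifact"
    return "corrupt"

def sample_syn(checksum: int = 0) -> bytes:
    """Constructed 20-byte TCP SYN, port 49152 -> 445, no options."""
    return struct.pack("!HHIIBBHHH", 49152, 445, 1, 0, 0x50, 0x02,
                       0xFFFF, checksum, 0)

LOCAL, REMOTE = "10.0.1.10", "10.0.2.20"  # constructed addresses

if __name__ == "__main__":
    good = sample_syn(tcp_checksum(LOCAL, REMOTE, sample_syn()))
    print(classify(LOCAL, REMOTE, sample_syn(), LOCAL))   # sent by sniffer host
    print(classify(LOCAL, REMOTE, good, REMOTE))          # verified on arrival
    print(classify(REMOTE, LOCAL, sample_syn(), LOCAL))   # null on inbound
```
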
