213709 – Upgrade 10.3->11.0 (something blocks connections for openvpn)

Bug 213709 - Upgrade 10.3->11.0 (something blocks connections for openvpn)

Summary: Upgrade 10.3->11.0 (something blocks connections for openvpn)

Status:	Closed DUPLICATE of bug 207831

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	misc (show other bugs)
Version:	11.0-STABLE
Hardware:	amd64 Any

Importance:	--- Affects Many People
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:	regression

Depends on:
Blocks:

Reported:	2016-10-22 18:36 UTC by IPTRACE
Modified:	2019-03-31 01:38 UTC (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description IPTRACE 2016-10-22 18:36:52 UTC

After upgrade to 11.0-RELEASE something blocks connections between openvpn-client and openvpn-server etc.
I mean traffic after openvpn connection is established, so user can connect but has no traffic.
Only one connected user is forwarded/routed to destinations/other hosts etc. When the second and more users are connected there is no traffic for them.

Works: 10.3-RELEASE and openvpn-2.3.12_1
Doesn't work: 11.0-RELEASE and openvpn-2.3.12_1

I've disabled PF and it's not helped.
Client got vpn IP, dns, gateways etc.
Problem occured on two upgraded servers.
When I disconenct the first client, the second has no immediately traffic I have to reconnect.
It means only one client which first established connection is able to forward packets.

listening on tun0, link-type NULL (BSD loopback), capture size 262144 bytes
2016-10-22 19:53:53.391140 AF IPv4 (2), length 88: 10.10.10.2 > 10.0.0.16: ICMP echo request, id 28711, seq 0, length 64
2016-10-22 19:53:53.392093 AF IPv4 (2), length 88: 10.0.0.16 > 10.10.10.2: ICMP echo reply, id 28711, seq 0, length 64
2016-10-22 19:53:54.418406 AF IPv4 (2), length 88: 10.10.10.2 > 10.0.0.16: ICMP echo request, id 28711, seq 1, length 64
2016-10-22 19:53:54.418755 AF IPv4 (2), length 88: 10.0.0.16 > 10.10.10.2: ICMP echo reply, id 28711, seq 1, length 64
2016-10-22 19:53:55.407177 AF IPv4 (2), length 88: 10.10.10.2 > 10.0.0.16: ICMP echo request, id 28711, seq 2, length 64
2016-10-22 19:53:55.407986 AF IPv4 (2), length 88: 10.0.0.16 > 10.10.10.2: ICMP echo reply, id 28711, seq 2, length 64
2016-10-22 19:54:00.114782 AF IPv4 (2), length 64: 10.10.10.3 > 10.0.0.16: ICMP echo request, id 1, seq 1200, length 40
2016-10-22 19:54:04.993728 AF IPv4 (2), length 64: 10.10.10.3 > 10.0.0.16: ICMP echo request, id 1, seq 1201, length 40
2016-10-22 19:54:09.991531 AF IPv4 (2), length 64: 10.10.10.3 > 10.0.0.16: ICMP echo request, id 1, seq 1202, length 40

10.10.10.2-3 clients
10.0.0.16 destination
listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
2016-10-22 20:10:30.375394 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 98: 10.10.10.2 > 10.0.0.16: ICMP echo request, id 58877, seq 0, length 64
2016-10-22 20:10:30.375737 00:a0:98:87:50:a5 > 00:a0:98:68:86:08, ethertype IPv4 (0x0800), length 98: 10.0.0.16 > 10.10.10.2: ICMP echo reply, id 58877, seq 0, length 64
2016-10-22 20:10:31.345897 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 98: 10.10.10.2 > 10.0.0.16: ICMP echo request, id 58877, seq 1, length 64
2016-10-22 20:10:31.346183 00:a0:98:87:50:a5 > 00:a0:98:68:86:08, ethertype IPv4 (0x0800), length 98: 10.0.0.16 > 10.10.10.2: ICMP echo reply, id 58877, seq 1, length 64
2016-10-22 20:10:32.353331 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 98: 10.10.10.2 > 10.0.0.16: ICMP echo request, id 58877, seq 2, length 64
2016-10-22 20:10:32.353659 00:a0:98:87:50:a5 > 00:a0:98:68:86:08, ethertype IPv4 (0x0800), length 98: 10.0.0.16 > 10.10.10.2: ICMP echo reply, id 58877, seq 2, length 64
2016-10-22 20:10:33.386036 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 98: 10.10.10.2 > 10.0.0.16: ICMP echo request, id 58877, seq 3, length 64
2016-10-22 20:10:33.386448 00:a0:98:87:50:a5 > 00:a0:98:68:86:08, ethertype IPv4 (0x0800), length 98: 10.0.0.16 > 10.10.10.2: ICMP echo reply, id 58877, seq 3, length 64
2016-10-22 20:10:34.375291 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 98: 10.10.10.2 > 10.0.0.16: ICMP echo request, id 58877, seq 4, length 64
2016-10-22 20:10:34.375935 00:a0:98:87:50:a5 > 00:a0:98:68:86:08, ethertype IPv4 (0x0800), length 98: 10.0.0.16 > 10.10.10.2: ICMP echo reply, id 58877, seq 4, length 64
2016-10-22 20:10:35.374819 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 98: 10.10.10.2 > 10.0.0.16: ICMP echo request, id 58877, seq 5, length 64
2016-10-22 20:10:35.375371 00:a0:98:87:50:a5 > 00:a0:98:68:86:08, ethertype IPv4 (0x0800), length 98: 10.0.0.16 > 10.10.10.2: ICMP echo reply, id 58877, seq 5, length 64
2016-10-22 20:11:07.936758 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 74: 10.10.10.3 > 10.0.0.16: ICMP echo request, id 1, seq 1208, length 40
2016-10-22 20:11:07.937176 00:a0:98:87:50:a5 > 00:a0:98:68:86:08, ethertype IPv4 (0x0800), length 74: 10.0.0.16 > 10.10.10.3: ICMP echo reply, id 1, seq 1208, length 40
2016-10-22 20:11:07.937250 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:09.671143 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:09.671239 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:09.671690 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:09.671708 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:09.694139 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:09.694168 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:09.695613 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:10.388725 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:12.508085 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 74: 10.10.10.3 > 10.0.0.16: ICMP echo request, id 1, seq 1209, length 40
2016-10-22 20:11:12.508361 00:a0:98:87:50:a5 > 00:a0:98:68:86:08, ethertype IPv4 (0x0800), length 74: 10.0.0.16 > 10.10.10.3: ICMP echo reply, id 1, seq 1209, length 40
2016-10-22 20:11:12.508439 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:13.575831 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:13.608864 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:13.608944 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:13.609062 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:13.609082 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:15.297036 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:17.235472 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:17.514191 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 74: 10.10.10.3 > 10.0.0.16: ICMP echo request, id 1, seq 1210, length 40
2016-10-22 20:11:17.514610 00:a0:98:87:50:a5 > 00:a0:98:68:86:08, ethertype IPv4 (0x0800), length 74: 10.0.0.16 > 10.10.10.3: ICMP echo reply, id 1, seq 1210, length 40
2016-10-22 20:11:17.514707 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:17.609568 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:17.609662 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:17.609684 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:17.609694 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:17.609728 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:21.129764 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:21.608993 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36
2016-10-22 20:11:21.829625 00:a0:98:68:86:08 > 00:a0:98:87:50:a5, ethertype IPv4 (0x0800), length 70: 10.0.0.10 > 10.0.0.16: ICMP time exceeded in-transit, length 36


vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
ether 00:a0:98:68:86:08
inet 10.0.0.10 netmask 0xfffffe00 broadcast 10.0.1.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T <full-duplex>
status: active

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::2a0:98ff:fe68:8608%tun0 prefixlen 64 scopeid 0x3
inet 10.10.10.1 --> 10.10.10.2 netmask 0xffffff00
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: tun
Opened by PID 690

Comment 1 guyyur 2016-10-24 10:28:48 UTC

Sounds like the same problem as in bug 207831

Check if the vpn network route on the server leads to lo0 instead of tun0.

Comment 2 IPTRACE 2016-10-25 14:53:55 UTC

Yes, that's the same problem.

BEFORE upgrade:
Internet:
Destination        Gateway            Flags      Netif Expire
default            10.0.0.2           UGS      vtnet0
10.0.0.0/23        link#1             U        vtnet0
10.0.0.10          link#1             UHS         lo0
---> 10.10.10.0/24      10.10.10.1         UGS        tun0
10.10.10.1         link#4             UHS         lo0
10.10.10.2         link#4             UH         tun0
10.10.11.0/24      10.0.1.10          UGS      vtnet0
127.0.0.1          link#2             UH          lo0

AFTER upgrade:
Internet:
Destination        Gateway            Flags     Netif Expire
default            10.0.0.2           UGS      vtnet0
10.0.0.0/23        link#1             U        vtnet0
10.0.0.10          link#1             UHS         lo0
---> 10.10.10.0/24      10.10.10.1         UGS         lo0
10.10.10.1         link#4             UHS         lo0
10.10.10.2         link#4             UH         tun0
10.10.11.0/24      10.0.1.10          UGS      vtnet0
127.0.0.1          link#2             UH          lo0

Comment 3 Renato Botelho freebsd_committer

2016-11-01 20:59:16 UTC


*** This bug has been marked as a duplicate of bug 207831 ***