Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 2 subscribers
  • Views 3624 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Packet loss in OpenVPN tunnel when using NAT

ChrisH1
I have a dedicated virtual machine for OpenVPN UDP site-to-site connections behind an UTM.
If I connect the VM using NAT through the UTM (DNAT for the OpenVPN port to the VM's RFC1918 address and SNAT back out), I have consistently 5-15% packet loss in the tunnel.

If I connect the VM using an external IP routed through the UTM, the packet loss is gone.

CPU load on the UTM never exceeds 25%. Firewall logs show nothing interesting.

Ideas?


This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to scorpionking
    IPS log?

    Sure enough (IPS is disabled, so I didn't think to look there):

    2015:08:17-15:46:04 H-GATE2 ulogd[4396]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth15" srcmac="44:8a:5b[:D]8:82:4f" dstmac="00:50:56:00:86:fa" srcip="188.195.***.yyy" dstip="78.47.***.yyy" proto="17" length="1473" tos="0x00" prec="0x00" ttl="116" srcport="1194" dstport="1196" 

    On which port and protocol do you use OpenVPN?

    UDP/1196.

    I have added an exception rule to the UDP flood protection and will see if that does the trick. 
    Thank you!
  • 0 in reply to ChrisH1
    IPS disabled does not mean fully disabled. Flood protection must be disabled separately.