Subject: RE: Keeping CIPE link Up
From: "Les Mikesell" <lesmikesell,AT,home,DOT,com>
Date: Fri, 3 Aug 2001 18:43:25 +0200
In-reply-to: <3B6974DA.F5E5DD37@linux-no-limits.com>

I recently installed a CIPE endpoint behind
a NAT firewall (where the NAT was not dynamic
and shouldn't be an issue for CIPE) and saw
that the box behind the firewall could initiate
a connection and for some short time the return
packets would be allowed.  After a few seconds
of idle time the other end could not start a
new connection through the tunnel.   The firewall
was only allowing the return UDP packets to pass
for a short time after one had been sent.  This
doesn't exactly match your description, but it
may be some similar 'stateful' behavior in the
firewalls, so be sure your netcat tests used the
same UDP ports and had similar timing before
deciding they are not the problem.

From: owner-cipe-l,AT,inka,DOT,de [mailto:owner-cipe-l,AT,inka,DOT,de] On Behalf Of Scott Sharkey
Sent: Thursday, August 02, 2001 10:42 AM
Cc: cipe-l,AT,inka,DOT,de
Subject: Re: Keeping CIPE link Up

More info on my problems with a CIPE VPN...

In my last message, I mentioned that I had two RH 7.1 boxes, each
running 1.4.5 CIPE.  They were behind firewalls, and had been working,
but periodically timing out.  Well, recently the behaviour changed.

NOW, they are not working.  But the circumstances are weird.  If I ping
from one end of the CIPE pipe to the other (doesn't matter in which
direction), exactly one ping gets through round-trip.  The opposite
side sees all the pings, and is apparently responding.  But only the
first packet is actually getting through.

I took down the CIPE, and tried netcat on the two ends, and I can
communicate using it, with either end being the "server",
so I don't think it's a firewall issue.

Any ideas or suggestions?  Remember, at one time this was working
fine.  No patches have been installed on either machine, and the
machine configurations have not been changed.  The firewall guys
claim that they have made no changes, but I cannot verify that.


