[kbeaucha]

Hello:

I have a remote site where I'm having a problem with the OpenBSD network gateway I'm using there. This site is one of five that are all configured basically the same, and this site has been in service for many years. What we thought was a minor change has apparently caused a new problem.

The remote site's gateway forwards packets between its upstream port and its local network port. Most traffic comes in on enc0, because the gateway is one end of a point-to-point VPN tunnel set up using ipsec, but the upstream port is pingable and permits ssh logins.

For the longest time a Soekris 4801 ran the tunnel flawlessly.

A recent change put a new embedded controller behind this gateway. From the local network, you can log into the controller by telneting to port 1400, and the same port is used to push data back to a Macintosh on our main campus through the tunnel.

No changes were made to our remote ruleset to accommodate this move.

After we added this controller and Mac connection, we began to experience times when the upstream port at the remote site would become unresponsive. Data wasn't traversing the tunnel for anything behind the Soekris; I believe the tunnel was being dropped. The upstream port would not allow ssh logins and would not respond to pings.

Power-cycling the Soekris would bring everything back.

To eliminate the possibility that the Soekris was the cause, we replaced it with a (faster) PC Engines Alix unit. The problems seemed to go away for over a year, until last week, when the tunnel dropped again.

Due to some other problems I wasn't able to log into the Alix's serial port, but the upstream (and local network) ports still had link, and the admin for the switch that the upstream port was plugged into said he could see link and get the MAC address of the gateway. I am open to suggestions on what to look for if this should occur again to help resolve the problem.


tia
kmb