Date: Thu, 23 Apr 2009 15:59:12 +0200
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Subject: Re: "BAD ICMP" message
Message-ID: <200904231559.13059.max@love2party.net>
In-Reply-To: <49EFF732.3010402@sebster.com>
References: <49EFF732.3010402@sebster.com>

On Thursday 23 April 2009 07:05:54 Sebastiaan van Erk wrote:
> Apr 23 06:58:38 vpn3 kernel: pf: loose state match: TCP
> 10.0.80.150:51422 10.0.80.150:51422 10.0.80.4:22 [lo=3150927679
> high=3150923785 win=692 modulator=0] [lo=0 high=692 win=1 modulator=0]
> 2:0 A seq=3150927679 (3150927679) ack=0 len=0 ackskew=0 pkts=77:0
> Apr 23 06:58:38 vpn3 kernel: pf: BAD ICMP 5:1 10.0.80.77 -> 10.0.80.150
                                            ^
These are ICMP redirect messages. This clearly suggests that something is
very wrong with your routing. I assume your netmasks are wrong. It looks
like 10.0.80.77 thinks that 10.0.80.150 can reach 10.0.80.4 directly which
is not the case - it needs to route through 10.0.80.77.

> state: TCP 10.0.80.4:22 10.0.80.4:22 10.0.80.150:51422 [lo=3150927679
> high=3150923785 win=692 modulator=0] [lo=0 high=692 win=1 modulator=0]
> 2:0 seq=3150927679
>
> I see this message several times and the connection no longer works
> after that.
>
> Does anybody know what's going on and how I can fix it?

Use separate ip-ranges on either side of the vpn-router or combine
vpn-endpoints from the same subnet in a bridge interface to allow direct
communication between all members in one subnet.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
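Added example, not part of the original message or of pf: a small Python check that picks ICMP redirects (type 5) out of pf debug lines in the format quoted above and tests whether the redirecting router, the redirected host and the connection peer all fall in one subnet. The sample log lines are constructed, the /24 prefix length is an assumed netmask, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format quoted in the message above.
SAMPLE_LOG = """\
Apr 23 06:58:38 vpn3 kernel: pf: BAD ICMP 5:1 10.0.80.77 -> 10.0.80.150
Apr 23 06:58:39 vpn3 kernel: pf: BAD ICMP 5:1 10.0.80.77 -> 10.0.80.150
Apr 23 06:58:40 vpn3 kernel: pf: BAD ICMP 3:1 10.0.80.77 -> 10.0.80.150
"""

BAD_ICMP = re.compile(
    r"pf: BAD ICMP (?P<type>\d+):(?P<code>\d+) (?P<src>\S+) -> (?P<dst>\S+)")

# ICMP type 5 is Redirect; code meanings per RFC 792.
REDIRECT_CODES = {0: "network", 1: "host", 2: "TOS and network", 3: "TOS and host"}


def find_redirects(log_text):
    """Count ICMP redirects per (sender, recipient, code) in pf debug output."""
    hits = Counter()
    for line in log_text.splitlines():
        m = BAD_ICMP.search(line)
        if m and int(m["type"]) == 5:
            hits[(m["src"], m["dst"], int(m["code"]))] += 1
    return hits


def same_subnet(hosts, prefix_len):
    """True if every host falls in one network of the given prefix length."""
    nets = {ipaddress.ip_interface(f"{h}/{prefix_len}").network for h in hosts}
    return len(nets) == 1


def report(log_text, peer, prefix_len):
    """Describe each redirect and whether sender, recipient and peer share a subnet."""
    out = []
    for (src, dst, code), n in sorted(find_redirects(log_text).items()):
        shared = same_subnet([src, dst, peer], prefix_len)
        out.append(f"{n}x redirect ({REDIRECT_CODES.get(code, 'unknown')}) "
                   f"{src} -> {dst}; peer {peer} in same /{prefix_len}: {shared}")
    return out


if __name__ == "__main__":
    # Peer address taken from the quoted state entry; /24 is an assumed netmask.
    print("\n".join(report(SAMPLE_LOG, "10.0.80.4", 24)))
```

A True result means the addresses on both sides of the VPN router overlap under that netmask, which is the situation the reply's two suggested fixes address.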