You are not logged in.

#1 2019-08-17 12:36:57

LeMonsieurF
Member
Registered: 2019-08-17
Posts: 2

Kerio VPN client drops incoming packets

Hello everyone,

Installed Kerio control vpn client from AUR and everythink went fine during the install. Archlinux system is very clean, it's been installed for a couple of days only. kvnet interface goes up with no problem :

5: kvnet: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether aa:db:c1:44:10:23 brd ff:ff:ff:ff:ff:ff
    inet 172.26.110.17/27 brd 172.26.110.31 scope global kvnet
       valid_lft forever preferred_lft forever
    inet6 fe80::c468:c7ae:1587:d26/64 scope link 
       valid_lft forever preferred_lft forever

Problem is that any kind of packets (ICMP, TCP) gets dropped when the answer is coming back. With tcpdump, I can see no issue on the round trip :

 $ ping 192.168.110.40 &
 $ sudo tcpdump -i kvnet -n 'icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on kvnet, link-type EN10MB (Ethernet), capture size 262144 bytes
19:23:27.669027 IP 172.26.110.17 > 192.168.110.40: ICMP echo request, id 8445, seq 1, length 64
19:23:27.703244 IP 192.168.110.40 > 172.26.110.17: ICMP echo reply, id 8445, seq 1, length 64

No answer, it looks like kernel or iptables is dropping packets. I haven't any special sysctl configuration, everything on the network side is vanilla. No iptables rule, in any table, with ACCEPT everywhere. Nothing particular in dmesg.

Nothing intersting in kerio debug log either :

[14/Aug/2019 19:26:10] {vpnClient} VPNClient[0001] - sending Q_KEEPALIVE message
[14/Aug/2019 19:26:10] {vpnCore} IP packet 172.26.110.17 -> 172.26.110.1 handled.
[14/Aug/2019 19:26:10] {vpnCore} IP packet 172.26.110.17 -> 172.26.110.1 handled.
[14/Aug/2019 19:26:10] {vpnClient} VPNClient[0001] - received R_KEEPALIVE message
[14/Aug/2019 19:26:15] {vpnCore} IP packet 172.26.110.17 -> 172.26.110.1 handled.
[14/Aug/2019 19:26:18] {vpnCore} IP packet 172.26.110.17 -> 172.26.110.1 handled.
[14/Aug/2019 19:26:18] {vpnCore} IP packet 172.26.110.17 -> 172.26.110.31 handled.
[14/Aug/2019 19:26:19] {vpnCore} IP packet 172.26.110.17 -> 172.26.110.1 handled.

I tried installing the package from AUR, but also directly from unpacking official deb file, same result. The very same packages were running fine on my old configuration (Xubuntu) last week, so I'm sure it's not a problem with the VPN server or the package itself.

Any idea of what investigation step I can perform to learn more about what's going on ?
Thank in advance for your help

Offline

#2 2020-02-14 10:22:47

oudesab
Member
From: Russia, Yekaterinburg
Registered: 2020-02-14
Posts: 2

Re: Kerio VPN client drops incoming packets

Hello. I have the same problem. Did you find a solution?
Version 9.3.4-3795 does not work either.

Last edited by oudesab (2020-02-14 10:25:12)

Offline

#3 2020-02-14 13:16:08

Zod
Member
From: Hoosiertucky
Registered: 2019-03-10
Posts: 629

Re: Kerio VPN client drops incoming packets

What is this?..

19:23:27.703244 IP 192.168.110.40 > 172.26.110.17: ICMP echo reply, id 8445, seq 1, length 64

Edit: I sure wish you people wouldn't do that.

Last edited by Zod (2020-02-14 13:28:10)

Offline

#4 2020-02-15 01:50:21

LeMonsieurF
Member
Registered: 2019-08-17
Posts: 2

Re: Kerio VPN client drops incoming packets

@oudesab : Haven't found any solution, I had to install an OpenVPN in the target infra to give me access. But Kerio is still there so I can continue testing.

@zod : Speak your mind, I don't see what can be wrong with this smile I may be missing something obvious.

Offline

#5 2020-02-15 06:36:16

oudesab
Member
From: Russia, Yekaterinburg
Registered: 2020-02-14
Posts: 2

Re: Kerio VPN client drops incoming packets

I configured the network through the installed in VM VirtualBox Ubuntu along with Kerio.
This works, but tcpdump does not output 'ICMP echo reply':

$ ping 192.168.2.182 > /dev/null &
$ sudo tcpdump -i kvnet -n 'icmp'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on kvnet, link-type EN10MB (Ethernet), capture size 262144 bytes
11:04:13.671753 IP 192.168.11.76 > 192.168.2.182: ICMP echo request, id 2, seq 19, length 64
11:04:14.685110 IP 192.168.11.76 > 192.168.2.182: ICMP echo request, id 2, seq 20, length 64
11:04:15.698399 IP 192.168.11.76 > 192.168.2.182: ICMP echo request, id 2, seq 21, length 64
11:04:16.711715 IP 192.168.11.76 > 192.168.2.182: ICMP echo request, id 2, seq 22, length 64

I don’t understand what is happening hmm

Maybe someone is obvious, but I have little experience with the network.
I would like to find a solution so as not to run often VM)

Last edited by oudesab (2020-02-15 06:40:14)

Offline

#6 2020-12-08 21:14:04

loiten
Member
Registered: 2020-12-08
Posts: 1

Re: Kerio VPN client drops incoming packets

Short: Packets from remote dropped by kernel because wrong MAC-address.
Long: On each login vpn client create new random MAC-address and say it to server. But client don't set that mac to kvnet interface. And if you look at packets incoming from remote, you can see that header contain MAC-address from debug.log. And, because destination and iface addresses not equal, it lead to dropped packets.

Offline

#7 2020-12-26 20:58:01

herrsausm
Member
Registered: 2020-12-26
Posts: 1

Re: Kerio VPN client drops incoming packets

loiten wrote:

Short: Packets from remote dropped by kernel because wrong MAC-address.
Long: On each login vpn client create new random MAC-address and say it to server. But client don't set that mac to kvnet interface. And if you look at packets incoming from remote, you can see that header contain MAC-address from debug.log. And, because destination and iface addresses not equal, it lead to dropped packets.

You are my personal hero. I'm not an Arch Linux user but Debian, and I was hit by the same issue when I upgraded from Stable to Testing. With your information the fix is easy, get the mac address from tcpdump and set it with

ip link set kvnet addr <mac>

I found another "solution" for me, which I do not understand. When I run the VPN client from the command line with strace, it works fine without any further work. It does set the mac address on the interface correctly. Running it from the command line without strace does not have this effect.

strace -f /usr/sbin/kvpncsvc /usr/lib/kerio-control-vpn

works, even when I cancel strace (detaching the process) with Ctrl-C.

I have posted a message to the GFI Forum at https://forums.gfi.com/index.php?t=thread&frm_id=4& (awaiting moderation) and I will ask my customer for approval to officially open a support ticket on his behalf.

Bernhard

Offline

Board footer

Powered by FluxBB