The strange thing is that ping works OK when TCP
doesn't connect.
My first suspicion would be a stateful firewall, but I'm sure you
checked that. Could it be a TTL problem? I'm just guessing here.
The TTL of the inside IP packet is 63. I first traced on the external interface
and saw the encapsulated packet, then I traced on the tunl0 interface and saw
the decapsulated packet (same without the outer IP header), and it all looks OK.
I see the SYN going out, the SYN-ACK coming in, but nothing more (the ACK should go out).
The firewall is stateful but I added an explicit accept for -s 44.0.0.1 at the
top of all the rules to make sure it is not that. Also, I reset the firewall and
watched the counters, did not see any packets being dropped.
And indeed, ping works OK. It is strange. Maybe something is wrong due to the
gateway external address change, although I would not know what could produce
the above scenario. The system has been up for about a year; maybe I should try
rebooting it (usually this brings nothing when I try it... it isn't Windows :-).
Of course, sometime it will become clear how this can be explained.
Rob
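The symptom Rob describes (SYN out, SYN-ACK in, no ACK, while ICMP echo works) is easy to spot by eye on one connection but tedious across a whole trace. The script below is an added example, not code from the thread: it runs the same check over `tcpdump -n` style output, tracking each TCP flow by 4-tuple and reporting which handshake stage is missing, and counting ICMP echo request/reply pairs alongside. The trace lines are constructed for the example; 44.0.0.1 is the remote address from the post, and the inside address 10.0.0.5, the port numbers and the timestamps are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of `tcpdump -n -i tunl0` output (not a real capture from the thread).
# Flow 10.0.0.5:40000 -> 44.0.0.1:80 stalls after the SYN-ACK, as in the post;
# flow 10.0.0.5:40001 -> 44.0.0.1:22 completes, and one ping round-trip succeeds.
SAMPLE_TRACE = """\
12:00:00.000100 IP 10.0.0.5.40000 > 44.0.0.1.80: Flags [S], seq 1000, win 64240, length 0
12:00:00.020400 IP 44.0.0.1.80 > 10.0.0.5.40000: Flags [S.], seq 5000, ack 1001, win 65160, length 0
12:00:01.000100 IP 10.0.0.5.40001 > 44.0.0.1.22: Flags [S], seq 2000, win 64240, length 0
12:00:01.020400 IP 44.0.0.1.22 > 10.0.0.5.40001: Flags [S.], seq 6000, ack 2001, win 65160, length 0
12:00:01.020600 IP 10.0.0.5.40001 > 44.0.0.1.22: Flags [.], ack 1, win 502, length 0
12:00:02.000000 IP 10.0.0.5 > 44.0.0.1: ICMP echo request, id 7, seq 1, length 64
12:00:02.021000 IP 44.0.0.1 > 10.0.0.5: ICMP echo reply, id 7, seq 1, length 64
"""

# tcpdump prints IPv4 endpoints as "a.b.c.d.port" and TCP flags inside [ ].
TCP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
ICMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply)"
)


@dataclass
class Flow:
    """Which stages of the three-way handshake were observed for one flow."""
    syn: bool = False
    synack: bool = False
    ack: bool = False


def handshake_state(flow: Flow) -> str:
    if not flow.syn:
        return "no SYN seen"
    if not flow.synack:
        return "SYN sent, no SYN-ACK received"
    if not flow.ack:
        return "SYN-ACK received, no ACK sent"
    return "handshake complete"


def analyze(trace: str) -> dict:
    """Classify every TCP flow in the trace and count ICMP echo traffic.

    Flow keys are (client, cport, server, sport), oriented from the side that
    sent the SYN, so the reversed SYN-ACK is matched back to the same key.
    """
    flows: dict[tuple, Flow] = {}
    icmp = {"request": 0, "reply": 0}
    for line in trace.splitlines():
        m = TCP_RE.search(line)
        if m:
            src, sport = m["src"], int(m["sport"])
            dst, dport = m["dst"], int(m["dport"])
            flags = m["flags"]
            if flags == "S":                       # client -> server SYN
                flows.setdefault((src, sport, dst, dport), Flow()).syn = True
            elif flags == "S.":                    # server -> client SYN-ACK
                f = flows.get((dst, dport, src, sport))
                if f and f.syn:
                    f.synack = True
            elif flags in (".", "P."):             # client's ACK (possibly with data)
                f = flows.get((src, sport, dst, dport))
                if f and f.synack:
                    f.ack = True
            continue
        m = ICMP_RE.search(line)
        if m:
            icmp[m["kind"]] += 1
    return {"tcp": {k: handshake_state(v) for k, v in flows.items()}, "icmp": icmp}


if __name__ == "__main__":
    result = analyze(SAMPLE_TRACE)
    for (client, cport, server, sport), state in result["tcp"].items():
        print(f"{client}:{cport} -> {server}:{sport}: {state}")
    print(f"ICMP echo: {result['icmp']['request']} requests, {result['icmp']['reply']} replies")
```

Feed it a real capture with `tcpdump -n -i tunl0 'tcp or icmp' > trace.txt` and `analyze(open("trace.txt").read())`; running it once on the external interface and once on tunl0 shows whether the missing ACK was never generated by the stack or was generated and lost before encapsulation.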