Retransmissions over fortigate ipsec vpn
I am troubleshooting a print delay/pausing issue over a vpn. Printers are on one side of the tunnel, the application is on the other. printers randomly stop and start printing. Only thing i am seeing on the packet caps is dups/retransmissions but cannot figure out why
here is a link to the pcap - link text
Have you looked at the details on those packets?
Try setting the display filter to tcp.stream == 1 and the Time Display Format to Seconds since previous displayed packet.
Now look at these packets again and see that every packet is repeated with a very short delay. Let's call these 'pairs'. Now look at the IP layer of these packet pairs, in particular the Time To Live. You'll notice that in each pair these differ by 1. So either two packets appear at the interface via their own route, or the capture setup is such that the ingress and egress packets are captured.
And what's happening with these MAC addresses being 00:00:00:00:00:00?
The capture was taken from the fortigates sniffer from one side of the tunnel. There is only one route
Can you make a capture to a working printer to compare?
Can you make a capture near the printer to see if it receiving and responding to the LPR packet from the client?
This Red Hat Bugzilla has nothing to do with the issue but does have a pcap attached to it showing a full LPD TCP conversation.
So, looking at this it would be interesting to know what drag sniffer packet command you actually used. And assuming you used fgt2eth.pl you got a pcap file with everything in it. If you were sniffing on 'any' interface that would explain a lot.
I retook the capture from a span port on the same switch. capfile below - notice the big pause @ timestamp12:02:27 https://www.mediafire.com/file/fc22ls...