Hello Team,
I have an issue with my remote Proxmox lab environment. I reach the lab over a WireGuard tunnel that is established between my local VyOS firewall and a remote MikroTik router. I'm experiencing login issues with the web UI, however SSH access works perfectly. Also, the web UI sometimes works and sometimes does not.
Another interesting fact is that when I reboot the remote Proxmox server, login works better for 5 mins, but afterwards it starts failing randomly with the following message:

I tried the following things:
1. I tried logging in and checked the logs
Code:
● pvedaemon.service - PVE API Daemon
Loaded: loaded (/lib/systemd/system/pvedaemon.service; enabled; preset: enabled)
Active: active (running) since Sat 2025-03-22 18:47:13 CET; 18h ago
Main PID: 1165 (pvedaemon)
Tasks: 4 (limit: 19004)
Memory: 188.5M
CPU: 5.722s
CGroup: /system.slice/pvedaemon.service
├─1165 pvedaemon
├─1166 "pvedaemon worker"
├─1167 "pvedaemon worker"
└─1168 "pvedaemon worker"
Mar 22 20:01:13 sv-1 pvedaemon[1167]: <root@pam> successful auth for user 'user@pam'
Mar 22 20:03:23 sv-1 pvedaemon[1166]: <root@pam> successful auth for user 'user@pam'
It shows all the time that the auth is successful.
I have my root user deactivated, I only use custom admin users.
2. I opened a VNC session to another machine onsite, login works perfectly.
3. I removed all PBS storages, and firewall rules, also turned off firewall completely. It didn't help.
4. I have 2FA enabled, I tried to check NTP times, all looks ok. I also disabled 2FA, then it's a bit better but not perfect.
5. I suspect an MTU/MSS issue, so I tried clamping the MSS and lowering the MTU on both the MikroTik and VyOS side - it didn't help.
6. I allowed all firewall between the 2 networks - also didn't help
So I picked up Wireshark and made a packet capture of the connection. It seems that the client is sending ACKs to the server every second. After the auth is successful the server wants to send a FIN,ACK, but that's treated as an invalid session by the MikroTik FW and/or the VyOS firewall and gets dropped. It looks like that FIN,ACK part is treated as a new session by the firewalls, but I have no clue why:

Did anyone see similar problems? All ideas are highly appreciated!
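One way to confirm where a FIN,ACK like the one described above disappears is to capture on both ends of the tunnel and diff the two captures. The following is an added example, not part of the original post: the row format, addresses and ports are constructed, and it assumes no NAT between the two capture points.

```python
# Added example: list TCP segments one side transmitted that the far-side
# capture never saw, i.e. segments dropped somewhere in the path.
# Row format and every address/port below are constructed for illustration.
import csv
from collections import Counter
from io import StringIO

FIELDS = ["time", "src", "sport", "dst", "dport", "flags", "seq", "ack"]

# Constructed capture taken next to the server (192.0.2.10, web UI port).
SERVER_SIDE = """\
10.0,192.0.2.10,8006,198.51.100.20,51514,PSH|ACK,1000,500
10.1,198.51.100.20,51514,192.0.2.10,8006,ACK,500,1200
11.1,198.51.100.20,51514,192.0.2.10,8006,ACK,500,1200
12.0,192.0.2.10,8006,198.51.100.20,51514,FIN|ACK,1200,500
12.2,192.0.2.10,8006,198.51.100.20,51514,FIN|ACK,1200,500
12.6,192.0.2.10,8006,198.51.100.20,51514,FIN|ACK,1200,500
"""

# Constructed capture taken on the client: the FIN,ACK never arrives.
CLIENT_SIDE = """\
10.0,192.0.2.10,8006,198.51.100.20,51514,PSH|ACK,1000,500
10.1,198.51.100.20,51514,192.0.2.10,8006,ACK,500,1200
11.1,198.51.100.20,51514,192.0.2.10,8006,ACK,500,1200
"""


def load(text):
    """Count segments by identity (every field except the timestamp)."""
    rows = csv.DictReader(StringIO(text), fieldnames=FIELDS)
    return Counter(tuple(r[f] for f in FIELDS[1:]) for r in rows)


def dropped_in_path(sent_side, recv_side, sender_ip):
    """Segments sender_ip transmitted that the other capture is missing."""
    sent = Counter({k: n for k, n in load(sent_side).items() if k[0] == sender_ip})
    # Multiset difference, so retransmissions are counted individually.
    missing = sent - load(recv_side)
    return [
        {"flags": k[4], "seq": int(k[5]), "sent": sent[k], "lost": n}
        for k, n in sorted(missing.items())
    ]


if __name__ == "__main__":
    for seg in dropped_in_path(SERVER_SIDE, CLIENT_SIDE, "192.0.2.10"):
        print(seg)
```

Adding a third capture point between the two firewalls and running the same comparison pairwise shows which device discards the segment.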