I'm probably doing something incredibly stupid, but I just can't seem to figure out what. Here's what I'm trying to accomplish: I want remote users to be able to log into our network, so I set up a Windows Server 2008 VPN server as a VM in XenCenter. Let's call him Benjamin. He's also doubling as a file server.
So far, what works:
- Remote VPN Login with Mac, Windows and iOS Clients
- Access to the file shares on Benjamin
- Ping to all hosts on the local network and on the internet, even with big packets (>1000 bytes)
What doesn't: I can't establish any TCP connection (SSH, HTTP, …) to hosts on the local network besides Benjamin itself. In Wireshark, I can see the SYN and SYN-ACKs on both the client and the computer I'm trying to reach, but there's never an ACK. (Funnily, in the Wireshark logs I prepared there are some DUP ACKs for some reason, and they are exactly the wrong way around from how it should be. I have no idea why.)
There was a problem before with even pinging anything besides Benjamin, but I solved that by disabling IP checksum offloading on Benjamin (somehow it didn't work, and packets were being thrown away).
I tried setting really small MTUs on my client, setting the gateway to Benjamin on the computer in the internal network, and lots of other stuff, but nothing helped.
I suspect it's some kind of routing issue, but those ACKs are nowhere to be found. Any ideas? Where should I investigate further? Thanks in advance!
Update: Weird thing I just discovered: when I try to ssh from the internal network into the VPN client, the client gets the SYN (I see it in Wireshark), but again, he never responds. I get the feeling that it has to be some configuration issue on the clients, but on all of them? And what could it be? There's no firewall, and according to Wireshark, the packet looks valid (checksum and all). Does anyone know why it wouldn't respond to either a SYN or a SYN-ACK when there's no firewall which could throw away those packets?
Update 2: To add to the confusion, I've just confirmed that using netcat and UDP, everything works correctly, in both directions (nc listening on internal network host and on the VPN client). Maybe TCP just doesn't like me anymore?
Here's some more information:
Local net: 172.17.0.0/16
Router: 172.17.0.1 (Port Forwarding TCP 1701, UDP 500 and 4500)
XenServer: 172.17.0.10
Benjamin: 172.17.1.1
VPN DHCP range: 172.17.7.1..240
Wireshark log on the client (172.17.7.2 when in the VPN):
No. Time Source Destination Protocol Length Info
1 0.000000 172.17.4.4 172.17.7.2 TCP 68 ssh > 61653 [SYN, ACK] Seq=0 Ack=0 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641695654 TSecr=440887504 SACK_PERM=1
Frame 1: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61653 (61653), Seq: 0, Ack: 0, Len: 0
No. Time Source Destination Protocol Length Info
2 5.337197 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887658 TSecr=0 SACK_PERM=1
Frame 2: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
3 5.479947 172.17.4.4 172.17.7.2 TCP 68 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641701208 TSecr=440887658 SACK_PERM=1
Frame 3: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 0, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
4 6.256638 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887667 TSecr=0 SACK_PERM=1
Frame 4: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
5 6.449901 172.17.4.4 172.17.7.2 TCP 56 [TCP Dup ACK 3#1] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641702152 TSecr=440887667
Frame 5: 56 bytes on wire (448 bits), 56 bytes captured (448 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
6 6.609908 172.17.4.4 172.17.7.2 TCP 68 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641702305 TSecr=440887667 SACK_PERM=1
Frame 6: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 0, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
7 7.258316 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887677 TSecr=0 SACK_PERM=1
Frame 7: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
8 7.450032 172.17.4.4 172.17.7.2 TCP 56 [TCP Dup ACK 6#1] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641703139 TSecr=440887677
Frame 8: 56 bytes on wire (448 bits), 56 bytes captured (448 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
9 8.259938 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887687 TSecr=0 SACK_PERM=1
Frame 9: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
10 8.490122 172.17.4.4 172.17.7.2 TCP 56 [TCP Dup ACK 6#2] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641704143 TSecr=440887687
Frame 10: 56 bytes on wire (448 bits), 56 bytes captured (448 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
11 9.249943 172.17.4.4 172.17.7.2 TCP 68 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641704904 TSecr=440887687 SACK_PERM=1
Frame 11: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 0, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
12 9.261766 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887697 TSecr=0 SACK_PERM=1
Frame 12: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
13 9.430047 172.17.4.4 172.17.7.2 TCP 56 [TCP Dup ACK 11#1] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641705119 TSecr=440887697
Frame 13: 56 bytes on wire (448 bits), 56 bytes captured (448 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
14 10.263852 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887707 TSecr=0 SACK_PERM=1
Frame 14: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
15 10.439839 172.17.4.4 172.17.7.2 TCP 56 [TCP Dup ACK 11#2] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641706132 TSecr=440887707
Frame 15: 56 bytes on wire (448 bits), 56 bytes captured (448 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
16 12.267344 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887727 TSecr=0 SACK_PERM=1
Frame 16: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
17 12.469629 172.17.4.4 172.17.7.2 TCP 56 [TCP Dup ACK 11#3] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641708126 TSecr=440887727
Frame 17: 56 bytes on wire (448 bits), 56 bytes captured (448 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
18 16.719912 172.17.4.4 172.17.7.2 TCP 68 ssh > 61653 [SYN, ACK] Seq=0 Ack=0 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641712353 TSecr=440887504 SACK_PERM=1
Frame 18: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61653 (61653), Seq: 0, Ack: 0, Len: 0
No. Time Source Destination Protocol Length Info
19 21.679611 172.17.4.4 172.17.7.2 TCP 68 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641717388 TSecr=440887727 SACK_PERM=1
Frame 19: 68 bytes on wire (544 bits), 68 bytes captured (544 bits)
Point-to-Point Protocol
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 0, Ack: 1, Len: 0
Wireshark log on the computer in the local network (172.17.4.4):
No. Time Source Destination Protocol Length Info
1 0.000000 172.17.7.2 172.17.4.4 TCP 78 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887658 TSecr=0 SACK_PERM=1
Frame 1: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec), Dst: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff)
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
2 0.000102 172.17.4.4 172.17.7.2 TCP 78 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641701208 TSecr=440887658 SACK_PERM=1
Frame 2: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 0, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
3 0.950403 172.17.7.2 172.17.4.4 TCP 78 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887667 TSecr=0 SACK_PERM=1
Frame 3: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec), Dst: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff)
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
4 0.950567 172.17.4.4 172.17.7.2 TCP 66 [TCP Dup ACK 2#1] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641702152 TSecr=440887667
Frame 4: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
5 1.104130 172.17.4.4 172.17.7.2 TCP 78 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641702305 TSecr=440887667 SACK_PERM=1
Frame 5: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 0, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
6 1.940779 172.17.7.2 172.17.4.4 TCP 78 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887677 TSecr=0 SACK_PERM=1
Frame 6: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec), Dst: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff)
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
7 1.940962 172.17.4.4 172.17.7.2 TCP 66 [TCP Dup ACK 5#1] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641703139 TSecr=440887677
Frame 7: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
8 2.950009 172.17.7.2 172.17.4.4 TCP 78 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887687 TSecr=0 SACK_PERM=1
Frame 8: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec), Dst: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff)
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
9 2.950198 172.17.4.4 172.17.7.2 TCP 66 [TCP Dup ACK 5#2] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641704143 TSecr=440887687
Frame 9: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
10 3.714242 172.17.4.4 172.17.7.2 TCP 78 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641704904 TSecr=440887687 SACK_PERM=1
Frame 10: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 0, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
11 3.929627 172.17.7.2 172.17.4.4 TCP 78 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887697 TSecr=0 SACK_PERM=1
Frame 11: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec), Dst: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff)
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
12 3.929819 172.17.4.4 172.17.7.2 TCP 66 [TCP Dup ACK 10#1] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641705119 TSecr=440887697
Frame 12: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
13 4.949931 172.17.7.2 172.17.4.4 TCP 78 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887707 TSecr=0 SACK_PERM=1
Frame 13: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec), Dst: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff)
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
14 4.950122 172.17.4.4 172.17.7.2 TCP 66 [TCP Dup ACK 10#2] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641706132 TSecr=440887707
Frame 14: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
15 6.950093 172.17.7.2 172.17.4.4 TCP 78 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887727 TSecr=0 SACK_PERM=1
Frame 15: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec), Dst: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff)
Internet Protocol Version 4, Src: 172.17.7.2 (172.17.7.2), Dst: 172.17.4.4 (172.17.4.4)
Transmission Control Protocol, Src Port: 61655 (61655), Dst Port: ssh (22), Seq: 0, Len: 0
No. Time Source Destination Protocol Length Info
16 6.950281 172.17.4.4 172.17.7.2 TCP 66 [TCP Dup ACK 10#3] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641708126 TSecr=440887727
Frame 16: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 1, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
17 7.955752 172.17.4.4 172.17.7.2 TCP 78 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641709126 TSecr=440887727 SACK_PERM=1
Frame 17: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 0, Ack: 1, Len: 0
No. Time Source Destination Protocol Length Info
18 11.196585 172.17.4.4 172.17.7.2 TCP 78 ssh > 61653 [SYN, ACK] Seq=0 Ack=0 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641712353 TSecr=440887504 SACK_PERM=1
Frame 18: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61653 (61653), Seq: 0, Ack: 0, Len: 0
No. Time Source Destination Protocol Length Info
19 16.252632 172.17.4.4 172.17.7.2 TCP 78 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641717388 TSecr=440887727 SACK_PERM=1
Frame 19: 78 bytes on wire (624 bits), 78 bytes captured (624 bits)
Ethernet II, Src: Apple_4e:5b:ff (c8:2a:14:4e:5b:ff), Dst: c6:4f:51:a3:48:ec (c6:4f:51:a3:48:ec)
Internet Protocol Version 4, Src: 172.17.4.4 (172.17.4.4), Dst: 172.17.7.2 (172.17.7.2)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 61655 (61655), Seq: 0, Ack: 1, Len: 0
Potentially related Server Fault questions, but they didn't help me so far:
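Added example, not part of the question above: a small script that reads Wireshark summary lines like the ones posted and tallies the three handshake steps per connection, so the asymmetry in the capture (SYNs out, SYN-ACKs in, no third ACK from the client) can be checked mechanically rather than by eye. The embedded lines are copied from the client-side capture above; the port-name table and the regex for Wireshark's one-line summary format are my own assumptions and cover only the fields this capture uses.

```python
import re
from collections import defaultdict

# Summary lines copied from the client-side capture above (172.17.7.2 is the
# VPN client, 172.17.4.4 the LAN host); only a subset of the 19 frames is kept.
CLIENT_CAPTURE = """\
2 5.337197 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887658 TSecr=0 SACK_PERM=1
3 5.479947 172.17.4.4 172.17.7.2 TCP 68 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641701208 TSecr=440887658 SACK_PERM=1
4 6.256638 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887667 TSecr=0 SACK_PERM=1
5 6.449901 172.17.4.4 172.17.7.2 TCP 56 [TCP Dup ACK 3#1] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641702152 TSecr=440887667
6 6.609908 172.17.4.4 172.17.7.2 TCP 68 ssh > 61655 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641702305 TSecr=440887667 SACK_PERM=1
7 7.258316 172.17.7.2 172.17.4.4 TCP 68 61655 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1240 WS=8 TSval=440887677 TSecr=0 SACK_PERM=1
8 7.450032 172.17.4.4 172.17.7.2 TCP 56 [TCP Dup ACK 6#1] ssh > 61655 [ACK] Seq=1 Ack=1 Win=262140 Len=0 TSval=1641703139 TSecr=440887677
18 16.719912 172.17.4.4 172.17.7.2 TCP 68 ssh > 61653 [SYN, ACK] Seq=0 Ack=0 Win=65535 Len=0 MSS=1060 WS=4 TSval=1641712353 TSecr=440887504 SACK_PERM=1
"""

# Wireshark prints well-known ports by name; map the few we expect (assumed table).
PORT_NAMES = {"ssh": 22, "http": 80, "https": 443}

# One summary line: No. Time Src Dst TCP Len [optional analysis tag] sport > dport [FLAGS] ...
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?:\[TCP [^\]]*\]\s+)?(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[A-Z, ]+)\]"
)


def port(name):
    return PORT_NAMES.get(name) or int(name)


def parse(capture):
    """Yield one dict per TCP summary line; lines that don't match are skipped."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {
                "src": m["src"], "dst": m["dst"],
                "sport": port(m["sport"]), "dport": port(m["dport"]),
                "flags": frozenset(f.strip() for f in m["flags"].split(",")),
            }


def handshake_report(capture):
    """Group packets per connection, keyed by (client, cport, server, sport),
    and count the handshake steps seen in this capture."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "client_ack": 0, "server_ack": 0})
    for p in parse(capture):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])  # as if src is the client
        rev = (p["dst"], p["dport"], p["src"], p["sport"])  # as if src is the server
        if p["flags"] == {"SYN"}:
            flows[fwd]["syn"] += 1
        elif p["flags"] == {"SYN", "ACK"}:
            flows[rev]["synack"] += 1
        elif p["flags"] == {"ACK"}:
            # A bare ACK: attribute it to whichever side of a known flow sent it.
            if fwd in flows:
                flows[fwd]["client_ack"] += 1
            elif rev in flows:
                flows[rev]["server_ack"] += 1
    for c in flows.values():
        if c["syn"] == 0:
            c["verdict"] = "SYN-ACK seen but no SYN: handshake started before the capture"
        elif c["synack"] == 0:
            c["verdict"] = "SYN never answered"
        elif c["client_ack"] == 0:
            c["verdict"] = "half-open: client got the SYN-ACK but never sent the third ACK"
        else:
            c["verdict"] = "handshake completed"
    return dict(flows)


if __name__ == "__main__":
    for flow, counts in handshake_report(CLIENT_CAPTURE).items():
        print(flow, counts)
```

For the posted lines the script reports the 61655 flow as half-open (3 SYNs, 2 SYN-ACKs, 2 bare ACKs from the server, none from the client). The bare ACKs are the "wrong way around" duplicates: the capture shows the server answering each retransmitted SYN with a plain ACK (Seq=1 Ack=1) while separately retransmitting its SYN-ACK, which is why Wireshark tags them as Dup ACKs. Running the same script over the LAN-side capture gives identical counts, confirming the packets themselves are arriving and the drop happens inside the client after receipt.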
I would start by taking a look at your masking. If the general hosts are in 172.17.0.0/16 and your VPN subnet is in 172.17.7.0/24 then it's entirely possible for there to be some uncertain connectivity situations.
A general host in 172.17.0.0/16 when sending a packet to a VPN host in 172.17.7.0/24 will attempt to ARP for the VPN host's address (rather than sending it to a gateway).
The VPN host, in turn, tries to send a frame to a host in the general subnet. It's going to send via its gateway. If this gateway is a member of both the /24 and the /16 then you've got a similar problem - either it's an illegal configuration or the packet is actually being bridged rather than routed.
It's possible you have proxy-arp configured - that would cause a routing device to answer ARP requests in the larger subnet for a host it has a route to, but this isn't clear from your posted materials.
It's also possible that you have bridging set up somewhere in the mix. This could yield some strange situations as a standard ARP would work in one direction but in the other some sort of gateway would be called upon to forward a nominally routed frame back out the receiving interface - which, again, might work in some circumstances but isn't good (nb - this could be a source of duplicate ACKs).
Can you put your VPN hosts in a non-overlapping subnet? Say give it a 172.18.x.x address and then configure routing between the gateway for this new subnet and the default gateway for 172.17.0.0/16? At a minimum this would make the whole thing simpler to troubleshoot and it very well might fix things.
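Added example, not part of the answer above: a toy first-hop model that applies the answer's reasoning to the addresses in the question. It does a longest-prefix route lookup for each host, reports whether that host will ARP for the destination itself or hand the packet to a gateway, and shows who would answer an ARP request for a VPN address on the LAN segment with and without proxy ARP on Benjamin. The routing tables, interface names and Benjamin's VPN-side address (172.17.7.1, and 172.18.7.1 after renumbering) are assumptions built from the question; only the LAN addresses come from the page, and point-to-point PPP links are simplified to look like on-link routes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str            # destination prefix, e.g. "172.17.0.0/16"
    via: Optional[str]     # next-hop address, or None when directly connected
    iface: str


def lookup(routes, dst):
    """Longest-prefix match over a host's routing table, as a kernel FIB does."""
    d = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if d in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def forwarding_decision(routes, dst):
    """('arp', dst, iface) if the host treats dst as on-link and will ARP for it
    itself, ('gateway', next_hop, iface) if it hands the packet to a router,
    ('unreachable', None, None) if nothing matches."""
    r = lookup(routes, dst)
    if r is None:
        return ("unreachable", None, None)
    if r.via is None:
        return ("arp", dst, r.iface)
    return ("gateway", r.via, r.iface)


def arp_responders(segment_hosts, proxy_arp_routers, target):
    """Who would answer an ARP request for target on one Ethernet segment: the
    host that owns the address, plus any proxy-ARP router that has a route to
    it out of a different interface than the one the request arrived on."""
    owners = [n for n, ip in segment_hosts.items() if ip == target]
    proxies = []
    for n, (routes, lan_iface) in proxy_arp_routers.items():
        r = lookup(routes, target)
        if r is not None and r.iface != lan_iface:
            proxies.append(n)
    return owners + proxies


# Addresses from the question. Interface names, Benjamin's VPN-side address
# (172.17.7.1) and the exact routing tables are assumptions.
LAN_SEGMENT = {"router": "172.17.0.1", "xenserver": "172.17.0.10",
               "benjamin": "172.17.1.1", "lanhost": "172.17.4.4"}
LAN_HOST_NOW = [Route("172.17.0.0/16", None, "en0"),
                Route("0.0.0.0/0", "172.17.0.1", "en0")]
VPN_CLIENT_NOW = [Route("172.17.7.0/24", None, "ppp0"),
                  Route("172.17.0.0/16", "172.17.7.1", "ppp0")]
BENJAMIN_NOW = [Route("172.17.0.0/16", None, "eth0"),
                Route("172.17.7.0/24", None, "ras0"),
                Route("0.0.0.0/0", "172.17.0.1", "eth0")]

# The answer's proposal: VPN clients in a separate 172.18.7.0/24, reached
# from the LAN through the default gateway, which routes it to Benjamin.
VPN_CLIENT_FIXED = [Route("172.18.7.0/24", None, "ppp0"),
                    Route("172.17.0.0/16", "172.18.7.1", "ppp0")]
ROUTER_FIXED = [Route("172.17.0.0/16", None, "lan0"),
                Route("172.18.7.0/24", "172.17.1.1", "lan0")]


if __name__ == "__main__":
    print("today, LAN host -> VPN client:", forwarding_decision(LAN_HOST_NOW, "172.17.7.2"))
    print("today, VPN client -> LAN host:", forwarding_decision(VPN_CLIENT_NOW, "172.17.4.4"))
    print("ARP for 172.17.7.2, no proxy ARP:", arp_responders(LAN_SEGMENT, {}, "172.17.7.2"))
    print("ARP for 172.17.7.2, proxy ARP on Benjamin:",
          arp_responders(LAN_SEGMENT, {"benjamin": (BENJAMIN_NOW, "eth0")}, "172.17.7.2"))
    print("renumbered, LAN host -> VPN client:", forwarding_decision(LAN_HOST_NOW, "172.18.7.2"))
    print("renumbered, VPN client -> LAN host:", forwarding_decision(VPN_CLIENT_FIXED, "172.17.4.4"))
    print("renumbered, router -> VPN client:", forwarding_decision(ROUTER_FIXED, "172.18.7.2"))
```

With the overlapping layout the LAN host treats 172.17.7.2 as on-link and ARPs for it, and nothing on the segment answers unless Benjamin does proxy ARP (or bridges), while the VPN client sends the reverse direction through its gateway: the asymmetry the answer describes. After renumbering to 172.18.7.0/24 every hop in both directions is a routed decision through 172.17.0.1 and Benjamin, which is what makes the path symmetric and easy to trace. The model only covers first-hop choices; it does not by itself explain why the client discards a SYN-ACK it demonstrably received, but it removes the ambiguity that would otherwise have to be ruled out first.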