Skip to main content

connectivity troubleshooting

NAS Connectivity Troubleshooting

Master Configuration: /Volumes/AgentPlatform/repos/bare/blueflyio/config.json

Tokens Used: All IPs, domains, paths reference master config.json tokens. See master config.json for authoritative values.

Issue: CrowdStrike Falcon Throttling Tailscale SMB Connections

Symptoms

  • NAS connection drops intermittently
  • Extremely high latency (2000-3000ms ping times vs expected <10ms)
  • SMB mount failures with "server not available" errors
  • Tailscale shows "relay" connection instead of "direct"
  • dmesg logs show repeated ES_AUTH_RESULT_DENY messages

Root Cause

CrowdStrike Falcon Endpoint Security inspects and throttles SMB traffic over Tailscale VPN, causing:

  • Packet inspection delays (2-3 seconds per packet)
  • Connection timeouts
  • Mount point disconnections

Solution: Split Configuration Strategy

Use local network IP on home machines, Tailscale for remote access.

For Machines on Local Network (192.168.68.x)

Add NAS hostname to /etc/hosts to bypass Tailscale:

# Add local IP resolution
echo "192.168.68.60 blueflyNAS blueflyNAS.local" | sudo tee -a /etc/hosts

# Flush DNS cache (macOS)
sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder

# Flush DNS cache (Linux)
sudo systemd-resolve --flush-caches  # systemd-resolved
sudo service nscd restart            # nscd

Result: Forces blueflyNAS to resolve to local IP, bypassing Tailscale and CrowdStrike throttling.

Latency improvement:

  • Before: 2000-3000ms (via Tailscale with CrowdStrike inspection)
  • After: 10-60ms (direct local network)

For Remote/Traveling Machines

Do NOT add hosts entry. Let Tailscale handle routing:

  • Accept higher latency as necessary for remote access
  • Connection goes through Tailscale with CrowdStrike inspection
  • Still functional, just slower

Verification

# Test latency before fix (via Tailscale)
ping -c 5 100.104.119.76
# Expected: 2000-3000ms latency

# Test latency after fix (via local network)
ping -c 5 blueflyNAS
# Expected: 10-60ms latency

# Verify mount
mount | grep AgentPlatform
# Should show: //bluefly@blueflyNAS/AgentPlatform on /Volumes/AgentPlatform

# Test NAS access speed
time ls $NAS_MOUNT/repos/bare/blueflyio/
# Expected: <1 second

Architecture Decision

Why Split Configuration?

  1. Network-aware routing: Each machine uses optimal path
  2. No single point of failure: Local and remote access both work
  3. No CrowdStrike reconfiguration needed: Workaround at network layer
  4. Maintainable: Set once, works forever

Trade-offs:

Pros:

  • Fast local access (no CrowdStrike throttling)
  • Works across all machines (home and remote)
  • No IT department approvals needed
  • Tailscale still available as fallback

Cons:

  • Different configuration per machine type
  • Must remember which machines have hosts entry
  • Remote access still throttled (but functional)

Alternative Solutions Considered

1. Whitelist Tailscale in CrowdStrike

Status: Requires corporate IT approval Risk: May violate security policies Result: Not pursued

2. Disable CrowdStrike

Status: Not possible (corporate requirement) Risk: Security policy violation Result: Not feasible

3. Use Different VPN

Status: Would require rebuilding network infrastructure Risk: High effort, same CrowdStrike throttling likely Result: Not worth effort

4. NFS Instead of SMB

Status: Tested, NFS exports empty Risk: SMB-only NAS configuration Result: Not available

Maintenance

When to Update:

  1. NAS IP changes (unlikely with DHCP reservation)

    # Find new IP
arp -a | grep -i synology

# Update /etc/hosts
sudo sed -i '' 's/192.168.68.60/NEW_IP_HERE/' /etc/hosts
sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder

  2. New machine setup

    • Local network machine: Add hosts entry
    • Remote machine: Skip hosts entry

  3. Traveling with local machine

    • Hosts entry harmless when away from home
    • Falls back to Tailscale automatically

Technical Details

NAS Information:

  • Model: Synology DS224+
  • Local IP: 192.168.68.60 (DHCP reservation)
  • Tailscale IP: 100.104.119.76
  • Tailscale hostname: $TAILSCALE_HOSTNAME
  • Share name: AgentPlatform
  • Protocol: SMB (port 445)

Network Configuration:

  • Local network: 192.168.68.0/24
  • Tailscale network: 100.64.0.0/10
  • Router: 192.168.68.1

CrowdStrike Falcon:

  • Product: CrowdStrike Falcon Sensor
  • Version: 7.33/205.03
  • Type: Endpoint Security Extension
  • Behavior: Deep packet inspection on all network traffic

Related Documentation

Issue History

  • 2026-01-26: Issue identified and resolved with hosts file workaround
  • Observed behavior: 2000-3000ms latency via Tailscale, 10-60ms via local network
  • Root cause: CrowdStrike Falcon endpoint security throttling Tailscale traffic

Support

If you encounter this issue:

  1. Verify symptoms: Check latency with ping 100.104.119.76
  2. Check CrowdStrike: Look for ES_AUTH_RESULT_DENY in system logs
  3. Apply workaround: Add hosts entry if on local network
  4. Document: Update this wiki page if new patterns emerge

Status: Active workaround in production Last Updated: 2026-01-31 (DRY audit - tokens added) Maintainer: Infrastructure team