Remote sensor not sending logs :(Failed to connect to backoff):

[lugashisnotafed]

Hey everyone,
I'm having an issue similar to what I've seen a few users have, but the resolution was fixed with IPTABLES and DNATing.

Which I guess makes sense but I'm not sure how or why.
Here's my issue.
New AWS deployment, trying ot pull logs from on prem as well. All ports allowed in security groups from site ip (just in case) but we are using vpn. We are going with wireguard because it's simple. Setup looks like this:

SITE 1 SENSOR ------->Wireguardgateway ------>Manager

Sensor can ping join all that fun stuff with manager, everything is green, devices is on grid yadda yadda, but the logs are not being sent via filebate/logstash. I've confirmed Suricata is generating alerts and Zeek is pulling metadata. I did the telnet thing ports appear to be open so it doesn't appear to be a routing/fw issue but I have to admit I'm not exactly an elk pro.

I'm getting the errors below from the filebeat logs
.
Any guidance would be greatly appreciated

Manager:

2022-06-07T18:07:19.228Z        WARN    [cfgwarn]       registered_domain/registered_domain.go:61       BETA: The registered_domain processor is beta.
2022-06-07T18:28:11.564Z        ERROR   [logstash]      logstash/async.go:280   Failed to publish events caused by: EOF
2022-06-07T18:28:11.566Z        ERROR   [logstash]      logstash/async.go:280   Failed to publish events caused by: client is not connected
2022-06-07T18:28:12.946Z        ERROR   [publisher_pipeline_output]     pipeline/output.go:180  failed to publish events: client is not connected

Sensor:

2022-06-07T18:31:56.122Z        ERROR   [publisher_pipeline_output]     pipeline/output.go:154  Failed to connect to backoff(async(tcp://prdonionmaster:5644)): read tcp 172.17.0.10:52078->10.100.0.173:5644: read: connection reset by peer
2022-06-07T18:32:46.456Z        ERROR   [publisher_pipeline_output]     pipeline/output.go:154  Failed to connect to backoff(async(tcp://prdonionmaster:5644)): read tcp 172.17.0.10:52090->10.100.0.173:5644: read: connection reset by peer
2022-06-07T18:33:30.925Z        ERROR   [publisher_pipeline_output]     pipeline/output.go:154  Failed to connect to backoff(async(tcp://prdonionmaster:5644)): read tcp 172.17.0.10:52154->10.100.0.173:5644: read: connection reset by peer
2022-06-07T18:34:14.519Z        ERROR   [publisher_pipeline_output]     pipeline/output.go:154  Failed to connect to backoff(async(tcp://prdonionmaster:5644)): read tcp 172.17.0.10:52202->10.100.0.173:5644: read: connection reset by peer
2022-06-07T18:35:03.178Z        ERROR   [publisher_pipeline_output]     pipeline/output.go:154  Failed to connect to backoff(async(tcp://prdonionmaster:5644)): read tcp 172.17.0.10:52244->10.100.0.173:5644: read: connection reset by peer

Thanks

[lugashisnotafed]

UPDATE:
Resolved the issue.
Changed mss on the VPN gateway and filebeat worked.
Came to the conclusion after doing packet capture and seeing tons of transmission requests and broken coms.
Hope this helps someone down the road.

[ebdavison]

what did you change the MSS from/to?