Netgate Discussion Forum
    OpenVPN clients flip status every 120 seconds

    OpenVPN
    3 Posts 2 Posters 647 Views
    dims

      I am connecting to two OpenVPN servers using pfSense's OpenVPN clients.

      The connections work, but every 120 seconds they turn from available to unavailable and back. I.e. ping works for 120 seconds, then it stops working and doesn't work for 120 seconds, then it starts working again, and so on.

      Each period lasts 120 seconds very precisely.

      The log is as follows:

      [server] Inactivity timeout (--ping-restart), restarting
      SIGUSR1[soft,ping-restart] received, process restarting
      Restart pause, 2 second(s)
      WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
      NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Socket Buffers: R=[42080->42080] S=[57344->57344]
      UDPv4 link local (bound): [AF_INET]MY.SE.RV.ER
      UDPv4 link remote: [AF_INET]MY.SE.RV.ER:1194
      TLS: Initial packet from [AF_INET]MYSERVER:1194, sid=e1f19b04 500620f5
      VERIFY OK: ...
      VERIFY OK: ...
      Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
      WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
      Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
      WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
      Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
      Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
      [server] Peer Connection Initiated with [AF_INET]MY.SE.RV.ER:1194
      SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
      PUSH: Received control message: 'PUSH_REPLY,route 10.10.0.0 255.255.255.0,route-gateway 10.11.0.1,ping 10,ping-restart 120,ifconfig 10.11.0.34 255.255.255.0'
      OPTIONS IMPORT: timers and/or timeouts modified
      OPTIONS IMPORT: --ifconfig/up options modified
      OPTIONS IMPORT: route options modified
      OPTIONS IMPORT: route-related options modified
      Preserving previous TUN/TAP instance: ovpnc5
      Initialization Sequence Completed

        Derelict LAYER 8 Netgate

        Sounds like what you get when you have two clients connecting to the same server using the same credentials and have duplicate connections disabled.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
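Added diagnostic, not from the original thread and not Netgate's or OpenVPN's code: a Python script that parses pfSense-style OpenVPN client log lines and checks two things the posts above raise. First, whether the session-length pattern fits Derelict's explanation (two clients presenting the same certificate to a server that does not allow duplicate connections, so each new session evicts the other): a `--ping-restart` only fires after `ping-restart` seconds with no traffic from the server, so the last 120 seconds of every session were already dead, and if the remaining "working" part is also about 120 seconds the two clients are taking turns. Second, which warnings in dims's log are security problems in their own right, independent of the flapping: no server certificate verification (`remote-cert-tls server` missing), a 64-bit block cipher on the data channel (SWEET32), and a TLS 1.0 control channel. The sample log, hostname `fw`, pid 1234 and all timestamps are constructed; the eviction test is my reasoning about `--ping-restart` timing, not something the thread states.

```python
import re
from datetime import datetime
from statistics import mean

# Constructed sample in pfSense syslog form, modelled on the lines quoted in the
# original post. Hostname "fw", pid 1234 and every timestamp are made up.
SAMPLE_LOG = """\
Jan  1 10:00:00 fw openvpn[1234]: Initialization Sequence Completed
Jan  1 10:04:02 fw openvpn[1234]: [server] Inactivity timeout (--ping-restart), restarting
Jan  1 10:04:02 fw openvpn[1234]: SIGUSR1[soft,ping-restart] received, process restarting
Jan  1 10:04:02 fw openvpn[1234]: Restart pause, 2 second(s)
Jan  1 10:04:04 fw openvpn[1234]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan  1 10:04:05 fw openvpn[1234]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan  1 10:04:05 fw openvpn[1234]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Jan  1 10:04:05 fw openvpn[1234]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jan  1 10:04:06 fw openvpn[1234]: PUSH: Received control message: 'PUSH_REPLY,route 10.10.0.0 255.255.255.0,route-gateway 10.11.0.1,ping 10,ping-restart 120,ifconfig 10.11.0.34 255.255.255.0'
Jan  1 10:04:06 fw openvpn[1234]: Initialization Sequence Completed
Jan  1 10:08:08 fw openvpn[1234]: [server] Inactivity timeout (--ping-restart), restarting
Jan  1 10:08:08 fw openvpn[1234]: SIGUSR1[soft,ping-restart] received, process restarting
Jan  1 10:08:12 fw openvpn[1234]: Initialization Sequence Completed
Jan  1 10:12:14 fw openvpn[1234]: [server] Inactivity timeout (--ping-restart), restarting
"""

TS_FORMAT = "%b %d %H:%M:%S"  # syslog timestamp, no year (fine for differences)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ openvpn\[\d+\]: (?P<msg>.*)$"
)

# Warnings from the posted log that are security findings regardless of the flapping.
FINDING_RULES = [
    (re.compile(r"No server certificate verification method has been enabled"),
     "no-server-cert-check",
     "add 'remote-cert-tls server' so a leaked client certificate cannot impersonate the server"),
    (re.compile(r"INSECURE cipher with block size less than 128 bit"),
     "sweet32-cipher",
     "64-bit block cipher on the data channel; move both ends to AES-256-GCM (or AES-256-CBC)"),
    (re.compile(r"Control Channel: TLSv1,"),
     "tls10-control-channel",
     "control channel negotiated TLS 1.0; set 'tls-version-min 1.2' on server and clients"),
]


def parse_events(log_text):
    """Return [(timestamp, message)] for every line that looks like an OpenVPN log line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FORMAT), m["msg"]))
    return events


def pushed_ping_restart(events):
    """The ping-restart value the server pushed in PUSH_REPLY, or None."""
    for _, msg in events:
        m = re.search(r"PUSH_REPLY.*?ping-restart (\d+)", msg)
        if m:
            return int(m.group(1))
    return None


def session_lengths(events):
    """Seconds from each 'Initialization Sequence Completed' to the next ping-restart."""
    lengths, start = [], None
    for ts, msg in events:
        if msg == "Initialization Sequence Completed":
            start = ts
        elif "Inactivity timeout (--ping-restart)" in msg and start is not None:
            lengths.append(int((ts - start).total_seconds()))
            start = None
    return lengths


def security_findings(events):
    """(tag, advice) for each FINDING_RULES pattern seen, once each, in log order."""
    found = {}
    for _, msg in events:
        for pattern, tag, advice in FINDING_RULES:
            if tag not in found and pattern.search(msg):
                found[tag] = advice
    return list(found.items())


def diagnose(log_text):
    events = parse_events(log_text)
    pr = pushed_ping_restart(events)
    lengths = session_lengths(events)
    result = {"ping_restart": pr, "sessions": lengths, "findings": security_findings(events)}
    if pr and lengths:
        # A ping-restart fires only after pr seconds of silence from the server, so the
        # last pr seconds of every session were already dead; only (length - pr) worked.
        working = mean(lengths) - pr
        result["working_seconds"] = working
        # Forum hypothesis (Derelict): two clients sharing one certificate on a server
        # without duplicate-cn evict each other. Each then works for ~pr seconds (until
        # the other one times out and reconnects) and is silent for pr seconds, so the
        # usable part of each session is itself about one ping-restart long.
        result["alternating_eviction_pattern"] = abs(working - pr) <= 0.15 * pr
    return result


if __name__ == "__main__":
    import json
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(diagnose(text), indent=2))
```

Pipe a saved pfSense OpenVPN log into the script, or run it with no input to see the constructed sample. If `alternating_eviction_pattern` comes out true, check which clients present the same certificate or username: the right fix is a separate certificate per client (and, on pfSense, a separate client instance per certificate), not enabling `duplicate-cn` on the server, which hides the collision and removes the ability to revoke a single client. The three findings are worth fixing on both ends even after the flapping stops, since the posted log shows the client would accept any certificate signed by the CA as "the server".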

          dims

          You were probably right!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.