OpenVPN disconnections
-
Hi,
I'm running pfSense 2.0.1 i386, and several site-to-site OpenVPN tunnels are configured: pfSense "A" is client and pfSenses "B", "C" and "D" are servers.
OpenVPN is configured the following way:
- Server Mode : Peer to Peer (shared key)
- Protocol : UDP
- Device mode : tun
I'm experiencing disconnections with all OpenVPN tunnels, and there is no pattern with date and time.
system.log on the client pfSense indicates:
Mar 23 09:20:00 goldorak apinger: ALARM: VPNSD(172.21.23.1) *** down ***
Mar 23 09:20:00 goldorak apinger: ALARM: VPNSD(172.21.23.1) *** down ***
Mar 23 09:20:10 goldorak check_reload_status: Reloading filter
Mar 23 09:20:10 goldorak check_reload_status: Reloading filter
Mar 23 09:20:18 goldorak apinger: alarm canceled: VPNSD(172.21.23.1) *** down ***
Mar 23 09:20:18 goldorak apinger: alarm canceled: VPNSD(172.21.23.1) *** down ***
Mar 23 09:20:28 goldorak check_reload_status: Reloading filter
Mar 23 09:20:28 goldorak check_reload_status: Reloading filter
Mar 23 09:20:32 goldorak php: : Sending HUP signal to 47122
Mar 23 09:20:32 goldorak ipfw-classifyd: Reloading config...
Mar 23 09:20:32 goldorak ipfw-classifyd: Loaded Protocol: rtp (rule altq)
Mar 23 09:21:00 goldorak php: : Sending HUP signal to 47122
Mar 23 09:21:00 goldorak ipfw-classifyd: Reloading config...
Mar 23 09:21:00 goldorak ipfw-classifyd: Loaded Protocol: rtp (rule altq)
Mar 23 09:21:13 goldorak php: : Sending HUP signal to 47122
Mar 23 09:21:13 goldorak ipfw-classifyd: Reloading config...
Mar 23 09:21:13 goldorak ipfw-classifyd: Loaded Protocol: rtp (rule altq)
Mar 23 09:21:28 goldorak php: : Sending HUP signal to 47122
Mar 23 09:21:28 goldorak ipfw-classifyd: Reloading config...
Mar 23 09:21:28 goldorak ipfw-classifyd: Loaded Protocol: rtp (rule altq)
Mar 23 09:26:01 goldorak apinger: ALARM: VPNAU(172.21.24.1) *** down ***
Mar 23 09:26:01 goldorak apinger: ALARM: VPNAU(172.21.24.1) *** down ***
Mar 23 09:26:01 goldorak apinger: alarm canceled: VPNAU(172.21.24.1) *** down ***
Mar 23 09:26:01 goldorak apinger: alarm canceled: VPNAU(172.21.24.1) *** down ***
Mar 23 09:26:11 goldorak check_reload_status: Reloading filter
Mar 23 09:26:11 goldorak check_reload_status: Reloading filter
Mar 23 09:26:42 goldorak php: : Sending HUP signal to 47122
Mar 23 09:26:42 goldorak ipfw-classifyd: Reloading config...
Mar 23 09:26:42 goldorak ipfw-classifyd: Loaded Protocol: rtp (rule altq)
Mar 23 09:26:57 goldorak php: : Sending HUP signal to 47122
Mar 23 09:26:57 goldorak ipfw-classifyd: Reloading config...
Mar 23 09:26:57 goldorak ipfw-classifyd: Loaded Protocol: rtp (rule altq)
Mar 23 09:39:07 goldorak kernel: arp: 192.168.39.81 moved from 02:00:c0:a8:27:13 to 62:58:8e:91:cb:7e on vr0
Mar 23 09:59:07 goldorak kernel: arp: 192.168.39.81 moved from 62:58:8e:91:cb:7e to 02:00:c0:a8:27:13 on vr0
Mar 23 09:59:07 goldorak kernel: arp: 192.168.39.81 moved from 02:00:c0:a8:27:13 to 62:58:8e:91:cb:7e on vr0
Mar 23 10:03:56 goldorak apinger: ALARM: VPNBR(172.21.22.1) *** down ***
Mar 23 10:03:56 goldorak apinger: ALARM: VPNBR(172.21.22.1) *** down ***
Mar 23 10:04:01 goldorak apinger: alarm canceled: VPNBR(172.21.22.1) *** down ***
Mar 23 10:04:01 goldorak apinger: alarm canceled: VPNBR(172.21.22.1) *** down ***
Mar 23 10:04:06 goldorak check_reload_status: Reloading filter
Mar 23 10:04:06 goldorak check_reload_status: Reloading filter
Mar 23 10:04:38 goldorak php: : Sending HUP signal to 47122
Mar 23 10:04:38 goldorak ipfw-classifyd: Reloading config...
Mar 23 10:04:38 goldorak ipfw-classifyd: Loaded Protocol: rtp (rule altq)
Mar 23 10:04:52 goldorak php: : Sending HUP signal to 47122
Mar 23 10:04:52 goldorak ipfw-classifyd: Reloading config...
Mar 23 10:04:53 goldorak ipfw-classifyd: Loaded Protocol: rtp (rule altq)
Mar 23 10:19:06 goldorak kernel: arp: 192.168.39.81 moved from 62:58:8e:91:cb:7e to 02:00:c0:a8:27:13 on vr0
Mar 23 10:19:06 goldorak kernel: arp: 192.168.39.81 moved from 02:00:c0:a8:27:13 to 62:58:8e:91:cb:7e on vr0
Mar 23 10:32:33 goldorak kernel: ovpnc2: promiscuous mode enabled
Mar 23 10:32:40 goldorak kernel: ovpnc2: promiscuous mode disabled
Mar 23 10:33:11 goldorak kernel: ovpnc2: promiscuous mode enabled
Mar 23 10:33:11 goldorak kernel: ovpnc2: promiscuous mode disabled
Mar 23 10:33:20 goldorak kernel: ovpnc2: promiscuous mode enabled
Mar 23 10:39:03 goldorak kernel: arp: 192.168.39.81 moved from 62:58:8e:91:cb:7e to 02:00:c0:a8:27:13 on vr0
Mar 23 10:39:03 goldorak kernel: arp: 192.168.39.81 moved from 02:00:c0:a8:27:13 to 62:58:8e:91:cb:7e on vr0
Mar 23 10:39:22 goldorak apinger: ALARM: VPNSD(172.21.23.1) *** down ***
Mar 23 10:39:22 goldorak apinger: ALARM: VPNSD(172.21.23.1) *** down ***
Mar 23 10:39:32 goldorak check_reload_status: Reloading filter
Mar 23 10:39:32 goldorak check_reload_status: Reloading filter
Mar 23 10:39:35 goldorak apinger: alarm canceled: VPNSD(172.21.23.1) *** down ***
Mar 23 10:39:35 goldorak apinger: alarm canceled: VPNSD(172.21.23.1) *** down ***
Mar 23 10:39:45 goldorak check_reload_status: Reloading filter
Mar 23 10:39:45 goldorak check_reload_status: Reloading filter
Mar 23 10:40:33 goldorak php: : Sending HUP signal to 47122
Mar 23 10:40:33 goldorak ipfw-classifyd: Reloading config...
Mar 23 10:40:33 goldorak ipfw-classifyd: Loaded Protocol: rtp (rule altq)
Mar 23 10:41:00 goldorak php: : Sending HUP signal to 47122
Mar 23 10:41:00 goldorak ipfw-classifyd: Reloading config...
Mar 23 10:41:00 goldorak ipfw-classifyd: Loaded Protocol: rtp (rule altq)
Mar 23 10:41:25 goldorak php: : Sending HUP signal to 47122
Mar 23 10:41:25 goldorak ipfw-classifyd: Reloading config...
Mar 23 10:41:25 goldorak ipfw-classifyd: Loaded Protocol: rtp (rule altq)
Mar 23 10:42:13 goldorak php: : Sending HUP signal to 47122
Mar 23 10:42:13 goldorak ipfw-classifyd: Reloading config...
Mar 23 10:42:13 goldorak ipfw-classifyd: Loaded Protocol: rtp (rule altq)
Whereas system.log on pfSense OpenVPN servers doesn't indicate any problem with VPN.
I captured traffic on the WAN and ovpncX / ovpnsX interfaces during the disconnections:
- On the WAN interfaces everything is fine. Apinger doesn't raise any alarm (WAN gateways are monitored) and I can see bidirectional OpenVPN UDP traffic during the OpenVPN disconnection on both WAN interfaces.
- On the ovpnsX servers' interfaces, I can see tunneled traffic arriving from ovpncX, and traffic being sent to OpenVPN client's ovpncX interfaces.
- On the ovpncX client's interfaces, I can see that tunneled traffic is sent to ovpnsX, but no traffic is arriving from ovpnsX.
Any ideas of possible reasons for this?
Regards,
Romain
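
An added example (not part of the original post): a small Python parser that pairs the apinger "ALARM" and "alarm canceled" lines from the system.log above into outage windows per tunnel gateway, so the timing of drops can be compared across tunnels. The sample lines are an excerpt of the log in the post; the function names and the `year` default are assumptions, since syslog timestamps carry no year.

```python
import re
from datetime import datetime

# Excerpt of the system.log lines quoted in the post (duplicates kept on purpose).
SAMPLE_LOG = """\
Mar 23 09:20:00 goldorak apinger: ALARM: VPNSD(172.21.23.1) *** down ***
Mar 23 09:20:00 goldorak apinger: ALARM: VPNSD(172.21.23.1) *** down ***
Mar 23 09:20:10 goldorak check_reload_status: Reloading filter
Mar 23 09:20:18 goldorak apinger: alarm canceled: VPNSD(172.21.23.1) *** down ***
Mar 23 09:20:18 goldorak apinger: alarm canceled: VPNSD(172.21.23.1) *** down ***
Mar 23 09:26:01 goldorak apinger: ALARM: VPNAU(172.21.24.1) *** down ***
Mar 23 09:26:01 goldorak apinger: alarm canceled: VPNAU(172.21.24.1) *** down ***
Mar 23 10:03:56 goldorak apinger: ALARM: VPNBR(172.21.22.1) *** down ***
Mar 23 10:04:01 goldorak apinger: alarm canceled: VPNBR(172.21.22.1) *** down ***
Mar 23 10:39:22 goldorak apinger: ALARM: VPNSD(172.21.23.1) *** down ***
Mar 23 10:39:35 goldorak apinger: alarm canceled: VPNSD(172.21.23.1) *** down ***
"""

APINGER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+apinger:\s+"
    r"(?P<kind>ALARM|alarm canceled):\s+(?P<gw>\S+?)\((?P<ip>[\d.]+)\)"
    r"\s+\*\*\* down \*\*\*"
)

def outage_windows(log_text, year=2012):  # year is an assumption
    """Return (gateway, ip, start, end, seconds) for each down/cancel pair."""
    open_alarms, windows = {}, []
    for line in log_text.splitlines():
        m = APINGER.match(line)
        if not m:
            continue  # filter reloads, ARP moves, etc. are not outage markers
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["gw"], m["ip"])
        if m["kind"] == "ALARM":
            open_alarms.setdefault(key, ts)  # keep first of duplicated lines
        elif key in open_alarms:  # duplicated cancel lines are ignored
            start = open_alarms.pop(key)
            windows.append((*key, start, ts, int((ts - start).total_seconds())))
    return windows

def summarize(windows):
    """Map gateway name -> (number of outages, total seconds reported down)."""
    totals = {}
    for gw, _ip, _start, _end, secs in windows:
        count, total = totals.get(gw, (0, 0))
        totals[gw] = (count + 1, total + secs)
    return totals

if __name__ == "__main__":
    for gw, ip, start, end, secs in outage_windows(SAMPLE_LOG):
        print(f"{gw:6} {ip:12} {start:%H:%M:%S} -> {end:%H:%M:%S} ({secs}s)")
```

The durations are only as precise as apinger's alarm and cancel timestamps, so they describe when the monitor noticed each drop rather than the exact loss interval.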
-
This issue is solved.
My ISP at this time claimed the problem wasn't on his side.
Since I wasn't able to find a solution, I changed the ISP. Now, I don't experience these disconnections anymore :-)