OpenVPN client using 100% of the processor [SOLVED]

serialdie

@cmb:

The problem serialdie described was fixed in some 2.1.x release and is definitely different from OP's described scenario.

You need to go forward, not backward. Try 2.2 and see if it still happens. Running an OpenVPN client vulnerable to Heartbleed connecting out as a client to some untrusted source is nuts. No one under any circumstance should be running 2.1 nor 2.1.1 on account of Heartbleed.

Thanks for the clarification cmb.

Regards.

stephenw10

I notice the gateways are in the 10.X.X.X subnet. Have they always been? Perhaps there was some routing issue there. The remote IPs are not in that subnet.
I recently had to change the monitoring IP on my home connection after some upgrade my ISP made rendered their gateway unpingable.  >:( Hard to see how that relates to updating pfSense though. Perhaps your VPN provider sees the differing SSL versions and puts you in a subnet with all the other heartbleed vulnerables!  ;)

Steve

killerb81

Haha. Well I hope that's not the case.

Their gateway addresses have always been in the 10.x.x.x range from what I can remember.

killerb81

So I may have spoke too soon.

It was running all day with no issues after I did the auto-update to 2.1.5 (x32) under relatively low internet use (I was at work all day).
When I got home I decided to do a fresh install using the x64 version of 2.1.5. I made the same change to it (turned off gateway monitoring for my VPNs) then went and watched some TV.

Came back just now and the processor was at 57% (one core @ 100%) and had been that way for almost two hours according to the RRD graph.

Nothing in the gateway logs, and messages like these in the OpenVPN logs:

Nov 10 20:10:34 openvpn[88844]: /sbin/route add -net 10.125.1.1 10.125.1.5 255.255.255.255
Nov 10 20:10:34 openvpn[88844]: Initialization Sequence Completed
Nov 10 20:15:25 openvpn[88844]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Nov 10 20:15:25 openvpn[88844]: MANAGEMENT: CMD 'state 1'
Nov 10 20:15:25 openvpn[88844]: MANAGEMENT: CMD 'status 2'
Nov 10 20:15:25 openvpn[88844]: MANAGEMENT: Client disconnected
Nov 10 20:15:25 openvpn[55911]: MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
Nov 10 20:15:25 openvpn[55911]: MANAGEMENT: CMD 'state 1'
Nov 10 20:15:25 openvpn[55911]: MANAGEMENT: CMD 'status 2'
Nov 10 20:15:25 openvpn[55911]: MANAGEMENT: Client disconnected

I'm not sure what it means by client disconnected as both tunnels are still up and running fine.

Any ideas?  Starting to get frustrated with this one.

serialdie

@killerb81:

So I may have spoke too soon.

It was running all day with no issues after I did the auto-update to 2.1.5 (x32) under relatively low internet use (I was at work all day).
When I got home I decided to do a fresh install using the x64 version of 2.1.5. I made the same change to it (turned off gateway monitoring for my VPNs) then went and watched some TV.

Came back just now and the processor was at 57% (one core @ 100%) and had been that way for almost two hours according to the RRD graph.

Nothing in the gateway logs, and messages like these in the OpenVPN logs:

Nov 10 20:10:34 openvpn[88844]: /sbin/route add -net 10.125.1.1 10.125.1.5 255.255.255.255
Nov 10 20:10:34 openvpn[88844]: Initialization Sequence Completed
Nov 10 20:15:25 openvpn[88844]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Nov 10 20:15:25 openvpn[88844]: MANAGEMENT: CMD 'state 1'
Nov 10 20:15:25 openvpn[88844]: MANAGEMENT: CMD 'status 2'
Nov 10 20:15:25 openvpn[88844]: MANAGEMENT: Client disconnected
Nov 10 20:15:25 openvpn[55911]: MANAGEMENT: Client connected from /var/etc/openvpn/client2.sock
Nov 10 20:15:25 openvpn[55911]: MANAGEMENT: CMD 'state 1'
Nov 10 20:15:25 openvpn[55911]: MANAGEMENT: CMD 'status 2'
Nov 10 20:15:25 openvpn[55911]: MANAGEMENT: Client disconnected

I'm not sure what it means by client disconnected as both tunnels are still up and running fine.

Any ideas?  Starting to get frustrated with this one.

This is what happens to me with one of my VPN end points and what causes my CPU spikes as well.
Basically you are loosing your connection and the system is trying to reconnect and than it establish the connection which by than your CPU should go down on utilization.

killerb81

Thing is, I didn't loose my connection.
As a test, I started streaming Netflix on my desktop that was routed through one of those tunnels.

On my other screen I was watching the "System Activity" screen in pfSense.

Netflix connected and started streaming. As it started to stream the "OpenVPN –config" process started climbing the list of % processor usage.
It got to 100% of the core it was using then stayed there, even after I shut down Netflix and anything else that was using the connection.

That's where it sat... at 100%.

serialdie

I am going to BumP this thread.

I have this same issue and is causing major cpu spikes.

killerb81

I went back to 2.1.1.. it's the only release I've tried that doesn't have this issue.
I'll try 2.2 when it's stable… until then it looks like it'll have to do.

nadir.latif

Hi,

We had problems with high cpu. enabling device polling reduced the cpu from 80% to 40%. you may want to read this post. https://forum.pfsense.org/index.php?topic=77963.msg462019#msg462019

Nadir Latif

serialdie

@nadir.latif:

Hi,

We had problems with high cpu. enabling device polling reduced the cpu from 80% to 40%. you may want to read this post. https://forum.pfsense.org/index.php?topic=77963.msg462019#msg462019

Nadir Latif

That's not recommended.
My issue has stabilized after I worked with my traffic shapers.

killerb81

bump.

:(

I upgraded to 2.3.1 -p5 and the issue is back.
I even reinstalled completely after I saw the issue come back… it was working fine for a long time and then... bam - back.

Does anyone have any deffinitive solutions for this?  Would be greatly appreciated.

Thing is, I don't lose my connections - they're still connected and working fine.  The CPU spikes and the temperature starts rising.
I have to restart the OpenVPN Client services to get it to calm down.

killerb81

@serialdie

What exactly did you do to your traffic shaping to resolve the issue?
I too have traffic shaping configured.

killerb81

So, it's interesting.. but I shut off my traffic shaping and the issue seems to have stopped.

Does anyone know why this might be?

killerb81

*** SOLVED ***  (I think)

So after having my traffic shaper turned off for a day, the problem has not been seen.
I'm not sure WHY this is, after all, it was the OpenVPN process that was using all the CPU.

I did a little digging into my traffic shaper before turning it off and noticed that it wasn't setup how I originally configured it.
I had previously set it up using HFSC ques, but just before turning it off I noticed it was using CBQ based ques and some of the other settings had been changed.

I could be wrong, but I think during an update of pfSense these settings somehow got changed… because that's when I noticed the VPN processes ramping up, right after an update.
In the next few days I'm going to setup my traffic shaper again from scratch and see what happens... I'll post back here after I do some testing.

Thanks to all!

alecp

I was just monitoring my firewall after a power outage and found this issue.
I removed the simple traffic-shaper I recently put in place for VoIP and the CPU usage fell to sensible numbers.
I tried putting the shaper back (CBQ) with the wizard but the openvpn usage went back to 100%, so it is not fixed

2.3.1-RELEASE-p5 (amd64)