Netgate Discussion Forum
    OpenVPN tunnel allways reconnects

hikmat

Hi People,

Please HELP, need urgent suggestion!!!

In Tashkent city (Uzbekistan) we have pfSense 2.3.3.1 with 8 OpenVPN services. One of them is bound to 443 UDP in TUN Peer-to-Peer SSL/TLS mode on a public IP.
In Beijing city (China) we also have pfSense 2.3.3.1 with OpenVPN acting as a client behind an ISP NAT router.
The client successfully connects to the server, and everything seems to be working. Ping works, and we can see all devices on the remote sites.
The problem is that every N minutes (5, 10, 30 minutes, different each time) the connection is lost and the client restarts the tunnel. Every time this happens the on-demand service can't work.
How can I figure out the issue?

By the way, in this OpenVPN tunnel we can't ping the tunnel IPs, although on the other tunnels we can.
Both sites have corresponding rules on the OpenVPN interface where source = Local NETs + Tunnel Net passes all traffic to all destinations.


Server Conf /var/etc/openvpn/server5.conf:

```
dev ovpns5
verb 4
dev-type tun
tun-ipv6
dev-node /dev/tun5
writepid /var/run/openvpn_server5.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 195.158.х.х
tls-server
server 10.0.100.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server5
ifconfig 10.0.100.1 10.0.100.2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn-server.mfa.uz' 1"
lport 443
management /var/etc/openvpn/server5.sock unix
push "route 172.30.30.176 255.255.255.240"
push "route 192.168.1.0 255.255.255.0"
route 192.168.45.0 255.255.255.0
route 192.168.46.0 255.255.255.0
ca /var/etc/openvpn/server5.ca
cert /var/etc/openvpn/server5.cert
key /var/etc/openvpn/server5.key
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server5.crl-verify
tls-auth /var/etc/openvpn/server5.tls-auth 0
persist-remote-ip
float
topology subnet
```

Client override /var/etc/openvpn-csc/server5:

```
iroute 192.168.45.0 255.255.255.0
```

Client Conf /var/etc/openvpn/client1.conf:

```
dev ovpnc1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.200.199
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote 195.158.х.х 443
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
resolv-retry infinite
remote-cert-tls server
```

Client LOGS:

```
May 3 15:04:56 	openvpn 	94536 	Initialization Sequence Completed
May 3 15:04:56 	openvpn 	94536 	Preserving previous TUN/TAP instance: ovpnc1
May 3 15:04:54 	openvpn 	94536 	[vpn-server.mfa.uz] Peer Connection Initiated with [AF_INET]195.158.х.х:443
May 3 15:04:38 	openvpn 	94536 	UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 15:04:38 	openvpn 	94536 	UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 15:04:38 	openvpn 	94536 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 15:04:35 	openvpn 	94536 	SIGUSR1[soft,ping-restart] received, process restarting
May 3 15:04:35 	openvpn 	94536 	[UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 15:03:35 	openvpn 	94536 	UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 15:03:35 	openvpn 	94536 	UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 15:03:35 	openvpn 	94536 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 15:03:33 	openvpn 	94536 	SIGUSR1[soft,ping-restart] received, process restarting
May 3 15:03:33 	openvpn 	94536 	[UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 15:02:33 	openvpn 	94536 	UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 15:02:33 	openvpn 	94536 	UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 15:02:33 	openvpn 	94536 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 15:02:31 	openvpn 	94536 	SIGUSR1[soft,tls-error] received, process restarting
May 3 15:02:31 	openvpn 	94536 	TLS Error: TLS handshake failed
May 3 15:02:31 	openvpn 	94536 	TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 3 15:01:37 	openvpn 	94536 	TLS Error: Unroutable control packet received from [AF_INET]195.158.х.х:443 (si=3 op=P_ACK_V1)
May 3 15:01:31 	openvpn 	94536 	UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 15:01:31 	openvpn 	94536 	UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 15:01:31 	openvpn 	94536 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 15:01:29 	openvpn 	94536 	SIGUSR1[soft,ping-restart] received, process restarting
May 3 15:01:29 	openvpn 	94536 	[UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 15:00:29 	openvpn 	94536 	UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 15:00:29 	openvpn 	94536 	UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 15:00:29 	openvpn 	94536 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 15:00:27 	openvpn 	94536 	SIGUSR1[soft,ping-restart] received, process restarting
May 3 15:00:27 	openvpn 	94536 	[UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:59:27 	openvpn 	94536 	UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:59:27 	openvpn 	94536 	UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:59:27 	openvpn 	94536 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:59:25 	openvpn 	94536 	SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:59:25 	openvpn 	94536 	[vpn-server.mfa.uz] Inactivity timeout (--ping-restart), restarting
May 3 14:58:25 	openvpn 	94536 	[vpn-server.mfa.uz] Peer Connection Initiated with [AF_INET]195.158.х.х:443
May 3 14:58:11 	openvpn 	94536 	UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:58:11 	openvpn 	94536 	UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:58:11 	openvpn 	94536 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:58:09 	openvpn 	94536 	SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:58:09 	openvpn 	94536 	[UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:57:09 	openvpn 	94536 	UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:57:09 	openvpn 	94536 	UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:57:09 	openvpn 	94536 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:57:07 	openvpn 	94536 	SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:57:07 	openvpn 	94536 	[UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:56:07 	openvpn 	94536 	UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:56:07 	openvpn 	94536 	UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:56:07 	openvpn 	94536 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:56:05 	openvpn 	94536 	SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:56:05 	openvpn 	94536 	[vpn-server.mfa.uz] Inactivity timeout (--ping-restart), restarting
May 3 14:34:33 	openvpn 	94536 	Initialization Sequence Completed
May 3 14:34:33 	openvpn 	94536 	Preserving previous TUN/TAP instance: ovpnc1
May 3 14:34:31 	openvpn 	94536 	[vpn-server.mfa.uz] Peer Connection Initiated with [AF_INET]195.158.х.х:443
May 3 14:34:27 	openvpn 	94536 	TLS Error: Unroutable control packet received from [AF_INET]195.158.х.х:443 (si=3 op=P_ACK_V1)
May 3 14:34:13 	openvpn 	94536 	UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:34:13 	openvpn 	94536 	UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:34:13 	openvpn 	94536 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:34:11 	openvpn 	94536 	SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:34:11 	openvpn 	94536 	[UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:33:11 	openvpn 	94536 	UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:33:11 	openvpn 	94536 	UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:33:11 	openvpn 	94536 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:33:09 	openvpn 	94536 	SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:33:09 	openvpn 	94536 	[UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:32:09 	openvpn 	94536 	UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:32:09 	openvpn 	94536 	UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:32:09 	openvpn 	94536 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:32:07 	openvpn 	94536 	SIGUSR1[soft,tls-error] received, process restarting
May 3 14:32:07 	openvpn 	94536 	TLS Error: TLS handshake failed
May 3 14:32:07 	openvpn 	94536 	TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 3 14:31:07 	openvpn 	94536 	UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:31:07 	openvpn 	94536 	UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:31:07 	openvpn 	94536 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:31:05 	openvpn 	94536 	SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:31:05 	openvpn 	94536 	[UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:30:05 	openvpn 	94536 	UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:30:05 	openvpn 	94536 	UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:30:05 	openvpn 	94536 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:30:03 	openvpn 	94536 	SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:30:03 	openvpn 	94536 	[UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:29:03 	openvpn 	94536 	UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:29:03 	openvpn 	94536 	UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:29:03 	openvpn 	94536 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:29:01 	openvpn 	94536 	SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:29:01 	openvpn 	94536 	[vpn-server.mfa.uz] Inactivity timeout (--ping-restart), restarting
May 3 14:21:39 	openvpn 	94536 	Initialization Sequence Completed
May 3 14:21:39 	openvpn 	94536 	Preserving previous TUN/TAP instance: ovpnc1
May 3 14:21:36 	openvpn 	94536 	[vpn-server.mfa.uz] Peer Connection Initiated with [AF_INET]195.158.х.х:443
May 3 14:21:28 	openvpn 	94536 	UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:21:28 	openvpn 	94536 	UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:21:28 	openvpn 	94536 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:21:26 	openvpn 	94536 	SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:21:26 	openvpn 	94536 	[UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:20:26 	openvpn 	94536 	UDPv4 link remote: [AF_INET]195.158.х.х:443
May 3 14:20:26 	openvpn 	94536 	UDPv4 link local (bound): [AF_INET]192.168.200.199
May 3 14:20:26 	openvpn 	94536 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 14:20:24 	openvpn 	94536 	SIGUSR1[soft,ping-restart] received, process restarting
May 3 14:20:24 	openvpn 	94536 	[UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 14:19:23 	openvpn 	94536 	UDPv4 link remote: [AF_INET]195.158.х.х:443
```

Server LOGS:

```
May 3 12:14:21 	openvpn 	33468 	I/O WAIT TR|Tw|SR|Sw [7/9931]
May 3 12:14:21 	openvpn 	33468 	PO_CTL rwflags=0x0001 ev=5 arg=0x00693598
May 3 12:14:21 	openvpn 	33468 	PO_CTL rwflags=0x0001 ev=7 arg=0x00693594
May 3 12:14:21 	openvpn 	33468 	PO_CTL rwflags=0x0001 ev=6 arg=0x00694740
May 3 12:14:21 	openvpn 	33468 	SCHEDULE: schedule_find_least wakeup=[Wed May 3 12:14:29 2017 us=9926] pri=2071388902
May 3 12:14:21 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 SCHEDULE: schedule_add_modify wakeup=[Wed May 3 12:14:29 2017 us=9926] pri=2042523469
May 3 12:14:21 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 RANDOM USEC=58507
May 3 12:14:21 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[undef]
May 3 12:14:21 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=3e08c98b 0f86ddcb, stored-sid=00000000 00000000, stored-ip=[undef]
May 3 12:14:21 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 TLS: tls_process: timeout set to 1096
May 3 12:14:21 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 ACK reliable_send_timeout 604800 [6]
May 3 12:14:21 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 ACK reliable_can_send active=0 current=0 : [6]
May 3 12:14:21 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 STATE S_NORMAL_OP
May 3 12:14:21 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 TLS: tls_process: chg=0 ks=S_NORMAL_OP lame=S_NORMAL_OP to_link->len=0 wakeup=1096
May 3 12:14:21 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 TLS: tls_multi_process: i=0 state=S_NORMAL_OP, mysid=0f678122 b7f33cc8, stored-sid=af61d163 b797e3aa, stored-ip=[AF_INET]84.54.112.26:64383
May 3 12:14:21 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 TIMER: coarse timer wakeup 7 seconds
May 3 12:14:21 	openvpn 	33468 	MULTI: REAP range 144 -> 160
May 3 12:14:21 	openvpn 	33468 	I/O WAIT status=0x0020
May 3 12:14:21 	openvpn 	33468 	event_wait returned 0
May 3 12:14:18 	openvpn 	33468 	I/O WAIT TR|Tw|SR|Sw [3/104880]
May 3 12:14:18 	openvpn 	33468 	PO_CTL rwflags=0x0001 ev=5 arg=0x00693598
May 3 12:14:18 	openvpn 	33468 	PO_CTL rwflags=0x0001 ev=7 arg=0x00693594
May 3 12:14:18 	openvpn 	33468 	PO_CTL rwflags=0x0001 ev=6 arg=0x00694740
May 3 12:14:18 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 UDPv4 write returned 165
May 3 12:14:18 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 UDPv4 WRITE [165] to [AF_INET]84.54.112.26:64383: P_DATA_V1 kid=2 DATA 6a49b95a 47d31a9e caa0eb92 df3bd156 c39da98a 884fd3ab 99dd6e71 2af1916[more...]
May 3 12:14:18 	openvpn 	33468 	I/O WAIT status=0x0002
May 3 12:14:18 	openvpn 	33468 	event_wait returned 1
May 3 12:14:18 	openvpn 	33468 	PO_WAIT[0,0] fd=6 rev=0x00000004 rwflags=0x0002 arg=0x00694740
May 3 12:14:18 	openvpn 	33468 	I/O WAIT Tr|Tw|Sr|SW [3/104880]
May 3 12:14:18 	openvpn 	33468 	PO_CTL rwflags=0x0001 ev=5 arg=0x00693598
May 3 12:14:18 	openvpn 	33468 	PO_CTL rwflags=0x0000 ev=7 arg=0x00693594
May 3 12:14:18 	openvpn 	33468 	PO_CTL rwflags=0x0002 ev=6 arg=0x00694740
May 3 12:14:18 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 ENCRYPT TO: 884fd3ab 99dd6e71 2af1916b 62e91d17 50555648 b6a0102c b45f3ca5 4d564e2[more...]
May 3 12:14:18 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 ENCRYPT FROM: 0000011a 45000077 bc520000 3f11d545 ac1e1ebe 0a001502 0035edf2 00633e5[more...]
May 3 12:14:18 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 ENCRYPT IV: 884fd3ab 99dd6e71 2af1916b 62e91d17
May 3 12:14:18 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 TLS: tls_pre_encrypt: key_id=2
May 3 12:14:18 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 TUN READ [119]
May 3 12:14:18 	openvpn 	33468 	GET INST BY VIRT: 10.0.21.2 -> kayumov.mfa.uz/84.54.112.26:64383 via 10.0.21.2
May 3 12:14:18 	openvpn 	33468 	read from TUN/TAP returned 119
May 3 12:14:18 	openvpn 	33468 	MULTI: REAP range 128 -> 144
May 3 12:14:18 	openvpn 	33468 	I/O WAIT status=0x0004
May 3 12:14:18 	openvpn 	33468 	event_wait returned 1
May 3 12:14:18 	openvpn 	33468 	PO_WAIT[1,0] fd=7 rev=0x00000001 rwflags=0x0001 arg=0x00693594
May 3 12:14:17 	openvpn 	33468 	I/O WAIT TR|Tw|SR|Sw [4/104880]
May 3 12:14:17 	openvpn 	33468 	PO_CTL rwflags=0x0001 ev=5 arg=0x00693598
May 3 12:14:17 	openvpn 	33468 	PO_CTL rwflags=0x0001 ev=7 arg=0x00693594
May 3 12:14:17 	openvpn 	33468 	PO_CTL rwflags=0x0001 ev=6 arg=0x00694740
May 3 12:14:17 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 write to TUN/TAP returned 72
May 3 12:14:17 	openvpn 	33468 	kayumov.mfa.uz/84.54.112.26:64383 TUN WRITE [72]
May 3 12:14:17 	openvpn 	33468 	I/O WAIT status=0x0008
```
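A small diagnostic script, added here and not part of the post, that replays a client log like the one above in time order and separates two things the log mixes together: a drop of an established tunnel (restart after "Initialization Sequence Completed", reported with the tunnel's uptime) and a reconnect attempt that itself timed out before any session existed (the lines pfSense tags with [UNDEF]). As a generalisation it also accepts plain OpenVPN log timestamps; the sample log, the peer name vpn.example.net and the default year 2017 are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# pfSense status-page layout from the post (no year) and plain OpenVPN log layout.
PFSENSE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+openvpn\s+\d+\s+(?P<msg>.*)$")
PLAIN_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<msg>.*)$")
RESTART_RE = re.compile(r"SIGUSR1\[soft,(?P<reason>[\w-]+)\] received, process restarting")
ESTABLISHED = "Initialization Sequence Completed"

# Constructed sample, newest first as pfSense shows it; times and peer name are made up.
SAMPLE_LOG = """\
May 3 15:04:56 \topenvpn \t94536 \tInitialization Sequence Completed
May 3 15:04:35 \topenvpn \t94536 \tSIGUSR1[soft,ping-restart] received, process restarting
May 3 15:04:35 \topenvpn \t94536 \t[UNDEF] Inactivity timeout (--ping-restart), restarting
May 3 15:02:31 \topenvpn \t94536 \tSIGUSR1[soft,tls-error] received, process restarting
May 3 14:59:25 \topenvpn \t94536 \tSIGUSR1[soft,ping-restart] received, process restarting
May 3 14:59:25 \topenvpn \t94536 \t[vpn.example.net] Inactivity timeout (--ping-restart), restarting
May 3 14:34:33 \topenvpn \t94536 \tInitialization Sequence Completed
May 3 14:29:01 \topenvpn \t94536 \tSIGUSR1[soft,ping-restart] received, process restarting
May 3 14:21:39 \topenvpn \t94536 \tInitialization Sequence Completed
"""


def parse_line(line, default_year=2017):
    """Return (timestamp, message) for a recognised line, else None.
    pfSense lines carry no year, so default_year (an assumption) is used."""
    line = line.strip()
    if m := PLAIN_RE.match(line):
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        return ts, m["msg"].strip()
    if m := PFSENSE_RE.match(line):
        ts_text = " ".join(m["ts"].split()) + f" {default_year}"
        return datetime.strptime(ts_text, "%b %d %H:%M:%S %Y"), m["msg"].strip()
    return None


def analyse(log_text, default_year=2017):
    """Replay the log in time order. A restart seen while a session is
    established counts as a drop (with the session's uptime in seconds);
    a restart seen with no established session is a failed reconnect
    attempt, the case pfSense logs with the [UNDEF] peer tag."""
    events = sorted(e for e in (parse_line(ln, default_year) for ln in log_text.splitlines()) if e)
    established_at, uptimes = None, []
    drops, failed_attempts = Counter(), Counter()
    for ts, msg in events:
        if msg == ESTABLISHED:
            established_at = ts
        elif m := RESTART_RE.search(msg):
            if established_at is None:
                failed_attempts[m["reason"]] += 1
            else:
                uptimes.append(int((ts - established_at).total_seconds()))
                drops[m["reason"]] += 1
                established_at = None
    return {"uptimes_s": uptimes, "drops": dict(drops), "failed_attempts": dict(failed_attempts)}
```

On the sample, `analyse(SAMPLE_LOG)` reports two drops of an established tunnel (uptimes 442 s and 1492 s) followed by one tls-error and one ping-restart reconnect attempt that never got a session; a long run of [UNDEF] timeouts after each drop points at the handshake itself being blocked rather than at keepalive settings.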
jameswebb

        Sounds to me like an ISP firewall issue.
        You may have to perform some form of header re-writing to get past DPI firewalls.

mixinocencio

Hi Everyone!
I'm from Brazil and I have a problem.
My CA restarts in 30 minutes.

Error sent in my client:

```
Thu May 18 17:43:19 2017 [server-certificado] Inactivity timeout (--ping-restart), restarting
Thu May 18 17:43:19 2017 SIGUSR1[soft,ping-restart] received, process restarting
Thu May 18 17:43:19 2017 Restart pause, 2 second(s)
Thu May 18 17:43:21 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu May 18 17:43:21 2017 Socket Buffers: R=[163840->131072] S=[163840->131072]
```
