    Site-to-site VPN reconnects every couple of minutes

      sysoict last edited by

      Hi,

      I've a couple of OpenVPN servers running on pfSense. Some of them are of type 'remote access' and two are peer-to-peer (site-to-site).

      The remote access VPNs work very stably. The site-to-site ones do not. On the server side I see that both are reconnecting every couple of minutes. They run a pfSense router as well. The pfSense routers on the client side show that they have been connected for 8+ hours, while on the server side pfSense shows the real 'connected since' value.

      The reconnect only takes 1 or 2 seconds, but it's quite annoying since RDP is routed over these tunnels.

      One client connects using ADSL (fixed IP) while the other connects over 4G (dynamic IP). Both clients have exactly the same issues.

      Any hints?

      Client log:

      
      Jan 31 01:18:27	openvpn	14069	UDPv4 link remote: [AF_INET]80.82.72.17:1194
      Jan 31 01:18:29	openvpn	14069	Peer Connection Initiated with [AF_INET]80.82.72.17:1194
      Jan 31 01:18:30	openvpn	14069	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
      Jan 31 01:18:30	openvpn	14069	Initialization Sequence Completed
      Jan 31 01:18:31	openvpn	14069	PID_ERR replay-window backtrack occurred [1] [STATIC-0] [0_000000000000000000000000000111122__________] 1517357843:45 1517357843:44 t=1517357911[0] r=[-2,64,15,1,1] sl=[19,45,64,528]
      Jan 31 01:18:31	openvpn	14069	PID_ERR replay-window backtrack occurred [2] [STATIC-0] [0__00000_0000000000000000000000000000000000000000000000000000000] 1517357843:83 1517357843:81 t=1517357911[0] r=[-2,64,15,2,1] sl=[45,64,64,528]
      Jan 31 01:18:31	openvpn	14069	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 31 01:18:31	openvpn	14069	MANAGEMENT: CMD 'state 1'
      Jan 31 01:18:31	openvpn	14069	MANAGEMENT: CMD 'status 2'
      Jan 31 01:18:31	openvpn	14069	MANAGEMENT: Client disconnected
      Jan 31 01:18:32	openvpn	14069	PID_ERR replay-window backtrack occurred [3] [STATIC-0] [0___000000000000000000000000000000000000000000000000000000000000] 1517357843:684 1517357843:681 t=1517357912[0] r=[-3,64,15,3,1] sl=[20,64,64,528]
      Jan 31 01:50:55	openvpn	14069	PID_ERR replay-window backtrack occurred [4] [STATIC-0] [0____00000000000000000000000000000000000000000000000_00000000000] 1517360089:183 1517360089:179 t=1517359855[0] r=[-2,64,15,4,1] sl=[9,64,64,528]
      Jan 31 02:04:24	openvpn	14069	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 31 02:04:24	openvpn	14069	MANAGEMENT: CMD 'state 1'
      Jan 31 02:04:24	openvpn	14069	MANAGEMENT: CMD 'status 2'
      Jan 31 02:04:24	openvpn	14069	MANAGEMENT: Client disconnected
      Jan 31 02:11:39	openvpn	14069	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
      Jan 31 02:11:39	openvpn	14069	MANAGEMENT: CMD 'state 1'
      Jan 31 02:11:39	openvpn	14069	MANAGEMENT: CMD 'status 2'
      Jan 31 02:11:39	openvpn	14069	MANAGEMENT: Client disconnected
      
      

      Server side:

      
      Jan 31 01:41:22	openvpn	99595	UDPv4 link local (bound): [AF_INET]80.82.72.17:1194
      Jan 31 01:41:22	openvpn	99595	UDPv4 link remote: [AF_UNSPEC]
      Jan 31 01:41:22	openvpn	99595	Peer Connection Initiated with [AF_INET]143.179.6.63:8616
      Jan 31 01:41:22	openvpn	73548	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jan 31 01:41:22	openvpn	73548	Re-using pre-shared static key
      Jan 31 01:41:22	openvpn	73548	Preserving previous TUN/TAP instance: ovpns3
      Jan 31 01:41:22	openvpn	73548	UDPv4 link local (bound): [AF_INET]80.82.72.17:1562
      Jan 31 01:41:22	openvpn	73548	UDPv4 link remote: [AF_UNSPEC]
      Jan 31 01:41:23	openvpn	99595	Initialization Sequence Completed
      Jan 31 01:41:25	openvpn	99595	PID_ERR replay-window backtrack occurred [7] [STATIC-0] [0_0_0_0_00000000000000000000000000000000111111111111111111111111] 1517357907:8568 1517357907:8561 t=1517359522[237] r=[234,64,15,7,1] sl=[24,64,64,528]
      Jan 31 01:41:29	openvpn	73548	Peer Connection Initiated with [AF_INET]85.149.43.135:63558
      Jan 31 01:41:29	openvpn	73548	Initialization Sequence Completed
      Jan 31 01:41:32	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
      Jan 31 01:41:32	openvpn	99595	MANAGEMENT: CMD 'state 1'
      Jan 31 01:41:32	openvpn	99595	MANAGEMENT: CMD 'status 2'
      Jan 31 01:41:32	openvpn	99595	MANAGEMENT: Client disconnected
      Jan 31 01:41:32	openvpn	73548	WARNING: 'tun-ipv6' is present in remote config but missing in local config, remote='tun-ipv6'
      Jan 31 01:41:59	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
      Jan 31 01:41:59	openvpn	99595	MANAGEMENT: CMD 'status 2'
      Jan 31 01:41:59	openvpn	99595	MANAGEMENT: CMD 'quit'
      Jan 31 01:41:59	openvpn	99595	MANAGEMENT: Client disconnected
      Jan 31 01:43:02	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
      Jan 31 01:43:02	openvpn	99595	MANAGEMENT: CMD 'status 2'
      Jan 31 01:43:03	openvpn	99595	MANAGEMENT: CMD 'quit'
      Jan 31 01:43:03	openvpn	99595	MANAGEMENT: Client disconnected
      Jan 31 01:44:05	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
      Jan 31 01:44:05	openvpn	99595	MANAGEMENT: CMD 'status 2'
      Jan 31 01:44:06	openvpn	99595	MANAGEMENT: CMD 'quit'
      Jan 31 01:44:06	openvpn	99595	MANAGEMENT: Client disconnected
      Jan 31 01:45:08	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
      Jan 31 01:45:09	openvpn	99595	MANAGEMENT: CMD 'status 2'
      Jan 31 01:45:09	openvpn	99595	MANAGEMENT: CMD 'quit'
      Jan 31 01:45:09	openvpn	99595	MANAGEMENT: Client disconnected
      Jan 31 01:46:11	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
      Jan 31 01:46:12	openvpn	99595	MANAGEMENT: CMD 'status 2'
      Jan 31 01:46:12	openvpn	99595	MANAGEMENT: CMD 'quit'
      Jan 31 01:46:12	openvpn	99595	MANAGEMENT: Client disconnected
      Jan 31 01:47:14	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
      Jan 31 01:47:15	openvpn	99595	MANAGEMENT: CMD 'status 2'
      Jan 31 01:47:15	openvpn	99595	MANAGEMENT: CMD 'quit'
      Jan 31 01:47:15	openvpn	99595	MANAGEMENT: Client disconnected
      Jan 31 01:48:18	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
      Jan 31 01:48:18	openvpn	99595	MANAGEMENT: CMD 'status 2'
      Jan 31 01:48:18	openvpn	99595	MANAGEMENT: CMD 'quit'
      Jan 31 01:48:18	openvpn	99595	MANAGEMENT: Client disconnected
      Jan 31 01:49:21	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
      Jan 31 01:49:21	openvpn	99595	MANAGEMENT: CMD 'status 2'
      Jan 31 01:49:21	openvpn	99595	MANAGEMENT: CMD 'quit'
      Jan 31 01:49:21	openvpn	99595	MANAGEMENT: Client disconnected
      Jan 31 01:50:47	openvpn	99595	Inactivity timeout (--ping-restart), restarting
      Jan 31 01:50:47	openvpn	99595	TCP/UDP: Closing socket
      Jan 31 01:50:47	openvpn	99595	SIGUSR1[soft,ping-restart] received, process restarting
      Jan 31 01:50:47	openvpn	99595	Restart pause, 5 second(s)
      Jan 31 01:50:48	openvpn	73548	Inactivity timeout (--ping-restart), restarting
      Jan 31 01:50:48	openvpn	73548	SIGUSR1[soft,ping-restart] received, process restarting
      Jan 31 01:49:53	openvpn	99595	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jan 31 01:49:53	openvpn	99595	Re-using pre-shared static key
      Jan 31 01:49:53	openvpn	99595	Preserving previous TUN/TAP instance: ovpns5
      Jan 31 01:49:53	openvpn	99595	Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:396 ET:0 EL:3 ]
      Jan 31 01:49:53	openvpn	99595	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.10.15.2 10.10.15.1,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
      Jan 31 01:49:53	openvpn	99595	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.10.15.1 10.10.15.2,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
      Jan 31 01:49:53	openvpn	99595	Socket Buffers: R=[42080->42080] S=[57344->57344]
      Jan 31 01:49:53	openvpn	99595	UDPv4 link local (bound): [AF_INET]80.82.72.17:1194
      Jan 31 01:49:53	openvpn	99595	UDPv4 link remote: [AF_UNSPEC]
      Jan 31 01:49:53	openvpn	99595	Peer Connection Initiated with [AF_INET]143.179.6.63:8616
      Jan 31 01:49:54	openvpn	99595	Initialization Sequence Completed
      Jan 31 01:49:54	openvpn	73548	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jan 31 01:49:54	openvpn	73548	Re-using pre-shared static key
      Jan 31 01:49:54	openvpn	73548	Preserving previous TUN/TAP instance: ovpns3
      Jan 31 01:49:54	openvpn	73548	UDPv4 link local (bound): [AF_INET]80.82.72.17:1562
      Jan 31 01:49:54	openvpn	73548	UDPv4 link remote: [AF_UNSPEC]
      Jan 31 01:49:55	openvpn	73548	Peer Connection Initiated with [AF_INET]85.149.43.135:63558
      Jan 31 01:49:55	openvpn	73548	Initialization Sequence Completed
      Jan 31 01:49:55	openvpn	99595	PID_ERR replay-window backtrack occurred [7] [STATIC-0] [0_0_0_0_00000000000000000000000000000000000000000000000000000000] 1517357907:11050 1517357907:11043 t=1517360091[296] r=[294,64,15,7,1] sl=[13,64,64,528]
      Jan 31 01:49:55	openvpn	99595	PID_ERR replay-window backtrack occurred [8] [STATIC-0] [000000_0_0000000000000000000000000000000000000000000000000000000] 1517357907:11203 1517357907:11195 t=1517360091[296] r=[294,64,15,8,1] sl=[52,64,64,528]
      Jan 31 01:50:04	openvpn	73548	WARNING: 'tun-ipv6' is present in remote config but missing in local config, remote='tun-ipv6'
      Jan 31 01:50:24	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
      Jan 31 01:50:24	openvpn	99595	MANAGEMENT: CMD 'status 2'
      Jan 31 01:50:24	openvpn	99595	MANAGEMENT: CMD 'quit'
      Jan 31 01:50:24	openvpn	99595	MANAGEMENT: Client disconnected
      Jan 31 01:51:27	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
      Jan 31 01:51:27	openvpn	99595	MANAGEMENT: CMD 'status 2'
      Jan 31 01:51:27	openvpn	99595	MANAGEMENT: CMD 'quit'
      Jan 31 01:51:27	openvpn	99595	MANAGEMENT: Client disconnected
      Jan 31 01:52:30	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
      Jan 31 01:52:30	openvpn	99595	MANAGEMENT: CMD 'status 2'
      Jan 31 01:52:30	openvpn	99595	MANAGEMENT: CMD 'quit'
      Jan 31 01:52:30	openvpn	99595	MANAGEMENT: Client disconnected
      Jan 31 01:53:33	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
      Jan 31 01:53:33	openvpn	99595	MANAGEMENT: CMD 'status 2'
      Jan 31 01:53:34	openvpn	99595	MANAGEMENT: CMD 'quit'
      Jan 31 01:53:34	openvpn	99595	MANAGEMENT: Client disconnected
      Jan 31 01:54:36	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
      Jan 31 01:54:37	openvpn	99595	MANAGEMENT: CMD 'status 2'
      Jan 31 01:54:37	openvpn	99595	MANAGEMENT: CMD 'quit'
      Jan 31 01:54:37	openvpn	99595	MANAGEMENT: Client disconnected
      Jan 31 01:55:39	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
      Jan 31 01:55:40	openvpn	99595	MANAGEMENT: CMD 'status 2'
      Jan 31 01:55:40	openvpn	99595	MANAGEMENT: CMD 'quit'
      Jan 31 01:55:40	openvpn	99595	MANAGEMENT: Client disconnected
      Jan 31 01:56:43	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
      Jan 31 01:56:43	openvpn	99595	MANAGEMENT: CMD 'status 2'
      Jan 31 01:56:43	openvpn	99595	MANAGEMENT: CMD 'quit'
      Jan 31 01:56:43	openvpn	99595	MANAGEMENT: Client disconnected
      Jan 31 01:58:28	openvpn	73548	Inactivity timeout (--ping-restart), restarting
      Jan 31 01:58:28	openvpn	73548	SIGUSR1[soft,ping-restart] received, process restarting
      Jan 31 01:58:28	openvpn	99595	Inactivity timeout (--ping-restart), restarting
      Jan 31 01:58:28	openvpn	99595	TCP/UDP: Closing socket
      Jan 31 01:58:28	openvpn	99595	SIGUSR1[soft,ping-restart] received, process restarting
      Jan 31 01:58:28	openvpn	99595	Restart pause, 5 second(s)
      Jan 31 01:57:34	openvpn	99595	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jan 31 01:57:34	openvpn	99595	Re-using pre-shared static key
      Jan 31 01:57:34	openvpn	99595	Preserving previous TUN/TAP instance: ovpns5
      Jan 31 01:57:34	openvpn	99595	Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:396 ET:0 EL:3 ]
      Jan 31 01:57:34	openvpn	99595	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.10.15.2 10.10.15.1,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
      Jan 31 01:57:34	openvpn	99595	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.10.15.1 10.10.15.2,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
      Jan 31 01:57:34	openvpn	99595	Socket Buffers: R=[42080->42080] S=[57344->57344]
      Jan 31 01:57:34	openvpn	99595	UDPv4 link local (bound): [AF_INET]80.82.72.17:1194
      Jan 31 01:57:34	openvpn	99595	UDPv4 link remote: [AF_UNSPEC]
      Jan 31 01:57:34	openvpn	73548	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Jan 31 01:57:34	openvpn	73548	Re-using pre-shared static key
      Jan 31 01:57:34	openvpn	73548	Preserving previous TUN/TAP instance: ovpns3
      Jan 31 01:57:34	openvpn	73548	UDPv4 link local (bound): [AF_INET]80.82.72.17:1562
      Jan 31 01:57:34	openvpn	73548	UDPv4 link remote: [AF_UNSPEC]
      Jan 31 01:57:36	openvpn	99595	Peer Connection Initiated with [AF_INET]143.179.6.63:8616
      Jan 31 01:57:36	openvpn	99595	Initialization Sequence Completed
      Jan 31 01:57:37	openvpn	99595	PID_ERR replay-window backtrack occurred [7] [STATIC-0] [0_0_0_0_00000000000000000000000000000000000000000000000000000111] 1517357907:13601 1517357907:13594 t=1517360612[355] r=[354,64,15,7,1] sl=[37,64,64,528]
      Jan 31 01:57:43	openvpn	73548	Peer Connection Initiated with [AF_INET]85.149.43.135:63558
      Jan 31 01:57:43	openvpn	73548	Initialization Sequence Completed
      
      

      PID 995595 = client with 4G
      PID 73547 = client with ADSL

        sysoict last edited by

        I also see that the 'Connected since' time is ahead of the pfSense time. The time shows correctly for the OpenVPN servers that are set up as 'remote access'.

        Does anyone have a clue?

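Added example (not part of the original posts, and not pfSense or OpenVPN project code): a small Python script that, for a server log in the format shown above, measures the time between `--ping-restart` events per OpenVPN PID and reports every place where consecutive timestamps go backwards. `SAMPLE` is a few lines excerpted from the server log above; the year 2018 and the function names `parse` and `analyze` are assumptions made for this example.

```python
import re
from datetime import datetime

# Excerpt of the server log above (tab-separated: time, program, PID, message).
SAMPLE = """\
Jan 31 01:49:21\topenvpn\t99595\tMANAGEMENT: Client disconnected
Jan 31 01:50:47\topenvpn\t99595\tInactivity timeout (--ping-restart), restarting
Jan 31 01:50:48\topenvpn\t73548\tInactivity timeout (--ping-restart), restarting
Jan 31 01:49:53\topenvpn\t99595\tRe-using pre-shared static key
Jan 31 01:49:55\topenvpn\t73548\tInitialization Sequence Completed
Jan 31 01:58:28\topenvpn\t73548\tInactivity timeout (--ping-restart), restarting
Jan 31 01:58:28\topenvpn\t99595\tInactivity timeout (--ping-restart), restarting
Jan 31 01:57:34\topenvpn\t99595\tRe-using pre-shared static key
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+openvpn\s+(\d+)\s+(.*)$")


def parse(text, year=2018):
    """Yield (timestamp, pid, message); syslog lines carry no year, so it is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3)


def analyze(text):
    """Return (seconds between ping-restarts per PID, sizes of backward time jumps)."""
    last_restart, intervals, jumps, prev = {}, {}, [], None
    for ts, pid, msg in parse(text):
        # A line stamped earlier than the line before it means the logged
        # wall-clock time went backwards between the two entries.
        if prev is not None and ts < prev:
            jumps.append(int((prev - ts).total_seconds()))
        prev = ts
        if "(--ping-restart)" in msg:
            if pid in last_restart:
                delta = int((ts - last_restart[pid]).total_seconds())
                intervals.setdefault(pid, []).append(delta)
            last_restart[pid] = ts
    return intervals, jumps


if __name__ == "__main__":
    intervals, jumps = analyze(SAMPLE)
    print("seconds between ping-restarts per PID:", intervals)
    print("backward timestamp jumps (seconds):", jumps)
```

Run against the full server log, the same function shows whether both tunnels restart on the same cadence and how large each backward step in the logged time is.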