Site-to-site VPN reconnects every couple of minutes
-
Hi,
I`ve a couple of OpenVPN servers running on PFsense. Some of them are of type 'remote access' and two are peer to peer (site-to-site)
The remote access VPN
s work very stable. Site-to-site not. On the server side I see that both are reconnecting every couple of minutes. They run a PFsense router as well. The Pfsenses on the client side show that they are connected for 8+ hours while on the server side Pfsense shows the real 'connected since' value.The reconnect only takes 1 or 2 seconds, but its quite annoying since RDP is routed over these tunnels.
One client connects using ADSL (fixed IP) while the other connects over 4G (dynamic ip). Both clients have exactly the same issues.
Any hints?
Client log:
Jan 31 01:18:27 openvpn 14069 UDPv4 link remote: [AF_INET]80.82.72.17:1194 Jan 31 01:18:29 openvpn 14069 Peer Connection Initiated with [AF_INET]80.82.72.17:1194 Jan 31 01:18:30 openvpn 14069 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this Jan 31 01:18:30 openvpn 14069 Initialization Sequence Completed Jan 31 01:18:31 openvpn 14069 PID_ERR replay-window backtrack occurred [1] [STATIC-0] [0_000000000000000000000000000111122__________] 1517357843:45 1517357843:44 t=1517357911[0] r=[-2,64,15,1,1] sl=[19,45,64,528] Jan 31 01:18:31 openvpn 14069 PID_ERR replay-window backtrack occurred [2] [STATIC-0] [0__00000_0000000000000000000000000000000000000000000000000000000] 1517357843:83 1517357843:81 t=1517357911[0] r=[-2,64,15,2,1] sl=[45,64,64,528] Jan 31 01:18:31 openvpn 14069 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock Jan 31 01:18:31 openvpn 14069 MANAGEMENT: CMD 'state 1' Jan 31 01:18:31 openvpn 14069 MANAGEMENT: CMD 'status 2' Jan 31 01:18:31 openvpn 14069 MANAGEMENT: Client disconnected Jan 31 01:18:32 openvpn 14069 PID_ERR replay-window backtrack occurred [3] [STATIC-0] [0___000000000000000000000000000000000000000000000000000000000000] 1517357843:684 1517357843:681 t=1517357912[0] r=[-3,64,15,3,1] sl=[20,64,64,528] Jan 31 01:50:55 openvpn 14069 PID_ERR replay-window backtrack occurred [4] [STATIC-0] [0____00000000000000000000000000000000000000000000000_00000000000] 1517360089:183 1517360089:179 t=1517359855[0] r=[-2,64,15,4,1] sl=[9,64,64,528] Jan 31 02:04:24 openvpn 14069 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock Jan 31 02:04:24 openvpn 14069 MANAGEMENT: CMD 'state 1' Jan 31 02:04:24 openvpn 14069 MANAGEMENT: CMD 'status 2' Jan 31 02:04:24 openvpn 14069 MANAGEMENT: Client disconnected Jan 31 02:11:39 openvpn 14069 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock Jan 31 02:11:39 openvpn 14069 MANAGEMENT: CMD 'state 1' Jan 31 02:11:39 openvpn 14069 MANAGEMENT: CMD 'status 2' Jan 31 02:11:39 openvpn 14069 MANAGEMENT: Client disconnectedServer side:
Jan 31 01:41:22 openvpn 99595 UDPv4 link local (bound): [AF_INET]80.82.72.17:1194 Jan 31 01:41:22 openvpn 99595 UDPv4 link remote: [AF_UNSPEC] Jan 31 01:41:22 openvpn 99595 Peer Connection Initiated with [AF_INET]143.179.6.63:8616 Jan 31 01:41:22 openvpn 73548 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Jan 31 01:41:22 openvpn 73548 Re-using pre-shared static key Jan 31 01:41:22 openvpn 73548 Preserving previous TUN/TAP instance: ovpns3 Jan 31 01:41:22 openvpn 73548 UDPv4 link local (bound): [AF_INET]80.82.72.17:1562 Jan 31 01:41:22 openvpn 73548 UDPv4 link remote: [AF_UNSPEC] Jan 31 01:41:23 openvpn 99595 Initialization Sequence Completed Jan 31 01:41:25 openvpn 99595 PID_ERR replay-window backtrack occurred [7] [STATIC-0] [0_0_0_0_00000000000000000000000000000000111111111111111111111111] 1517357907:8568 1517357907:8561 t=1517359522[237] r=[234,64,15,7,1] sl=[24,64,64,528] Jan 31 01:41:29 openvpn 73548 Peer Connection Initiated with [AF_INET]85.149.43.135:63558 Jan 31 01:41:29 openvpn 73548 Initialization Sequence Completed Jan 31 01:41:32 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock Jan 31 01:41:32 openvpn 99595 MANAGEMENT: CMD 'state 1' Jan 31 01:41:32 openvpn 99595 MANAGEMENT: CMD 'status 2' Jan 31 01:41:32 openvpn 99595 MANAGEMENT: Client disconnected Jan 31 01:41:32 openvpn 73548 WARNING: 'tun-ipv6' is present in remote config but missing in local config, remote='tun-ipv6' Jan 31 01:41:59 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock Jan 31 01:41:59 openvpn 99595 MANAGEMENT: CMD 'status 2' Jan 31 01:41:59 openvpn 99595 MANAGEMENT: CMD 'quit' Jan 31 01:41:59 openvpn 99595 MANAGEMENT: Client disconnected Jan 31 01:43:02 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock Jan 31 01:43:02 openvpn 99595 MANAGEMENT: CMD 'status 2' Jan 31 01:43:03 openvpn 99595 MANAGEMENT: CMD 'quit' Jan 31 01:43:03 openvpn 99595 MANAGEMENT: Client disconnected Jan 31 01:44:05 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock Jan 31 01:44:05 openvpn 99595 MANAGEMENT: CMD 'status 2' Jan 31 01:44:06 openvpn 99595 MANAGEMENT: CMD 'quit' Jan 31 01:44:06 openvpn 99595 MANAGEMENT: Client disconnected Jan 31 01:45:08 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock Jan 31 01:45:09 openvpn 99595 MANAGEMENT: CMD 'status 2' Jan 31 01:45:09 openvpn 99595 MANAGEMENT: CMD 'quit' Jan 31 01:45:09 openvpn 99595 MANAGEMENT: Client disconnected Jan 31 01:46:11 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock Jan 31 01:46:12 openvpn 99595 MANAGEMENT: CMD 'status 2' Jan 31 01:46:12 openvpn 99595 MANAGEMENT: CMD 'quit' Jan 31 01:46:12 openvpn 99595 MANAGEMENT: Client disconnected Jan 31 01:47:14 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock Jan 31 01:47:15 openvpn 99595 MANAGEMENT: CMD 'status 2' Jan 31 01:47:15 openvpn 99595 MANAGEMENT: CMD 'quit' Jan 31 01:47:15 openvpn 99595 MANAGEMENT: Client disconnected Jan 31 01:48:18 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock Jan 31 01:48:18 openvpn 99595 MANAGEMENT: CMD 'status 2' Jan 31 01:48:18 openvpn 99595 MANAGEMENT: CMD 'quit' Jan 31 01:48:18 openvpn 99595 MANAGEMENT: Client disconnected Jan 31 01:49:21 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock Jan 31 01:49:21 openvpn 99595 MANAGEMENT: CMD 'status 2' Jan 31 01:49:21 openvpn 99595 MANAGEMENT: CMD 'quit' Jan 31 01:49:21 openvpn 99595 MANAGEMENT: Client disconnected Jan 31 01:50:47 openvpn 99595 Inactivity timeout (--ping-restart), restarting Jan 31 01:50:47 openvpn 99595 TCP/UDP: Closing socket Jan 31 01:50:47 openvpn 99595 SIGUSR1[soft,ping-restart] received, process restarting Jan 31 01:50:47 openvpn 99595 Restart pause, 5 second(s) Jan 31 01:50:48 openvpn 73548 Inactivity timeout (--ping-restart), restarting Jan 31 01:50:48 openvpn 73548 SIGUSR1[soft,ping-restart] received, process restarting Jan 31 01:49:53 openvpn 99595 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Jan 31 01:49:53 openvpn 99595 Re-using pre-shared static key Jan 31 01:49:53 openvpn 99595 Preserving previous TUN/TAP instance: ovpns5 Jan 31 01:49:53 openvpn 99595 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:396 ET:0 EL:3 ] Jan 31 01:49:53 openvpn 99595 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.10.15.2 10.10.15.1,cipher AES-128-CBC,auth SHA1,keysize 128,secret' Jan 31 01:49:53 openvpn 99595 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.10.15.1 10.10.15.2,cipher AES-128-CBC,auth SHA1,keysize 128,secret' Jan 31 01:49:53 openvpn 99595 Socket Buffers: R=[42080->42080] S=[57344->57344] Jan 31 01:49:53 openvpn 99595 UDPv4 link local (bound): [AF_INET]80.82.72.17:1194 Jan 31 01:49:53 openvpn 99595 UDPv4 link remote: [AF_UNSPEC] Jan 31 01:49:53 openvpn 99595 Peer Connection Initiated with [AF_INET]143.179.6.63:8616 Jan 31 01:49:54 openvpn 99595 Initialization Sequence Completed Jan 31 01:49:54 openvpn 73548 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Jan 31 01:49:54 openvpn 73548 Re-using pre-shared static key Jan 31 01:49:54 openvpn 73548 Preserving previous TUN/TAP instance: ovpns3 Jan 31 01:49:54 openvpn 73548 UDPv4 link local (bound): [AF_INET]80.82.72.17:1562 Jan 31 01:49:54 openvpn 73548 UDPv4 link remote: [AF_UNSPEC] Jan 31 01:49:55 openvpn 73548 Peer Connection Initiated with [AF_INET]85.149.43.135:63558 Jan 31 01:49:55 openvpn 73548 Initialization Sequence Completed Jan 31 01:49:55 openvpn 99595 PID_ERR replay-window backtrack occurred [7] [STATIC-0] [0_0_0_0_00000000000000000000000000000000000000000000000000000000] 1517357907:11050 1517357907:11043 t=1517360091[296] r=[294,64,15,7,1] sl=[13,64,64,528] Jan 31 01:49:55 openvpn 99595 PID_ERR replay-window backtrack occurred [8] [STATIC-0] [000000_0_0000000000000000000000000000000000000000000000000000000] 1517357907:11203 1517357907:11195 t=1517360091[296] r=[294,64,15,8,1] sl=[52,64,64,528] Jan 31 01:50:04 openvpn 73548 WARNING: 'tun-ipv6' is present in remote config but missing in local config, remote='tun-ipv6' Jan 31 01:50:24 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock Jan 31 01:50:24 openvpn 99595 MANAGEMENT: CMD 'status 2' Jan 31 01:50:24 openvpn 99595 MANAGEMENT: CMD 'quit' Jan 31 01:50:24 openvpn 99595 MANAGEMENT: Client disconnected Jan 31 01:51:27 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock Jan 31 01:51:27 openvpn 99595 MANAGEMENT: CMD 'status 2' Jan 31 01:51:27 openvpn 99595 MANAGEMENT: CMD 'quit' Jan 31 01:51:27 openvpn 99595 MANAGEMENT: Client disconnected Jan 31 01:52:30 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock Jan 31 01:52:30 openvpn 99595 MANAGEMENT: CMD 'status 2' Jan 31 01:52:30 openvpn 99595 MANAGEMENT: CMD 'quit' Jan 31 01:52:30 openvpn 99595 MANAGEMENT: Client disconnected Jan 31 01:53:33 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock Jan 31 01:53:33 openvpn 99595 MANAGEMENT: CMD 'status 2' Jan 31 01:53:34 openvpn 99595 MANAGEMENT: CMD 'quit' Jan 31 01:53:34 openvpn 99595 MANAGEMENT: Client disconnected Jan 31 01:54:36 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock Jan 31 01:54:37 openvpn 99595 MANAGEMENT: CMD 'status 2' Jan 31 01:54:37 openvpn 99595 MANAGEMENT: CMD 'quit' Jan 31 01:54:37 openvpn 99595 MANAGEMENT: Client disconnected Jan 31 01:55:39 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock Jan 31 01:55:40 openvpn 99595 MANAGEMENT: CMD 'status 2' Jan 31 01:55:40 openvpn 99595 MANAGEMENT: CMD 'quit' Jan 31 01:55:40 openvpn 99595 MANAGEMENT: Client disconnected Jan 31 01:56:43 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock Jan 31 01:56:43 openvpn 99595 MANAGEMENT: CMD 'status 2' Jan 31 01:56:43 openvpn 99595 MANAGEMENT: CMD 'quit' Jan 31 01:56:43 openvpn 99595 MANAGEMENT: Client disconnected Jan 31 01:58:28 openvpn 73548 Inactivity timeout (--ping-restart), restarting Jan 31 01:58:28 openvpn 73548 SIGUSR1[soft,ping-restart] received, process restarting Jan 31 01:58:28 openvpn 99595 Inactivity timeout (--ping-restart), restarting Jan 31 01:58:28 openvpn 99595 TCP/UDP: Closing socket Jan 31 01:58:28 openvpn 99595 SIGUSR1[soft,ping-restart] received, process restarting Jan 31 01:58:28 openvpn 99595 Restart pause, 5 second(s) Jan 31 01:57:34 openvpn 99595 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Jan 31 01:57:34 openvpn 99595 Re-using pre-shared static key Jan 31 01:57:34 openvpn 99595 Preserving previous TUN/TAP instance: ovpns5 Jan 31 01:57:34 openvpn 99595 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:396 ET:0 EL:3 ] Jan 31 01:57:34 openvpn 99595 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.10.15.2 10.10.15.1,cipher AES-128-CBC,auth SHA1,keysize 128,secret' Jan 31 01:57:34 openvpn 99595 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.10.15.1 10.10.15.2,cipher AES-128-CBC,auth SHA1,keysize 128,secret' Jan 31 01:57:34 openvpn 99595 Socket Buffers: R=[42080->42080] S=[57344->57344] Jan 31 01:57:34 openvpn 99595 UDPv4 link local (bound): [AF_INET]80.82.72.17:1194 Jan 31 01:57:34 openvpn 99595 UDPv4 link remote: [AF_UNSPEC] Jan 31 01:57:34 openvpn 73548 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Jan 31 01:57:34 openvpn 73548 Re-using pre-shared static key Jan 31 01:57:34 openvpn 73548 Preserving previous TUN/TAP instance: ovpns3 Jan 31 01:57:34 openvpn 73548 UDPv4 link local (bound): [AF_INET]80.82.72.17:1562 Jan 31 01:57:34 openvpn 73548 UDPv4 link remote: [AF_UNSPEC] Jan 31 01:57:36 openvpn 99595 Peer Connection Initiated with [AF_INET]143.179.6.63:8616 Jan 31 01:57:36 openvpn 99595 Initialization Sequence Completed Jan 31 01:57:37 openvpn 99595 PID_ERR replay-window backtrack occurred [7] [STATIC-0] [0_0_0_0_00000000000000000000000000000000000000000000000000000111] 1517357907:13601 1517357907:13594 t=1517360612[355] r=[354,64,15,7,1] sl=[37,64,64,528] Jan 31 01:57:43 openvpn 73548 Peer Connection Initiated with [AF_INET]85.149.43.135:63558 Jan 31 01:57:43 openvpn 73548 Initialization Sequence CompletedPID 995595 = client with 4G
PID 73547 = client with ADSL -
I also see that the 'Connected since' time is ahead of the PFsense time. The time show correctly for the OpenVPN servers that are setup as 'remote access'
Does anyone have a clue?