Site-to-site VPN reconnects every couple of minutes



  • Hi,

    I've a couple of OpenVPN servers running on pfSense. Some of them are of type 'remote access' and two are peer-to-peer (site-to-site).

    The remote access VPNs work very stably. Site-to-site does not. On the server side I see that both are reconnecting every couple of minutes. They run a pfSense router as well. The pfSense routers on the client side show that they are connected for 8+ hours, while on the server side pfSense shows the real 'connected since' value.

    The reconnect only takes 1 or 2 seconds, but it's quite annoying since RDP is routed over these tunnels.

    One client connects using ADSL (fixed IP) while the other connects over 4G (dynamic IP). Both clients have exactly the same issues.

    Any hints?

    Client log:

    
    Jan 31 01:18:27	openvpn	14069	UDPv4 link remote: [AF_INET]80.82.72.17:1194
    Jan 31 01:18:29	openvpn	14069	Peer Connection Initiated with [AF_INET]80.82.72.17:1194
    Jan 31 01:18:30	openvpn	14069	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Jan 31 01:18:30	openvpn	14069	Initialization Sequence Completed
    Jan 31 01:18:31	openvpn	14069	PID_ERR replay-window backtrack occurred [1] [STATIC-0] [0_000000000000000000000000000111122__________] 1517357843:45 1517357843:44 t=1517357911[0] r=[-2,64,15,1,1] sl=[19,45,64,528]
    Jan 31 01:18:31	openvpn	14069	PID_ERR replay-window backtrack occurred [2] [STATIC-0] [0__00000_0000000000000000000000000000000000000000000000000000000] 1517357843:83 1517357843:81 t=1517357911[0] r=[-2,64,15,2,1] sl=[45,64,64,528]
    Jan 31 01:18:31	openvpn	14069	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 31 01:18:31	openvpn	14069	MANAGEMENT: CMD 'state 1'
    Jan 31 01:18:31	openvpn	14069	MANAGEMENT: CMD 'status 2'
    Jan 31 01:18:31	openvpn	14069	MANAGEMENT: Client disconnected
    Jan 31 01:18:32	openvpn	14069	PID_ERR replay-window backtrack occurred [3] [STATIC-0] [0___000000000000000000000000000000000000000000000000000000000000] 1517357843:684 1517357843:681 t=1517357912[0] r=[-3,64,15,3,1] sl=[20,64,64,528]
    Jan 31 01:50:55	openvpn	14069	PID_ERR replay-window backtrack occurred [4] [STATIC-0] [0____00000000000000000000000000000000000000000000000_00000000000] 1517360089:183 1517360089:179 t=1517359855[0] r=[-2,64,15,4,1] sl=[9,64,64,528]
    Jan 31 02:04:24	openvpn	14069	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 31 02:04:24	openvpn	14069	MANAGEMENT: CMD 'state 1'
    Jan 31 02:04:24	openvpn	14069	MANAGEMENT: CMD 'status 2'
    Jan 31 02:04:24	openvpn	14069	MANAGEMENT: Client disconnected
    Jan 31 02:11:39	openvpn	14069	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Jan 31 02:11:39	openvpn	14069	MANAGEMENT: CMD 'state 1'
    Jan 31 02:11:39	openvpn	14069	MANAGEMENT: CMD 'status 2'
    Jan 31 02:11:39	openvpn	14069	MANAGEMENT: Client disconnected
    
    

    Server side:

    
    Jan 31 01:41:22	openvpn	99595	UDPv4 link local (bound): [AF_INET]80.82.72.17:1194
    Jan 31 01:41:22	openvpn	99595	UDPv4 link remote: [AF_UNSPEC]
    Jan 31 01:41:22	openvpn	99595	Peer Connection Initiated with [AF_INET]143.179.6.63:8616
    Jan 31 01:41:22	openvpn	73548	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 31 01:41:22	openvpn	73548	Re-using pre-shared static key
    Jan 31 01:41:22	openvpn	73548	Preserving previous TUN/TAP instance: ovpns3
    Jan 31 01:41:22	openvpn	73548	UDPv4 link local (bound): [AF_INET]80.82.72.17:1562
    Jan 31 01:41:22	openvpn	73548	UDPv4 link remote: [AF_UNSPEC]
    Jan 31 01:41:23	openvpn	99595	Initialization Sequence Completed
    Jan 31 01:41:25	openvpn	99595	PID_ERR replay-window backtrack occurred [7] [STATIC-0] [0_0_0_0_00000000000000000000000000000000111111111111111111111111] 1517357907:8568 1517357907:8561 t=1517359522[237] r=[234,64,15,7,1] sl=[24,64,64,528]
    Jan 31 01:41:29	openvpn	73548	Peer Connection Initiated with [AF_INET]85.149.43.135:63558
    Jan 31 01:41:29	openvpn	73548	Initialization Sequence Completed
    Jan 31 01:41:32	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
    Jan 31 01:41:32	openvpn	99595	MANAGEMENT: CMD 'state 1'
    Jan 31 01:41:32	openvpn	99595	MANAGEMENT: CMD 'status 2'
    Jan 31 01:41:32	openvpn	99595	MANAGEMENT: Client disconnected
    Jan 31 01:41:32	openvpn	73548	WARNING: 'tun-ipv6' is present in remote config but missing in local config, remote='tun-ipv6'
    Jan 31 01:41:59	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
    Jan 31 01:41:59	openvpn	99595	MANAGEMENT: CMD 'status 2'
    Jan 31 01:41:59	openvpn	99595	MANAGEMENT: CMD 'quit'
    Jan 31 01:41:59	openvpn	99595	MANAGEMENT: Client disconnected
    Jan 31 01:43:02	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
    Jan 31 01:43:02	openvpn	99595	MANAGEMENT: CMD 'status 2'
    Jan 31 01:43:03	openvpn	99595	MANAGEMENT: CMD 'quit'
    Jan 31 01:43:03	openvpn	99595	MANAGEMENT: Client disconnected
    Jan 31 01:44:05	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
    Jan 31 01:44:05	openvpn	99595	MANAGEMENT: CMD 'status 2'
    Jan 31 01:44:06	openvpn	99595	MANAGEMENT: CMD 'quit'
    Jan 31 01:44:06	openvpn	99595	MANAGEMENT: Client disconnected
    Jan 31 01:45:08	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
    Jan 31 01:45:09	openvpn	99595	MANAGEMENT: CMD 'status 2'
    Jan 31 01:45:09	openvpn	99595	MANAGEMENT: CMD 'quit'
    Jan 31 01:45:09	openvpn	99595	MANAGEMENT: Client disconnected
    Jan 31 01:46:11	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
    Jan 31 01:46:12	openvpn	99595	MANAGEMENT: CMD 'status 2'
    Jan 31 01:46:12	openvpn	99595	MANAGEMENT: CMD 'quit'
    Jan 31 01:46:12	openvpn	99595	MANAGEMENT: Client disconnected
    Jan 31 01:47:14	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
    Jan 31 01:47:15	openvpn	99595	MANAGEMENT: CMD 'status 2'
    Jan 31 01:47:15	openvpn	99595	MANAGEMENT: CMD 'quit'
    Jan 31 01:47:15	openvpn	99595	MANAGEMENT: Client disconnected
    Jan 31 01:48:18	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
    Jan 31 01:48:18	openvpn	99595	MANAGEMENT: CMD 'status 2'
    Jan 31 01:48:18	openvpn	99595	MANAGEMENT: CMD 'quit'
    Jan 31 01:48:18	openvpn	99595	MANAGEMENT: Client disconnected
    Jan 31 01:49:21	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
    Jan 31 01:49:21	openvpn	99595	MANAGEMENT: CMD 'status 2'
    Jan 31 01:49:21	openvpn	99595	MANAGEMENT: CMD 'quit'
    Jan 31 01:49:21	openvpn	99595	MANAGEMENT: Client disconnected
    Jan 31 01:50:47	openvpn	99595	Inactivity timeout (--ping-restart), restarting
    Jan 31 01:50:47	openvpn	99595	TCP/UDP: Closing socket
    Jan 31 01:50:47	openvpn	99595	SIGUSR1[soft,ping-restart] received, process restarting
    Jan 31 01:50:47	openvpn	99595	Restart pause, 5 second(s)
    Jan 31 01:50:48	openvpn	73548	Inactivity timeout (--ping-restart), restarting
    Jan 31 01:50:48	openvpn	73548	SIGUSR1[soft,ping-restart] received, process restarting
    Jan 31 01:49:53	openvpn	99595	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 31 01:49:53	openvpn	99595	Re-using pre-shared static key
    Jan 31 01:49:53	openvpn	99595	Preserving previous TUN/TAP instance: ovpns5
    Jan 31 01:49:53	openvpn	99595	Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:396 ET:0 EL:3 ]
    Jan 31 01:49:53	openvpn	99595	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.10.15.2 10.10.15.1,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
    Jan 31 01:49:53	openvpn	99595	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.10.15.1 10.10.15.2,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
    Jan 31 01:49:53	openvpn	99595	Socket Buffers: R=[42080->42080] S=[57344->57344]
    Jan 31 01:49:53	openvpn	99595	UDPv4 link local (bound): [AF_INET]80.82.72.17:1194
    Jan 31 01:49:53	openvpn	99595	UDPv4 link remote: [AF_UNSPEC]
    Jan 31 01:49:53	openvpn	99595	Peer Connection Initiated with [AF_INET]143.179.6.63:8616
    Jan 31 01:49:54	openvpn	99595	Initialization Sequence Completed
    Jan 31 01:49:54	openvpn	73548	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 31 01:49:54	openvpn	73548	Re-using pre-shared static key
    Jan 31 01:49:54	openvpn	73548	Preserving previous TUN/TAP instance: ovpns3
    Jan 31 01:49:54	openvpn	73548	UDPv4 link local (bound): [AF_INET]80.82.72.17:1562
    Jan 31 01:49:54	openvpn	73548	UDPv4 link remote: [AF_UNSPEC]
    Jan 31 01:49:55	openvpn	73548	Peer Connection Initiated with [AF_INET]85.149.43.135:63558
    Jan 31 01:49:55	openvpn	73548	Initialization Sequence Completed
    Jan 31 01:49:55	openvpn	99595	PID_ERR replay-window backtrack occurred [7] [STATIC-0] [0_0_0_0_00000000000000000000000000000000000000000000000000000000] 1517357907:11050 1517357907:11043 t=1517360091[296] r=[294,64,15,7,1] sl=[13,64,64,528]
    Jan 31 01:49:55	openvpn	99595	PID_ERR replay-window backtrack occurred [8] [STATIC-0] [000000_0_0000000000000000000000000000000000000000000000000000000] 1517357907:11203 1517357907:11195 t=1517360091[296] r=[294,64,15,8,1] sl=[52,64,64,528]
    Jan 31 01:50:04	openvpn	73548	WARNING: 'tun-ipv6' is present in remote config but missing in local config, remote='tun-ipv6'
    Jan 31 01:50:24	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
    Jan 31 01:50:24	openvpn	99595	MANAGEMENT: CMD 'status 2'
    Jan 31 01:50:24	openvpn	99595	MANAGEMENT: CMD 'quit'
    Jan 31 01:50:24	openvpn	99595	MANAGEMENT: Client disconnected
    Jan 31 01:51:27	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
    Jan 31 01:51:27	openvpn	99595	MANAGEMENT: CMD 'status 2'
    Jan 31 01:51:27	openvpn	99595	MANAGEMENT: CMD 'quit'
    Jan 31 01:51:27	openvpn	99595	MANAGEMENT: Client disconnected
    Jan 31 01:52:30	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
    Jan 31 01:52:30	openvpn	99595	MANAGEMENT: CMD 'status 2'
    Jan 31 01:52:30	openvpn	99595	MANAGEMENT: CMD 'quit'
    Jan 31 01:52:30	openvpn	99595	MANAGEMENT: Client disconnected
    Jan 31 01:53:33	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
    Jan 31 01:53:33	openvpn	99595	MANAGEMENT: CMD 'status 2'
    Jan 31 01:53:34	openvpn	99595	MANAGEMENT: CMD 'quit'
    Jan 31 01:53:34	openvpn	99595	MANAGEMENT: Client disconnected
    Jan 31 01:54:36	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
    Jan 31 01:54:37	openvpn	99595	MANAGEMENT: CMD 'status 2'
    Jan 31 01:54:37	openvpn	99595	MANAGEMENT: CMD 'quit'
    Jan 31 01:54:37	openvpn	99595	MANAGEMENT: Client disconnected
    Jan 31 01:55:39	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
    Jan 31 01:55:40	openvpn	99595	MANAGEMENT: CMD 'status 2'
    Jan 31 01:55:40	openvpn	99595	MANAGEMENT: CMD 'quit'
    Jan 31 01:55:40	openvpn	99595	MANAGEMENT: Client disconnected
    Jan 31 01:56:43	openvpn	99595	MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
    Jan 31 01:56:43	openvpn	99595	MANAGEMENT: CMD 'status 2'
    Jan 31 01:56:43	openvpn	99595	MANAGEMENT: CMD 'quit'
    Jan 31 01:56:43	openvpn	99595	MANAGEMENT: Client disconnected
    Jan 31 01:58:28	openvpn	73548	Inactivity timeout (--ping-restart), restarting
    Jan 31 01:58:28	openvpn	73548	SIGUSR1[soft,ping-restart] received, process restarting
    Jan 31 01:58:28	openvpn	99595	Inactivity timeout (--ping-restart), restarting
    Jan 31 01:58:28	openvpn	99595	TCP/UDP: Closing socket
    Jan 31 01:58:28	openvpn	99595	SIGUSR1[soft,ping-restart] received, process restarting
    Jan 31 01:58:28	openvpn	99595	Restart pause, 5 second(s)
    Jan 31 01:57:34	openvpn	99595	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 31 01:57:34	openvpn	99595	Re-using pre-shared static key
    Jan 31 01:57:34	openvpn	99595	Preserving previous TUN/TAP instance: ovpns5
    Jan 31 01:57:34	openvpn	99595	Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:396 ET:0 EL:3 ]
    Jan 31 01:57:34	openvpn	99595	Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.10.15.2 10.10.15.1,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
    Jan 31 01:57:34	openvpn	99595	Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.10.15.1 10.10.15.2,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
    Jan 31 01:57:34	openvpn	99595	Socket Buffers: R=[42080->42080] S=[57344->57344]
    Jan 31 01:57:34	openvpn	99595	UDPv4 link local (bound): [AF_INET]80.82.72.17:1194
    Jan 31 01:57:34	openvpn	99595	UDPv4 link remote: [AF_UNSPEC]
    Jan 31 01:57:34	openvpn	73548	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 31 01:57:34	openvpn	73548	Re-using pre-shared static key
    Jan 31 01:57:34	openvpn	73548	Preserving previous TUN/TAP instance: ovpns3
    Jan 31 01:57:34	openvpn	73548	UDPv4 link local (bound): [AF_INET]80.82.72.17:1562
    Jan 31 01:57:34	openvpn	73548	UDPv4 link remote: [AF_UNSPEC]
    Jan 31 01:57:36	openvpn	99595	Peer Connection Initiated with [AF_INET]143.179.6.63:8616
    Jan 31 01:57:36	openvpn	99595	Initialization Sequence Completed
    Jan 31 01:57:37	openvpn	99595	PID_ERR replay-window backtrack occurred [7] [STATIC-0] [0_0_0_0_00000000000000000000000000000000000000000000000000000111] 1517357907:13601 1517357907:13594 t=1517360612[355] r=[354,64,15,7,1] sl=[37,64,64,528]
    Jan 31 01:57:43	openvpn	73548	Peer Connection Initiated with [AF_INET]85.149.43.135:63558
    Jan 31 01:57:43	openvpn	73548	Initialization Sequence Completed
    
    

    PID 995595 = client with 4G
    PID 73547 = client with ADSL
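An added example (not code from the post, pfSense or OpenVPN): a small Python parser for log lines in the format shown above that pulls out, per OpenVPN process id, the cadence of `--ping-restart` restarts, the number of `PID_ERR replay-window backtrack` errors, and any place where the log's own timestamps step backwards in log order (the server log above does this right after each restart, which is worth comparing with the 'connected since' mismatch). The sample lines are a constructed, abbreviated subset of the server-side log in the post, and the year is an assumption (2018) because the log lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# pfSense system-log line as shown in the post:
# "Mon DD HH:MM:SS<TAB>openvpn<TAB>PID<TAB>message"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2})"
    r"\topenvpn\t(?P<pid>\d+)\t(?P<msg>.*)$"
)

RESTART_MARKER = "Inactivity timeout (--ping-restart)"
REPLAY_MARKER = "PID_ERR replay-window backtrack"

# Constructed sample: a subset of the server-side lines from the post, kept in
# log order; the long PID_ERR payloads are abbreviated with "...".
SAMPLE_LOG = "\n".join([
    "Jan 31 01:41:22\topenvpn\t99595\tPeer Connection Initiated with [AF_INET]143.179.6.63:8616",
    "Jan 31 01:41:23\topenvpn\t99595\tInitialization Sequence Completed",
    "Jan 31 01:41:25\topenvpn\t99595\tPID_ERR replay-window backtrack occurred [7] [STATIC-0] ...",
    "Jan 31 01:49:21\topenvpn\t99595\tMANAGEMENT: Client disconnected",
    "Jan 31 01:50:47\topenvpn\t99595\tInactivity timeout (--ping-restart), restarting",
    "Jan 31 01:50:47\topenvpn\t99595\tSIGUSR1[soft,ping-restart] received, process restarting",
    "Jan 31 01:50:48\topenvpn\t73548\tInactivity timeout (--ping-restart), restarting",
    "Jan 31 01:49:53\topenvpn\t99595\tRe-using pre-shared static key",
    "Jan 31 01:49:54\topenvpn\t99595\tInitialization Sequence Completed",
    "Jan 31 01:49:55\topenvpn\t99595\tPID_ERR replay-window backtrack occurred [7] [STATIC-0] ...",
    "Jan 31 01:58:28\topenvpn\t73548\tInactivity timeout (--ping-restart), restarting",
    "Jan 31 01:58:28\topenvpn\t99595\tInactivity timeout (--ping-restart), restarting",
    "Jan 31 01:57:34\topenvpn\t99595\tRe-using pre-shared static key",
    "Jan 31 01:57:36\topenvpn\t99595\tPeer Connection Initiated with [AF_INET]143.179.6.63:8616",
    "Jan 31 01:57:37\topenvpn\t99595\tPID_ERR replay-window backtrack occurred [7] [STATIC-0] ...",
])


def parse_log(text, year=2018):
    """Return (timestamp, pid, message) tuples in log order; lines that do not match are skipped.

    The year is an assumption: pfSense log lines carry none.
    """
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["pid"], m["msg"]))
    return events


def restart_times(events):
    """Timestamps of --ping-restart restarts, grouped by OpenVPN process id."""
    by_pid = defaultdict(list)
    for ts, pid, msg in events:
        if msg.startswith(RESTART_MARKER):
            by_pid[pid].append(ts)
    return dict(by_pid)


def restart_intervals(events):
    """Seconds between successive restarts of each process; short, regular gaps mean a flapping tunnel."""
    return {
        pid: [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        for pid, times in restart_times(events).items()
    }


def replay_backtrack_counts(events):
    """Number of replay-window backtrack errors per process (out-of-order or duplicated UDP datagrams)."""
    counts = defaultdict(int)
    for _, pid, msg in events:
        if msg.startswith(REPLAY_MARKER):
            counts[pid] += 1
    return dict(counts)


def clock_regressions(events):
    """(previous_ts, this_ts, seconds_back) wherever a line's timestamp is earlier than the line before it."""
    found = []
    prev = None
    for ts, _, _ in events:
        if prev is not None and ts < prev:
            found.append((prev, ts, int((prev - ts).total_seconds())))
        prev = ts
    return found


def summarize(text, year=2018):
    """One report dict for a pasted log: restart cadence, replay errors and clock steps."""
    events = parse_log(text, year)
    return {
        "restart_intervals": restart_intervals(events),
        "replay_backtracks": replay_backtrack_counts(events),
        "clock_regressions": [(a.isoformat(), b.isoformat(), s) for a, b, s in clock_regressions(events)],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports one restart gap of 461 s for PID 99595 and 460 s for PID 73548, three replay-window backtracks for 99595, and two points where the log time steps back (55 s and 54 s). Pasting a longer stretch of the real server log into `summarize()` shows whether the restart gaps line up with the OpenVPN `ping`/`ping-restart` settings and whether the time steps recur after every restart.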



  • I also see that the 'Connected since' time is ahead of the pfSense time. The time shows correctly for the OpenVPN servers that are set up as 'remote access'.

    Does anyone have a clue?