OpenVPN clients flip status every 120 seconds



  • I am connecting to two OpenVPN servers with OpenVPN clients of pfSense.

    Connections work, but every 120 seconds they turn from available to unavailable and back. I.e. ping works for 120 seconds, then it stops working and doesn't work for 120 seconds, then it starts working again and so on.

    Each period lasts 120 seconds very precisely.

    The log is as follows:

    
    [server] Inactivity timeout (--ping-restart), restarting
    SIGUSR1[soft,ping-restart] received, process restarting
    Restart pause, 2 second(s)
    WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Socket Buffers: R=[42080->42080] S=[57344->57344]
    UDPv4 link local (bound): [AF_INET]MY.SE.RV.ER
    UDPv4 link remote: [AF_INET]MY.SE.RV.ER:1194
    TLS: Initial packet from [AF_INET]MYSERVER:1194, sid=e1f19b04 500620f5
    VERIFY OK: ...
    VERIFY OK: ...
    Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
    Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
    Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    [server] Peer Connection Initiated with [AF_INET]MY.SE.RV.ER:1194
    SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    PUSH: Received control message: 'PUSH_REPLY,route 10.10.0.0 255.255.255.0,route-gateway 10.11.0.1,ping 10,ping-restart 120,ifconfig 10.11.0.34 255.255.255.0'
    OPTIONS IMPORT: timers and/or timeouts modified
    OPTIONS IMPORT: --ifconfig/up options modified
    OPTIONS IMPORT: route options modified
    OPTIONS IMPORT: route-related options modified
    Preserving previous TUN/TAP instance: ovpnc5
    Initialization Sequence Completed
    
    

  • LAYER 8 Netgate

    Sounds like what you get when you have two clients connecting to the same server using the same credentials and have duplicate connections disabled.



  • You were probably right!
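
One way to confirm the shared-credential diagnosis from the server side, as an added example that is not part of the original thread: scan the OpenVPN server log for a common name that is seen from more than one source address and keeps displacing its own earlier session. The syslog prefix, the client names `site-a`/`site-b` and the addresses are constructed; the two message formats are assumed to match what the server writes.

```python
import re
from collections import defaultdict

# Constructed server-side log sample (not taken from the thread).
SAMPLE_LOG = """\
Jan 10 10:00:00 openvpn[311]: 198.51.100.7:40112 [site-a] Peer Connection Initiated with [AF_INET]198.51.100.7:40112
Jan 10 10:00:05 openvpn[311]: 192.0.2.9:33001 [site-b] Peer Connection Initiated with [AF_INET]192.0.2.9:33001
Jan 10 10:02:02 openvpn[311]: 203.0.113.20:51820 [site-a] Peer Connection Initiated with [AF_INET]203.0.113.20:51820
Jan 10 10:02:02 openvpn[311]: MULTI: new connection by client 'site-a' will cause previous active sessions by this client to be dropped.
Jan 10 10:04:04 openvpn[311]: 198.51.100.7:40118 [site-a] Peer Connection Initiated with [AF_INET]198.51.100.7:40118
Jan 10 10:04:04 openvpn[311]: MULTI: new connection by client 'site-a' will cause previous active sessions by this client to be dropped.
Jan 10 10:06:06 openvpn[311]: 203.0.113.20:51827 [site-a] Peer Connection Initiated with [AF_INET]203.0.113.20:51827
Jan 10 10:06:06 openvpn[311]: MULTI: new connection by client 'site-a' will cause previous active sessions by this client to be dropped.
"""

# "[<common name>] Peer Connection Initiated with [AF_INET]<ip>:<port>"
PEER_RE = re.compile(
    r"\[(?P<cn>[^\]]+)\] Peer Connection Initiated with "
    r"\[AF_INET\](?P<ip>\d+(?:\.\d+){3}):\d+"
)
# Logged when a new session replaces a live one with the same identity.
MULTI_RE = re.compile(
    r"MULTI: new connection by client '(?P<cn>[^']+)' "
    r"will cause previous active sessions"
)

def find_shared_identities(log_text):
    """Return common names used from several addresses that displace themselves."""
    sources = defaultdict(set)   # common name -> source IPs seen
    displaced = defaultdict(int) # common name -> sessions dropped by a newer one
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            sources[m["cn"]].add(m["ip"])
            continue
        m = MULTI_RE.search(line)
        if m:
            displaced[m["cn"]] += 1
    # Two clients behind one NAT address share a source IP and are not caught here.
    return {
        cn: {"sources": sorted(ips), "displacements": displaced[cn]}
        for cn, ips in sources.items()
        if len(ips) > 1 and displaced[cn] > 0
    }

if __name__ == "__main__":
    for cn, info in find_shared_identities(SAMPLE_LOG).items():
        print(f"{cn}: shared by {info['sources']}, dropped {info['displacements']} times")
```

A common name reported here should be split so that each client has its own certificate or credentials, which also keeps per-client revocation and logging meaningful.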

