OpenVPN clients flip status each 120 seconds
I am connecting to two OpenVPN servers with OpenVPN clients of pfSense.
Connections work, but each 120 seconds they turn from available to unavailable and back. I.e. ping works for 120 seconds, then it stops working and doesn't work for 120 seconds, then it turns working again and so on.
Each period lasts 120 seconds very precisely.
Log is following:
[server] Inactivity timeout (--ping-restart), restarting SIGUSR1[soft,ping-restart] received, process restarting Restart pause, 2 second(s) WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Socket Buffers: R=[42080->42080] S=[57344->57344] UDPv4 link local (bound): [AF_INET]MY.SE.RV.ER UDPv4 link remote: [AF_INET]MY.SE.RV.ER:1194 TLS: Initial packet from [AF_INET]MYSERVER:1194, sid=e1f19b04 500620f5 VERIFY OK: ... VERIFY OK: ... Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32\. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32\. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA [server] Peer Connection Initiated with [AF_INET]MY.SE.RV.ER:1194 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) PUSH: Received control message: 'PUSH_REPLY,route 10.10.0.0 255.255.255.0,route-gateway 10.11.0.1,ping 10,ping-restart 120,ifconfig 10.11.0.34 255.255.255.0' OPTIONS IMPORT: timers and/or timeouts modified OPTIONS IMPORT: --ifconfig/up options modified OPTIONS IMPORT: route options modified OPTIONS IMPORT: route-related options modified Preserving previous TUN/TAP instance: ovpnc5 Initialization Sequence Completed
Sounds like what you get when you have two clients connecting to the same server using the same credentials and have duplicate connections disabled.
You were probably right!