OpenVPN with 2 clients results in disconnect for both
-
Hi,
I have a strange problem which I cannot sort out.
My OpenVPN server on pfSense is running fine when I only connect a single client. As soon as a second client is connected, none of them can get traffic through anymore. The connection to the OpenVPN server nevertheless is kept up (at least that's what the GUI says, no ping anymore). For each device I created a dedicated user in the pfSense user management with their own certificate.
I use the OpenVPN client export utility to get the config for 1 Windows client and 1 Android client.
-
Did you specify a CSO for each User?
Anything special in the OpenVPN server log when the second User connects?
-Rico
-
No, there's no CSO defined.
Actually, to be more precise: I don't get an active disconnect, but as soon as I connect with one device, the network adapter of the other seems to be disabled/frozen/stuck. Especially on my Windows PC with an OpenVPN client, it takes 1-2 minutes for the virtual adapter to perform the "disconnect"/unfreeze.
What I see now in the logs is an Authenticate/Decrypt packet error which I have no clue where it comes from.
Here are the logs:
Feb 27 17:00:57 openvpn 27800 MY_OpenVPN/xx.xxx.225.201:61703 MULTI_sva: pool returned IPv4=10.0.8.2, IPv6=(Not enabled)
Feb 27 17:00:56 openvpn user 'MY_OpenVPN' authenticated
Feb 27 17:00:56 openvpn 27800 xx.yyy.225.201:61703 [MY_OpenVPN] Peer Connection Initiated with [AF_INET]xx.xxx.225.201:61703
Feb 27 17:00:56 openvpn 27800 xx.yyy.225.201:61703 peer info: IV_GUI_VER=OpenVPN_GUI_11
Feb 27 17:00:56 openvpn 27800 xx.yyy.225.201:61703 peer info: IV_TCPNL=1
Feb 27 17:00:56 openvpn 27800 xx.yyy.225.201:61703 peer info: IV_COMP_STUBv2=1
Feb 27 17:00:56 openvpn 27800 xx.yyy.225.201:61703 peer info: IV_COMP_STUB=1
Feb 27 17:00:56 openvpn 27800 xx.yyy.225.201:61703 peer info: IV_LZO=1
Feb 27 17:00:56 openvpn 27800 xx.yyy.225.201:61703 peer info: IV_LZ4v2=1
Feb 27 17:00:56 openvpn 27800 xx.yyy.225.201:61703 peer info: IV_LZ4=1
Feb 27 17:00:56 openvpn 27800 xx.yyy.225.201:61703 peer info: IV_NCP=2
Feb 27 17:00:56 openvpn 27800 xx.yyy.225.201:61703 peer info: IV_PROTO=2
Feb 27 17:00:56 openvpn 27800 xx.yyy.225.201:61703 peer info: IV_PLAT=win
Feb 27 17:00:56 openvpn 27800 xx.yyy.225.201:61703 peer info: IV_VER=2.4.7
Feb 27 17:00:18 openvpn 27800 MY_OpenVPN/xx.xxx.225.201:61703 [MY_OpenVPN] Inactivity timeout (--ping-restart), restarting
Feb 27 17:00:09 openvpn 58140 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70926101 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Feb 27 17:00:09 openvpn 58140 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70926100 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Feb 27 17:00:09 openvpn 58140 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70926099 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Feb 27 17:00:09 openvpn 58140 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70926098 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Feb 27 16:57:48 openvpn 27800 MYMobile_OpenVPN/aa.bb.85.83:39551 MULTI_sva: pool returned IPv4=10.0.8.3, IPv6=(Not enabled)
Feb 27 16:57:47 openvpn user 'MYMobile_OpenVPN' authenticated
Feb 27 16:57:47 openvpn 27800 aa.bb.85.83:39551 [MYMobile_OpenVPN] Peer Connection Initiated with [AF_INET]aa.bb.85.83:39551
Feb 27 16:57:47 openvpn 27800 aa.bb.85.83:39551 peer info: IV_PROTO=2
Feb 27 16:57:47 openvpn 27800 aa.bb.85.83:39551 peer info: IV_TCPNL=1
Feb 27 16:57:47 openvpn 27800 aa.bb.85.83:39551 peer info: IV_NCP=2
Feb 27 16:57:47 openvpn 27800 aa.bb.85.83:39551 peer info: IV_PLAT=android
Feb 27 16:57:47 openvpn 27800 aa.bb.85.83:39551 peer info: IV_VER=3.git::728733ae:Release
Feb 27 16:57:47 openvpn 27800 aa.bb.85.83:39551 peer info: IV_GUI_VER=OC30Android
-
Authenticate/Decrypt packet error: bad packet ID (may be a replay)
can be caused by majority of problems. Could be a general network connectivity problem, bad time (check time settings for your server + clients, they must be in sync), wrong MTU size, and so on.
I would not expect the Authenticate/Decrypt packet error caused by a second client connecting. Are you sure your clients each have a unique Cert?
Do you see this every time after the second client connecting? No matter which one connects first or second?
With only one client connected, either Win or Android, you never see Authenticate/Decrypt packet error in the Log?
-Rico
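A triage sketch for the questions above, added here as an example and not part of any post in this thread: it groups OpenVPN log lines by process ID, counts the replay warnings per process, and checks whether each common name received its own tunnel address. It assumes the number after `openvpn` is the logging process ID; the sample log is constructed (documentation addresses) and `triage` is a hypothetical name. In the log posted above, the replay warnings carry 58140 while both client sessions are logged under 27800.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the log lines in this thread.
SAMPLE_LOG = """\
Feb 27 16:57:47 openvpn 27800 198.51.100.83:39551 [MYMobile_OpenVPN] Peer Connection Initiated with [AF_INET]198.51.100.83:39551
Feb 27 16:57:48 openvpn 27800 MYMobile_OpenVPN/198.51.100.83:39551 MULTI_sva: pool returned IPv4=10.0.8.3, IPv6=(Not enabled)
Feb 27 17:00:09 openvpn 58140 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70926098 ] -- see the man page
Feb 27 17:00:09 openvpn 58140 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70926099 ] -- see the man page
Feb 27 17:00:18 openvpn 27800 MY_OpenVPN/203.0.113.201:61703 [MY_OpenVPN] Inactivity timeout (--ping-restart), restarting
Feb 27 17:00:56 openvpn 27800 203.0.113.201:61703 [MY_OpenVPN] Peer Connection Initiated with [AF_INET]203.0.113.201:61703
Feb 27 17:00:57 openvpn 27800 MY_OpenVPN/203.0.113.201:61703 MULTI_sva: pool returned IPv4=10.0.8.2, IPv6=(Not enabled)
"""

LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+openvpn\s+(\d+)\s+(.*)$")
POOL = re.compile(r"^([^/\s]+)/\S+ MULTI_sva: pool returned IPv4=([\d.]+)")
REPLAY = "bad packet ID (may be a replay)"

def triage(log_text):
    replay_by_pid = defaultdict(int)   # pid -> number of replay warnings
    session_pids = set()               # pids that accepted client sessions
    leases = defaultdict(set)          # common name -> tunnel IPs handed out
    owners = defaultdict(set)          # tunnel IP -> common names using it
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:                      # e.g. the "user ... authenticated" line has no pid
            continue
        pid, msg = m.groups()
        if REPLAY in msg:
            replay_by_pid[pid] += 1
        elif "Peer Connection Initiated" in msg:
            session_pids.add(pid)
        pool = POOL.match(msg)
        if pool:
            session_pids.add(pid)
            leases[pool.group(1)].add(pool.group(2))
            owners[pool.group(2)].add(pool.group(1))
    return {
        "replay_by_pid": dict(replay_by_pid),
        # Replay warnings from a process that never served these clients
        # point at a different OpenVPN instance than the one under test.
        "replay_only_pids": sorted(set(replay_by_pid) - session_pids),
        "leases": {cn: sorted(ips) for cn, ips in leases.items()},
        # One tunnel IP handed to two common names would explain traffic loss.
        "shared_ips": {ip: sorted(c) for ip, c in owners.items() if len(c) > 1},
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```
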
-
@PedroBelliato, no, I still have the issue.
But to be honest, I currently have other topics I'm focusing on... so I did not continue investigating.
Nevertheless, my next step would be to completely set up the OpenVPN server on the pfSense from scratch. Did you do a clean setup already?
-
blank is 1 connection
set it to n+1, e.g. --> 2 users results in 3
saved me some trouble
-
@noplan said in OpenVPN with 2 clients results in disconnect for both:
blank is 1 connection
set it to n+1, e.g. --> 2 users results in 3
saved me some trouble
What I found out quickly is that only my Windows client gets disconnected while the Android client still works. Very strange. Maybe I need to reinstall my Windows OpenVPN client. But I currently don't have access to this machine.