OpenVPN freezes temporarily for a few seconds when there is a new connection, with pfSense 21.02.2-RELEASE
-
We have upgraded from 2.4.5 to 21.02.2-RELEASE on an SG-4860, and since the upgrade the OpenVPN connections freeze momentarily. There is no packet loss. There are, however, 2 clients which try to connect every few seconds and somehow can't complete the connection. That is 2 out of 130, the rest of which are already connected.
There is no congestion, and if I create another OpenVPN server with exactly the same settings (except a different tunnel network) everything works just fine.
This is through the tunnel:
64 bytes from 192.168.220.230: icmp_req=1 ttl=63 time=2071 ms
64 bytes from 192.168.220.230: icmp_req=2 ttl=63 time=1077 ms
64 bytes from 192.168.220.230: icmp_req=3 ttl=63 time=83.2 ms
64 bytes from 192.168.220.230: icmp_req=4 ttl=63 time=15.2 ms
64 bytes from 192.168.220.230: icmp_req=5 ttl=63 time=15.0 ms
64 bytes from 192.168.220.230: icmp_req=6 ttl=63 time=2219 ms
64 bytes from 192.168.220.230: icmp_req=7 ttl=63 time=1225 ms
64 bytes from 192.168.220.230: icmp_req=8 ttl=63 time=231 ms
64 bytes from 192.168.220.230: icmp_req=9 ttl=63 time=18.4 ms
64 bytes from 192.168.220.230: icmp_req=10 ttl=63 time=2595 ms
64 bytes from 192.168.220.230: icmp_req=11 ttl=63 time=1610 ms
64 bytes from 192.168.220.230: icmp_req=12 ttl=63 time=625 ms
64 bytes from 192.168.220.230: icmp_req=13 ttl=63 time=80.6 ms
64 bytes from 192.168.220.230: icmp_req=14 ttl=63 time=15.0 ms
Also, the OpenVPN dashboard widget and the status page do not show the connected clients. They sometimes show them, but usually show 0 clients connected.
Is anybody else having similar symptoms? It is almost as if, whenever there is a new connection, all the other connections hang momentarily.
Thanks!
-
Actually, we made some progress debugging the issue. Setting the "Certificate Depth" to "Do Not Check" seems to fix the issue. I am not sure why this was not a problem on 2.4.
It seems that this setting causes OpenVPN to run a PHP script, possibly blocking the process while it runs. It seems to add a line like:
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'openvpn.domain.fi+' 1"
We have around 200 certificates on the device. That may be contributing to the delay.
So now the question is whether this is a known issue.
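To illustrate what that tls-verify line actually does, here is an added example written for this thread; it is not pfSense's ovpn_auth_verify script and not code from anyone in the thread. OpenVPN runs a tls-verify hook synchronously inside its own process, once per certificate in the peer's chain, appending the chain depth and the X.509 subject as the last two arguments, and a non-zero exit rejects the handshake. Every millisecond the hook spends (a PHP interpreter start, a scan of a large certificate store) is time during which that OpenVPN instance forwards no packets for any tunnel, which is consistent with the stall described above. The script path and the "max depth" argument in the config comment are assumptions. A hook that only enforces chain depth needs no PHP at all:

```sh
#!/bin/sh
# Added example, not pfSense code: a tls-verify hook that enforces a maximum
# certificate chain depth without spawning PHP.
#
# Assumed server.conf line (the path is hypothetical):
#   tls-verify "/usr/local/etc/openvpn/depth_check.sh 1"
# OpenVPN appends two arguments on every call, so the hook sees
#   $1 = maximum allowed depth (from the config line)
#   $2 = depth of the certificate being verified (0 = the peer's leaf cert)
#   $3 = X.509 subject of that certificate
# It is called once per certificate in the chain, root first, and runs
# synchronously inside the OpenVPN process. Exit 0 accepts, non-zero rejects.

# tls_verify_depth MAX_DEPTH DEPTH SUBJECT -> 0 accept, 1 reject
tls_verify_depth() {
    tvd_max="$1"; tvd_depth="$2"; tvd_subject="$3"
    # Reject anything that is not a non-negative integer before comparing.
    case "$tvd_depth" in
        ''|*[!0-9]*)
            echo "tls-verify: malformed depth '$tvd_depth' for '$tvd_subject'" >&2
            return 1 ;;
    esac
    if [ "$tvd_depth" -gt "$tvd_max" ]; then
        echo "tls-verify: depth $tvd_depth exceeds limit $tvd_max for '$tvd_subject'" >&2
        return 1
    fi
    return 0
}

# verify_chain MAX_DEPTH "DEPTH:SUBJECT" ... -> 0 only if every certificate
# passes. This mimics OpenVPN walking the chain and calling the hook per
# certificate: a slow hook costs (chain length) x (hook runtime) per new
# connection, and all tunnels on that server instance wait while it runs.
verify_chain() {
    vc_max="$1"; shift
    for vc_entry in "$@"; do
        tls_verify_depth "$vc_max" "${vc_entry%%:*}" "${vc_entry#*:}" || return 1
    done
    return 0
}

# Entry point when OpenVPN invokes this file as the hook (three arguments).
if [ "$#" -eq 3 ]; then
    tls_verify_depth "$1" "$2" "$3"
    exit $?
fi
```

Note that "Do Not Check" removes the tls-verify line altogether, so OpenVPN then accepts any certificate that validates against the configured CA regardless of chain depth; the depth limit is the check being traded for responsiveness, which is worth keeping in mind if the workaround is left in place.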
-
I'm not an OpenVPN guru, but from my understanding there was a significant software version bump in OpenVPN with the release of pfSense-2.5.0 and up. I believe this was mainly due to the change from FreeBSD-11 to FreeBSD-12 in the underlying OS.
So it would not be unexpected for some things to have changed in the way OpenVPN behaves. And there very well might be a bug. You can check the pfSense Redmine Bug Reporting site here: https://redmine.pfsense.org/projects/pfsense. If you don't see an existing bug report that matches your problem, you can submit one.
-
@bmeeks Thanks for the response. I think I will wait and try again in the next version. I have already opened a support ticket, so they know about this issue. I don't think there is an existing ticket yet, though. But I am not sure if it can be reproduced with the information I can provide, so...
-
I now applied the patch from:
https://redmine.pfsense.org/issues/11829
and it seemed to help.