TLS Error: Unroutable control packet received from [AF_INET] with UDP and Mikrotik
-
Hello,
I have upgraded pfSense from 2.6.0 to pfSense 2.7.2.
The new OpenVPN version is 2.6.8.
I am having a bizarre issue - getting this in the logs: TLS Error: Unroutable control packet received from [AF_INET]
Clients connect but stay as UNDEF. The issue happens when the following are true:
- Proto is UDP
- I have killed/restarted the daemon (client does not know)
- Clients are RouterOS 7.X (7.14, 7.15, 7.16), although with OpenWRT I saw it for a few seconds and it fixed itself.
Playing around with ping interval and ping timeout solves it to some extent, but I am afraid to test at large scale as it might break the connection for some remote branches. I believe people here talk about the same thing:
https://forum.mikrotik.com/viewtopic.php?t=197500
With these ping settings (not tested at large scale):
Inactive: 0
Ping method: keepalive
Interval: 5
Timeout: 10
Exit Notify: Reconnect to this server
I manage to reconnect the branches in 2-3 minutes. With other settings I was going into an endless reconnect loop.
My whole feeling is that Mikrotik does not understand that the old connection is gone – it stays “connected”, while the connection is gone.
Switching from UDP to TCP makes the whole issue go away – reconnect is done in a second.
Please give me some hints:
A) Maybe the issue was there before, just the new pfSense is more verbose?
B) The endless loop came from the upgrade. It will not happen again?
C) I should simply switch to TCP
I should play with timeouts. They were problematic before, but in pfSense 2.6 setting “Inactive: 0” worked well
D) Any other ideas and hints
Thank you
-
@peterzy I have the same issue, did you find a solution?
Where and how did you configure those ping settings? Thank you!
-
@nmenoni The only truly working solution is to switch to TCP. Nothing really worked well on UDP. I have been running it on TCP for 5 months, it is very stable, but it needs to be TCP. :-)
-
@peterzy thank you for your reply.
In my case all the Mikrotik client devices are in a rural area, so maybe I can make the current VPN work using UDP (this is the current config) and once I get access to the device I can change the config to TCP. If the device could get connected for a couple of hours, for me that's enough.
In this regard, could you please share the details about changing the PING settings so maybe I can get them connected temporarily. Thank you!