OpenVPN connection will not reconnect until pfSense reboot



I followed the directions from the sticky "How to create an OpenVPN client to StrongVPN" and have successfully set up two separate OpenVPN clients to two different StrongVPN accounts, and routed only certain clients on my LAN through each VPN using rules in the Firewall under LAN. Everything works fine except that if either VPN connection goes down (every few days or so), pfSense does not reconnect to it and the connection stays down until I reboot. Only a reboot will reconnect to StrongVPN once there is a disconnect. If I try to stop and restart the OpenVPN client service, not only does it not reconnect, but the other OpenVPN clients also disconnect and will not reconnect until a reboot. I'm not sure if this is a bug in pfSense or if I have something wrong with my configuration. Any help would be greatly appreciated. I'm on the nanobsd (4g) 2.0-RC1 (i386) build from Sat Feb 26 (1633). I have tried a more recent build (March 9, 2011 - 1850) with the same results. My setup and logs are as follows:

    Firewall: NAT: Outbound looks like this (set to Manual Outbound NAT rule generation):
    Interface     Source             Src port  Dest  Dest port  NAT addr  NAT port  Static port  Description
    WAN           192.168.78.0/24    *         *     500        *         *         YES          Auto created rule for ISAKMP - LAN to WAN
    WAN           192.168.78.0/24    *         *     *          *         *         NO           Auto created rule for LAN to WAN
    WAN           192.168.80.240/28  *         *     *          *         *         NO           Auto created rule for PPTP server
    WAN           192.168.79.0/24    *         *     500        *         *         YES          Auto created rule for ISAKMP - DMZ to WAN
    WAN           192.168.79.0/24    *         *     *          *         *         NO           Auto created rule for DMZ to WAN
    WAN           192.168.80.240/28  *         *     *          *         *         NO           Auto created rule for PPTP server
    STRONGVPNUSA  192.168.78.0/24    *         *     *          *         *         NO           LAN -> StrongVPNUSA
    STRONGVPNHK   192.168.78.0/24    *         *     *          *         *         NO           LAN -> StrongVPNHK

    Status: OpenVPN looks like this after one of the clients disconnects:
    StrongVPNUSA  TCP:50211  up    Fri Apr 8 2:37:36 2011  10.xx.xx.78  207.xx.xx.12
    StrongVPNHK   TCP:50160  down

    Status: Gateways looks like this after one of the clients disconnects:
    Name          Gateway       Monitor      Status            Description
    STRONGVPNUSA  10.xx.xx.78   8.8.8.8      Warning, Latency  Interface STRONGVPNUSA Dynamic Gateway
    STRONGVPNHK   10.xx.xx.110  8.8.4.4      Offline           Interface STRONGVPNHK Dynamic Gateway
    WAN           119.xx.xx.1   119.xx.xx.1  Online            Interface WAN Dynamic Gateway

    Gateways looks like this:
    Name           Interface     Gateway       Monitor      Description
    STRONGVPNUSA   STRONGVPNUSA  10.xx.xx.78   8.8.8.8      Interface STRONGVPNUSA Dynamic Gateway
    STRONGVPNHK    STRONGVPNHK   10.xx.xx.110  8.8.4.4      Interface STRONGVPNHK Dynamic Gateway
    WAN (default)  WAN           119.xx.xx.1   119.xx.xx.1  Interface WAN Dynamic Gateway

    System Logs : OpenVPN looks like this after a disconnect:
    Apr 9 20:53:22 openvpn[59008]: NOTE: --mute triggered...
    Apr 9 20:53:17 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
    Apr 9 20:53:12 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation timed out
    Apr 9 20:52:57 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
    Apr 9 20:52:52 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
    Apr 9 20:52:47 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
    Apr 9 20:52:42 openvpn[59008]: MANAGEMENT: Client disconnected
    Apr 9 20:52:42 openvpn[59008]: MANAGEMENT: CMD 'state 1'
    Apr 9 20:52:42 openvpn[59008]: MANAGEMENT: Client connected from /var/etc/openvpn/client3.sock
    Apr 9 20:52:42 openvpn[59008]: 110 variation(s) on previous 5 message(s) suppressed by --mute
    Apr 9 20:52:42 openvpn[6373]: MANAGEMENT: Client disconnected
    Apr 9 20:52:42 openvpn[6373]: MANAGEMENT: CMD 'status 2'
    Apr 9 20:52:42 openvpn[6373]: MANAGEMENT: CMD 'state 1'
    Apr 9 20:52:42 openvpn[6373]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Apr 9 20:52:42 openvpn[6373]: 3 variation(s) on previous 5 message(s) suppressed by --mute
    Apr 9 20:41:04 openvpn[59008]: NOTE: --mute triggered...
    Apr 9 20:40:59 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
    Apr 9 20:40:55 openvpn[6373]: NOTE: --mute triggered...
    Apr 9 20:40:55 openvpn[6373]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 9 20:40:55 openvpn[6373]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Apr 9 20:40:54 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
    Apr 9 20:40:52 openvpn[6373]: VERIFY OK: depth=0, /C=US/ST=NA/O=reliablehosting.com/CN=ovpn137/emailAddress=techies@reliablehosting.com
    Apr 9 20:40:52 openvpn[6373]: VERIFY OK: depth=1, /C=US/ST=NA/L=San-Francisco/O=reliablehosting.com/CN=ovpn137/emailAddress=techies@reliablehosting.com
    Apr 9 20:40:49 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
    Apr 9 20:40:46 openvpn[6373]: TLS: tls_process: killed expiring key
    Apr 9 20:40:44 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation timed out
    Apr 9 20:40:28 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
    Apr 9 20:40:24 openvpn[59008]: MANAGEMENT: Client disconnected
    Apr 9 20:40:24 openvpn[59008]: MANAGEMENT: CMD 'state 1'
    Apr 9 20:40:24 openvpn[59008]: MANAGEMENT: Client connected from /var/etc/openvpn/client3.sock
    Apr 9 20:40:24 openvpn[59008]: 1565 variation(s) on previous 5 message(s) suppressed by --mute
    Apr 9 20:40:24 openvpn[6373]: MANAGEMENT: Client disconnected
    Apr 9 20:40:24 openvpn[6373]: MANAGEMENT: CMD 'status 2'
    Apr 9 20:40:24 openvpn[6373]: MANAGEMENT: CMD 'state 1'
    Apr 9 20:40:24 openvpn[6373]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Apr 9 20:40:24 openvpn[6373]: 257 variation(s) on previous 5 message(s) suppressed by --mute
    Apr 9 17:53:36 openvpn[59008]: NOTE: --mute triggered...
    Apr 9 17:53:31 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation timed out
    Apr 9 17:53:16 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Address already in use
    Apr 9 17:53:11 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Address already in use
    Apr 9 17:53:06 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Address already in use
    Apr 9 17:53:01 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Address already in use
    Apr 9 17:53:01 openvpn[59008]: Attempting to establish TCP connection with [AF_INET]119.xx.xx.143:443 [nonblock]
    Apr 9 17:53:01 openvpn[59008]: Expected Remote Options hash (VER=V4): 'c413e92e'
    Apr 9 17:53:01 openvpn[59008]: Local Options hash (VER=V4): 'd8421bb0'
    Apr 9 17:53:01 openvpn[59008]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    Apr 9 17:53:01 openvpn[59008]: Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    Apr 9 17:53:01 openvpn[59008]: Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
    Apr 9 17:53:01 openvpn[59008]: Socket Buffers: R=[65228->65536] S=[65228->65536]
    Apr 9 17:53:01 openvpn[59008]: Control Channel MTU parms [ L:1543 D:168 EF:68 EB:0 ET:0 EL:0 ]
    Apr 9 17:53:01 openvpn[59008]: Re-using SSL/TLS context
    Apr 9 17:53:01 openvpn[59008]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 9 17:53:01 openvpn[59008]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Apr 9 17:52:56 openvpn[59008]: Restart pause, 5 second(s)
    Apr 9 17:52:56 openvpn[59008]: SIGUSR1[soft,ping-restart] received, process restarting
    Apr 9 17:52:56 openvpn[59008]: TCP/UDP: Closing socket
    Apr 9 17:52:56 openvpn[59008]: [ovpn013] Inactivity timeout (--ping-restart), restarting
    Apr 9 17:52:56 openvpn[59008]: 243 variation(s) on previous 5 message(s) suppressed by --mute
    Apr 8 13:38:28 openvpn[6373]: NOTE: --mute triggered...
    Apr 8 13:38:28 openvpn[6373]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 8 13:38:28 openvpn[6373]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Apr 8 13:38:25 openvpn[6373]: VERIFY OK: depth=0, /C=US/ST=NA/O=reliablehosting.com/CN=ovpn137/emailAddress=techies@reliablehosting.com
    Apr 8 13:38:25 openvpn[6373]: VERIFY OK: depth=1, /C=US/ST=NA/L=San-Francisco/O=reliablehosting.com/CN=ovpn137/emailAddress=techies@reliablehosting.com
    Apr 8 13:38:18 openvpn[6373]: TLS: tls_process: killed expiring key
    Apr 8 13:28:17 openvpn[59008]: NOTE: --mute triggered...
    Apr 8 13:28:17 openvpn[59008]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Apr 8 13:28:15 openvpn[59008]: VERIFY OK: depth=0, /C=US/ST=NA/O=oakweb.com/CN=ovpn013/emailAddress=techies@reliablehosting.com
    Apr 8 13:28:15 openvpn[59008]: VERIFY OK: depth=1, /C=US/ST=NA/L=San-Francisco/O=oakweb.com/CN=ovpn013/emailAddress=techies@reliablehosting.com
    Apr 8 13:28:15 openvpn[59008]: TLS: soft reset sec=0 bytes=1585391391/0 pkts=2081654/0
    Apr 8 13:28:14 openvpn[59008]: TLS: tls_process: killed expiring key
    Apr 8 13:25:18 openvpn[59008]: MANAGEMENT: Client disconnected
    Apr 8 13:25:18 openvpn[59008]: MANAGEMENT: CMD 'status 2'
    Apr 8 13:25:18 openvpn[59008]: MANAGEMENT: CMD 'state 1'
    Apr 8 13:25:18 openvpn[59008]: MANAGEMENT: Client connected from /var/etc/openvpn/client3.sock
    Apr 8 13:25:18 openvpn[59008]: 69 variation(s) on previous 5 message(s) suppressed by --mute
    Apr 8 13:25:18 openvpn[6373]: MANAGEMENT: Client disconnected
    Apr 8 13:25:18 openvpn[6373]: MANAGEMENT: CMD 'status 2'
    Apr 8 13:25:18 openvpn[6373]: MANAGEMENT: CMD 'state 1'
    Apr 8 13:25:18 openvpn[6373]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Apr 8 13:25:18 openvpn[6373]: 80 variation(s) on previous 5 message(s) suppressed by --mute
    Apr 8 04:28:06 openvpn[59008]: NOTE: --mute triggered...
    Apr 8 04:28:06 openvpn[59008]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Apr 8 04:28:06 openvpn[59008]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 8 04:28:06 openvpn[59008]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Apr 8 04:28:06 openvpn[59008]: VERIFY OK: depth=0, /C=US/ST=NA/O=oakweb.com/CN=ovpn013/emailAddress=techies@reliablehosting.com
    Apr 8 04:28:06 openvpn[59008]: VERIFY OK: depth=1, /C=US/ST=NA/L=San-Francisco/O=oakweb.com/CN=ovpn013/emailAddress=techies@reliablehosting.com
    Apr 8 03:37:40 openvpn[6373]: NOTE: --mute triggered...
    Apr 8 03:37:40 openvpn[6373]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 8 03:37:40 openvpn[6373]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Apr 8 03:37:36 openvpn[6373]: VERIFY OK: depth=0, /C=US/ST=NA/O=reliablehosting.com/CN=ovpn137/emailAddress=techies@reliablehosting.com
    Apr 8 03:37:36 openvpn[6373]: VERIFY OK: depth=1, /C=US/ST=NA/L=San-Francisco/O=reliablehosting.com/CN=ovpn137/emailAddress=techies@reliablehosting.com
    Apr 8 03:37:34 openvpn[6373]: TLS: soft reset sec=0 bytes=767246/0 pkts=7534/0
    Apr 8 03:28:08 openvpn[59008]: Initialization Sequence Completed
    Apr 8 03:28:08 openvpn[59008]: Preserving previous TUN/TAP instance: ovpnc3
    Apr 8 03:28:08 openvpn[59008]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Apr 8 03:28:08 openvpn[59008]: OPTIONS IMPORT: route-related options modified
    Apr 8 03:28:08 openvpn[59008]: OPTIONS IMPORT: route options modified
    Apr 8 03:28:08 openvpn[59008]: OPTIONS IMPORT: --ifconfig/up options modified
    Apr 8 03:28:08 openvpn[59008]: NOTE: setsockopt TCP_NODELAY=1 failed (No kernel support)
    Apr 8 03:28:08 openvpn[59008]: OPTIONS IMPORT: --socket-flags option modified
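
Added example, not part of the original post and not pfSense or OpenVPN code: a small Python script that parses the log lines posted above, puts them back into chronological order (the pfSense log viewer prints newest first) and reports, per openvpn process, the errno behind each failed TCP reconnect, whether the client verifies the server certificate at all (the WARNING line in the log says it does not), and the data-channel cipher. The year on the timestamps, the errno interpretations in ERRNO_HINTS and the summary field names are assumptions of this example, not something the post states.

```python
"""Classify OpenVPN client reconnect failures from pfSense syslog lines.

Added example (not from the post, not pfSense code): the pfSense log viewer prints
newest lines first, so the parser restores chronological order, then folds the lines
into one summary per openvpn process: current state, which errno each failed TCP
reconnect hit, whether the server certificate is verified at all, and the cipher.
"""
import re
from collections import Counter
from datetime import datetime

# Lines copied from the post above (a subset); syslog carries no year, one is assumed below.
SAMPLE_LOG = """\
Apr 9 20:53:17 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
Apr 9 20:53:12 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation timed out
Apr 9 20:52:57 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
Apr 9 20:52:52 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
Apr 9 20:52:47 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
Apr 9 20:40:55 openvpn[6373]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 9 20:40:52 openvpn[6373]: VERIFY OK: depth=0, /C=US/ST=NA/O=reliablehosting.com/CN=ovpn137/emailAddress=techies@reliablehosting.com
Apr 9 17:53:31 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation timed out
Apr 9 17:53:16 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Address already in use
Apr 9 17:53:11 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Address already in use
Apr 9 17:53:01 openvpn[59008]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Apr 9 17:52:56 openvpn[59008]: SIGUSR1[soft,ping-restart] received, process restarting
Apr 8 13:28:17 openvpn[59008]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 8 03:28:08 openvpn[59008]: Initialization Sequence Completed
"""

LINE_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<clock>\d\d:\d\d:\d\d) "
                     r"openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_FAIL_RE = re.compile(r"^TCP: connect to \[AF_INET\](?P<peer>\S+) failed, .*: (?P<err>[^:]+)$")
CIPHER_RE = re.compile(r"Cipher '(?P<cipher>[^']+)' initialized")

# General meaning of each errno for a FreeBSD OpenVPN TCP client (interpretation, not from the post).
ERRNO_HINTS = {
    "Operation not permitted": "EPERM: pf blocked the outbound SYN on this box; the remote end never saw it",
    "Address already in use": "EADDRINUSE: the client binds a fixed local port and the old socket still holds it",
    "Operation timed out": "ETIMEDOUT: the SYN left the box and nothing answered",
}

def parse(log_text, year=2011):
    """Return (timestamp, pid, message) tuples in chronological order."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m['mon']} {m['day']} {m['clock']} {year}", "%b %d %H:%M:%S %Y")
            records.append((ts, m["pid"], m["msg"]))
    records.reverse()                   # viewer order is newest first
    records.sort(key=lambda r: r[0])    # stable sort, so same-second lines keep their order
    return records

def analyze(log_text):
    """Fold the records into one summary dict per openvpn process id."""
    summary = {}
    for ts, pid, msg in parse(log_text):
        s = summary.setdefault(pid, {"state": "unknown", "peer": None, "failures": Counter(),
                                     "last_failure": None, "mitm_warning": False, "cipher": None})
        fail = CONNECT_FAIL_RE.match(msg)
        if fail:
            s["state"], s["peer"], s["last_failure"] = "reconnecting", fail["peer"], ts
            s["failures"][fail["err"]] += 1
        elif msg.startswith(("Initialization Sequence Completed", "Data Channel Encrypt")):
            s["state"] = "up"           # completed handshake or data-channel rekey: tunnel is live
        elif msg.startswith("SIGUSR1"):
            s["state"] = "restarting"
        if "No server certificate verification method" in msg:
            s["mitm_warning"] = True
        c = CIPHER_RE.search(msg)
        if c:
            s["cipher"] = c["cipher"]
    return summary

def findings(summary):
    """One diagnostic line per process, clients stuck in a reconnect loop first."""
    out = []
    for pid, s in sorted(summary.items(), key=lambda kv: kv[1]["state"] != "reconnecting"):
        parts = [f"openvpn[{pid}] state={s['state']}"]
        if s["peer"]:
            parts.append(f"peer={s['peer']}")
        for err, n in s["failures"].most_common():
            parts.append(f"{n}x '{err}' ({ERRNO_HINTS.get(err, 'unclassified errno')})")
        if s["mitm_warning"]:
            parts.append("server certificate NOT verified: whoever answers at the peer address can impersonate the server")
        if s["cipher"] == "BF-CBC":
            parts.append("data channel cipher BF-CBC (64-bit block cipher)")
        out.append("; ".join(parts))
    return out

if __name__ == "__main__":
    for line in findings(analyze(SAMPLE_LOG)):
        print(line)
```

Run against a fuller export of the OpenVPN log, the stuck client is listed first with its errno breakdown. On FreeBSD a connect() that returns EPERM means the local packet filter dropped the SYN, so those entries point at the box's own rule set rather than at the VPN provider, while EADDRINUSE on connect() only happens when the client binds a fixed local port that the previous socket still occupies.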