OpenVPN connection will not reconnect until pfsense reboot
I followed the directions from the sticky "How to create an OpenVPN client to StrongVPN" and have successfully set up two separate OpenVPN clients to two different StrongVPN accounts, and routed only certain clients on my LAN through each VPN using rules in the Firewall under LAN.

Everything works fine except that if either VPN connection goes down (every few days or so), pfSense does not reconnect to it and the connection stays down until I reboot. Only a reboot will reconnect to StrongVPN once there is a disconnect. If I try to stop and restart the OpenVPN client service, not only does it not reconnect, but the other OpenVPN clients also disconnect and will not reconnect until a reboot. I'm not sure if this is a bug in pfSense or if I have something wrong with my configuration. Any help would be greatly appreciated.

I'm on the nanobsd (4g) 2.0-RC1 (i386) build from Sat Feb 26 (1633). I have tried a more recent build (March 9, 2011 - 1850) with the same results.

My setup and logs are as follows:
Firewall: NAT: Outbound looks like this (set to Manual Outbound NAT rule generation):

Interface    Source             Src Port  Destination  Dst Port  NAT Address  NAT Port  Static Port  Description
WAN          192.168.78.0/24    *         *            500       *            *         YES          Auto created rule for ISAKMP - LAN to WAN
WAN          192.168.78.0/24    *         *            *         *            *         NO           Auto created rule for LAN to WAN
WAN          192.168.80.240/28  *         *            *         *            *         NO           Auto created rule for PPTP server
WAN          192.168.79.0/24    *         *            500       *            *         YES          Auto created rule for ISAKMP - DMZ to WAN
WAN          192.168.79.0/24    *         *            *         *            *         NO           Auto created rule for DMZ to WAN
WAN          192.168.80.240/28  *         *            *         *            *         NO           Auto created rule for PPTP server
STRONGVPNUSA 192.168.78.0/24    *         *            *         *            *         NO           LAN -> StrongVPNUSA
STRONGVPNHK  192.168.78.0/24    *         *            *         *            *         NO           LAN -> StrongVPNHK

Status: OpenVPN looks like this after one of the clients disconnects:
Name                   Status  Connected Since         Virtual Addr  Remote Host
StongVPNUSA TCP:50211  up      Fri Apr 8 2:37:36 2011  10.xx.xx.78   207.xx.xx.12
StrongVPNHK TCP:50160  down

Status: Gateways looks like this after one of the clients disconnects:
Name          Gateway       Monitor      Status            Description
STRONGVPNUSA  10.xx.xx.78   8.8.8.8      Warning, Latency  Interface STRONGVPNUSA Dynamic Gateway
STRONGVPNHK   10.xx.xx.110  8.8.4.4      Offline           Interface STRONGVPNHK Dynamic Gateway
WAN           119.xx.xx.1   119.xx.xx.1  Online            Interface WAN Dynamic Gateway

Gateways looks like this:
Name           Interface     Gateway       Monitor IP   Description
STRONGVPNUSA   STRONGVPNUSA  10.xx.xx.78   8.8.8.8      Interface STRONGVPNUSA Dynamic Gateway
STRONGVPNHK    STRONGVPNHK   10.xx.xx.110  8.8.4.4      Interface STRONGVPNHK Dynamic Gateway
WAN (default)  WAN           119.xx.xx.1   119.xx.xx.1  Interface WAN Dynamic Gateway

System Logs: OpenVPN looks like this after a disconnect:
Apr 9 20:53:22 openvpn[59008]: NOTE: --mute triggered...
Apr 9 20:53:17 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
Apr 9 20:53:12 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation timed out
Apr 9 20:52:57 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
Apr 9 20:52:52 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
Apr 9 20:52:47 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
Apr 9 20:52:42 openvpn[59008]: MANAGEMENT: Client disconnected
Apr 9 20:52:42 openvpn[59008]: MANAGEMENT: CMD 'state 1'
Apr 9 20:52:42 openvpn[59008]: MANAGEMENT: Client connected from /var/etc/openvpn/client3.sock
Apr 9 20:52:42 openvpn[59008]: 110 variation(s) on previous 5 message(s) suppressed by --mute
Apr 9 20:52:42 openvpn[6373]: MANAGEMENT: Client disconnected
Apr 9 20:52:42 openvpn[6373]: MANAGEMENT: CMD 'status 2'
Apr 9 20:52:42 openvpn[6373]: MANAGEMENT: CMD 'state 1'
Apr 9 20:52:42 openvpn[6373]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Apr 9 20:52:42 openvpn[6373]: 3 variation(s) on previous 5 message(s) suppressed by --mute
Apr 9 20:41:04 openvpn[59008]: NOTE: --mute triggered...
Apr 9 20:40:59 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
Apr 9 20:40:55 openvpn[6373]: NOTE: --mute triggered...
Apr 9 20:40:55 openvpn[6373]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 9 20:40:55 openvpn[6373]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 9 20:40:54 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
Apr 9 20:40:52 openvpn[6373]: VERIFY OK: depth=0, /C=US/ST=NA/O=reliablehosting.com/CN=ovpn137/emailAddress=techies@reliablehosting.com
Apr 9 20:40:52 openvpn[6373]: VERIFY OK: depth=1, /C=US/ST=NA/L=San-Francisco/O=reliablehosting.com/CN=ovpn137/emailAddress=techies@reliablehosting.com
Apr 9 20:40:49 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
Apr 9 20:40:46 openvpn[6373]: TLS: tls_process: killed expiring key
Apr 9 20:40:44 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation timed out
Apr 9 20:40:28 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
Apr 9 20:40:24 openvpn[59008]: MANAGEMENT: Client disconnected
Apr 9 20:40:24 openvpn[59008]: MANAGEMENT: CMD 'state 1'
Apr 9 20:40:24 openvpn[59008]: MANAGEMENT: Client connected from /var/etc/openvpn/client3.sock
Apr 9 20:40:24 openvpn[59008]: 1565 variation(s) on previous 5 message(s) suppressed by --mute
Apr 9 20:40:24 openvpn[6373]: MANAGEMENT: Client disconnected
Apr 9 20:40:24 openvpn[6373]: MANAGEMENT: CMD 'status 2'
Apr 9 20:40:24 openvpn[6373]: MANAGEMENT: CMD 'state 1'
Apr 9 20:40:24 openvpn[6373]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Apr 9 20:40:24 openvpn[6373]: 257 variation(s) on previous 5 message(s) suppressed by --mute
Apr 9 17:53:36 openvpn[59008]: NOTE: --mute triggered...
Apr 9 17:53:31 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation timed out
Apr 9 17:53:16 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Address already in use
Apr 9 17:53:11 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Address already in use
Apr 9 17:53:06 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Address already in use
Apr 9 17:53:01 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Address already in use
Apr 9 17:53:01 openvpn[59008]: Attempting to establish TCP connection with [AF_INET]119.xx.xx.143:443 [nonblock]
Apr 9 17:53:01 openvpn[59008]: Expected Remote Options hash (VER=V4): 'c413e92e'
Apr 9 17:53:01 openvpn[59008]: Local Options hash (VER=V4): 'd8421bb0'
Apr 9 17:53:01 openvpn[59008]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Apr 9 17:53:01 openvpn[59008]: Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Apr 9 17:53:01 openvpn[59008]: Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Apr 9 17:53:01 openvpn[59008]: Socket Buffers: R=[65228->65536] S=[65228->65536]
Apr 9 17:53:01 openvpn[59008]: Control Channel MTU parms [ L:1543 D:168 EF:68 EB:0 ET:0 EL:0 ]
Apr 9 17:53:01 openvpn[59008]: Re-using SSL/TLS context
Apr 9 17:53:01 openvpn[59008]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 9 17:53:01 openvpn[59008]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Apr 9 17:52:56 openvpn[59008]: Restart pause, 5 second(s)
Apr 9 17:52:56 openvpn[59008]: SIGUSR1[soft,ping-restart] received, process restarting
Apr 9 17:52:56 openvpn[59008]: TCP/UDP: Closing socket
Apr 9 17:52:56 openvpn[59008]: [ovpn013] Inactivity timeout (--ping-restart), restarting
Apr 9 17:52:56 openvpn[59008]: 243 variation(s) on previous 5 message(s) suppressed by --mute
Apr 8 13:38:28 openvpn[6373]: NOTE: --mute triggered...
Apr 8 13:38:28 openvpn[6373]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 8 13:38:28 openvpn[6373]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 8 13:38:25 openvpn[6373]: VERIFY OK: depth=0, /C=US/ST=NA/O=reliablehosting.com/CN=ovpn137/emailAddress=techies@reliablehosting.com
Apr 8 13:38:25 openvpn[6373]: VERIFY OK: depth=1, /C=US/ST=NA/L=San-Francisco/O=reliablehosting.com/CN=ovpn137/emailAddress=techies@reliablehosting.com
Apr 8 13:38:18 openvpn[6373]: TLS: tls_process: killed expiring key
Apr 8 13:28:17 openvpn[59008]: NOTE: --mute triggered...
Apr 8 13:28:17 openvpn[59008]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 8 13:28:15 openvpn[59008]: VERIFY OK: depth=0, /C=US/ST=NA/O=oakweb.com/CN=ovpn013/emailAddress=techies@reliablehosting.com
Apr 8 13:28:15 openvpn[59008]: VERIFY OK: depth=1, /C=US/ST=NA/L=San-Francisco/O=oakweb.com/CN=ovpn013/emailAddress=techies@reliablehosting.com
Apr 8 13:28:15 openvpn[59008]: TLS: soft reset sec=0 bytes=1585391391/0 pkts=2081654/0
Apr 8 13:28:14 openvpn[59008]: TLS: tls_process: killed expiring key
Apr 8 13:25:18 openvpn[59008]: MANAGEMENT: Client disconnected
Apr 8 13:25:18 openvpn[59008]: MANAGEMENT: CMD 'status 2'
Apr 8 13:25:18 openvpn[59008]: MANAGEMENT: CMD 'state 1'
Apr 8 13:25:18 openvpn[59008]: MANAGEMENT: Client connected from /var/etc/openvpn/client3.sock
Apr 8 13:25:18 openvpn[59008]: 69 variation(s) on previous 5 message(s) suppressed by --mute
Apr 8 13:25:18 openvpn[6373]: MANAGEMENT: Client disconnected
Apr 8 13:25:18 openvpn[6373]: MANAGEMENT: CMD 'status 2'
Apr 8 13:25:18 openvpn[6373]: MANAGEMENT: CMD 'state 1'
Apr 8 13:25:18 openvpn[6373]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Apr 8 13:25:18 openvpn[6373]: 80 variation(s) on previous 5 message(s) suppressed by --mute
Apr 8 04:28:06 openvpn[59008]: NOTE: --mute triggered...
Apr 8 04:28:06 openvpn[59008]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 8 04:28:06 openvpn[59008]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 8 04:28:06 openvpn[59008]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 8 04:28:06 openvpn[59008]: VERIFY OK: depth=0, /C=US/ST=NA/O=oakweb.com/CN=ovpn013/emailAddress=techies@reliablehosting.com
Apr 8 04:28:06 openvpn[59008]: VERIFY OK: depth=1, /C=US/ST=NA/L=San-Francisco/O=oakweb.com/CN=ovpn013/emailAddress=techies@reliablehosting.com
Apr 8 03:37:40 openvpn[6373]: NOTE: --mute triggered...
Apr 8 03:37:40 openvpn[6373]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 8 03:37:40 openvpn[6373]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 8 03:37:36 openvpn[6373]: VERIFY OK: depth=0, /C=US/ST=NA/O=reliablehosting.com/CN=ovpn137/emailAddress=techies@reliablehosting.com
Apr 8 03:37:36 openvpn[6373]: VERIFY OK: depth=1, /C=US/ST=NA/L=San-Francisco/O=reliablehosting.com/CN=ovpn137/emailAddress=techies@reliablehosting.com
Apr 8 03:37:34 openvpn[6373]: TLS: soft reset sec=0 bytes=767246/0 pkts=7534/0
Apr 8 03:28:08 openvpn[59008]: Initialization Sequence Completed
Apr 8 03:28:08 openvpn[59008]: Preserving previous TUN/TAP instance: ovpnc3
Apr 8 03:28:08 openvpn[59008]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 8 03:28:08 openvpn[59008]: OPTIONS IMPORT: route-related options modified
Apr 8 03:28:08 openvpn[59008]: OPTIONS IMPORT: route options modified
Apr 8 03:28:08 openvpn[59008]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 8 03:28:08 openvpn[59008]: NOTE: setsockopt TCP_NODELAY=1 failed (No kernel support)
Apr 8 03:28:08 openvpn[59008]: OPTIONS IMPORT: --socket-flags option modified
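As an added example (not part of the original post and not pfSense or OpenVPN code), the following Python script turns a log like the one above into per-instance findings: it parses the pfSense OpenVPN syslog format, replays the lines in chronological order (pfSense displays them newest first), tracks each openvpn[PID] through a small state machine, and reports which instance is stuck in a TCP connect-retry loop, which errno strings it is hitting (EPERM "Operation not permitted", EADDRINUSE "Address already in use", ETIMEDOUT), how many ping-restarts it went through, and whether the "No server certificate verification method has been enabled" warning was logged. The sample lines are copied from the post; the PIDs and the masked remote address are as the log shows them. The state heuristics (a "Data Channel Encrypt: Cipher ..." line or "Initialization Sequence Completed" counts as up, a SIGUSR1 line counts as a restart) are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied from the pfSense OpenVPN log in the post
# (two client instances, PIDs 59008 and 6373), newest first as pfSense shows them.
SAMPLE_LOG = """\
Apr 9 20:53:17 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation not permitted
Apr 9 20:53:12 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Operation timed out
Apr 9 20:40:55 openvpn[6373]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 9 20:40:52 openvpn[6373]: VERIFY OK: depth=0, /C=US/ST=NA/O=reliablehosting.com/CN=ovpn137/emailAddress=techies@reliablehosting.com
Apr 9 17:53:16 openvpn[59008]: TCP: connect to [AF_INET]119.xx.xx.143:443 failed, will try again in 5 seconds: Address already in use
Apr 9 17:53:01 openvpn[59008]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Apr 9 17:52:56 openvpn[59008]: SIGUSR1[soft,ping-restart] received, process restarting
Apr 9 17:52:56 openvpn[59008]: [ovpn013] Inactivity timeout (--ping-restart), restarting
Apr 8 03:28:08 openvpn[59008]: Initialization Sequence Completed
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"openvpn\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
CONNECT_FAIL_RE = re.compile(
    r"^TCP: connect to \[AF_INET\](?P<remote>\S+) failed, will try again in \d+ seconds?: (?P<err>.+)$")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_line(line):
    """Return (sort_key, pid, message) for one pfSense OpenVPN log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key = (MONTHS[m["mon"]], int(m["day"]), m["time"])  # syslog carries no year; assume one year
    return key, int(m["pid"]), m["msg"]


def new_instance():
    return {"state": "unknown", "remote": None, "restarts": 0,
            "connect_errors": Counter(), "warnings": []}


def summarize(log_text):
    """Replay the log oldest-first and keep a small state record per openvpn[PID]."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort()  # pfSense displays newest first; chronological replay gives the final state
    inst = defaultdict(new_instance)
    for _key, pid, msg in events:
        s = inst[pid]
        fail = CONNECT_FAIL_RE.match(msg)
        if fail:
            # Every failed connect() keeps the instance in its retry loop; the errno text
            # says why (EPERM = blocked locally, e.g. by pf; EADDRINUSE = the previous
            # socket on the fixed local port is still lingering; ETIMEDOUT = no answer).
            s["state"] = "reconnecting"
            s["remote"] = fail["remote"]
            s["connect_errors"][fail["err"]] += 1
        elif msg == "Initialization Sequence Completed" or msg.startswith("Data Channel Encrypt: Cipher"):
            s["state"] = "up"  # heuristic: data channel keyed, on initial connect or TLS renegotiation
        elif msg.startswith("SIGUSR1"):
            s["state"] = "restarting"  # ping-restart: OpenVPN tears the socket down and retries
            s["restarts"] += 1
        elif msg.startswith("WARNING: No server certificate verification"):
            # Security finding: without ns-cert-type/remote-cert-tls (or a CN check) the client
            # accepts any certificate issued by the CA, so any cert from that CA can impersonate the server.
            s["warnings"].append("no-server-cert-verification")
    return dict(inst)


def stuck_instances(summary, min_failures=2):
    """PIDs whose last observed state is a connect-retry loop with at least min_failures attempts."""
    return sorted(pid for pid, s in summary.items()
                  if s["state"] == "reconnecting" and sum(s["connect_errors"].values()) >= min_failures)


def findings(summary):
    """Human-readable lines an operator or an alert rule would act on."""
    out = []
    for pid, s in sorted(summary.items()):
        if s["state"] == "reconnecting":
            errs = ", ".join(f"{e} x{n}" for e, n in s["connect_errors"].most_common())
            out.append(f"openvpn[{pid}]: stuck reconnecting to {s['remote']} ({errs})")
        for w in s["warnings"]:
            out.append(f"openvpn[{pid}]: security warning {w}")
    return out


if __name__ == "__main__":
    for line in findings(summarize(SAMPLE_LOG)):
        print(line)
```

Feeding the real log in (on a pfSense box the circular log is read with clog /var/log/openvpn.log) gives one line per stuck instance with the errno breakdown, which is the first thing to look at here: "Address already in use" right after the ping-restart means the new connect() could not take the same local port the old socket still held, and the later "Operation not permitted" means the outbound connect is being refused locally rather than by the remote end. The cert-verification warning is reported separately because it is a configuration weakness independent of the reconnect problem.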