Netgate Discussion Forum

    OpenVPN Site-to-Site Client says down but is working

    2.1 Snapshot Feedback and Problems - RETIRED
      phil.davis

      This seems similar to http://forum.pfsense.org/index.php/topic,59393.0.html - so I thought it was worth logging this. I suspect it is a "feature" of OpenVPN rather than pfSense.
      2.1-BETA1 (i386)
      built on Sun Feb 24 15:44:36 EST 2013
      Peer-to-Peer SSL/TLS OpenVPN link.
      At the client end, there is no link status available (1st screenshot).
      At the server end, it says there is a connection (2nd screenshot).
      Status->Services shows everything running (3rd screenshot).
      The client OpenVPN process is running (client2 has the issue, client3 is to another site and the status is working):

      [2.1-BETA1][admin@xxx]/root(1): ps ax | grep openvpn
      42529  ??  Ss     1:43.36 /usr/local/sbin/openvpn --config /var/etc/openvpn/client3.conf
      42567  ??  Ss     1:08.49 /usr/local/sbin/openvpn --config /var/etc/openvpn/client2.conf
      96530   0  RV     0:00.00 grep openvpn (tcsh)
      
      

      The OpenVPN logs for process 42567 (with public IPs neutralised) are:

      Feb 25 18:29:00 	openvpn[42567]: UDPv4 link local (bound): [AF_INET]11.22.33.44
      Feb 25 18:29:00 	openvpn[42567]: UDPv4 link remote: [AF_INET]55.66.77.88:5555
      Feb 25 18:29:03 	openvpn[42567]: [INFN-IBP-S2S-Server] Peer Connection Initiated with [AF_INET]55.66.77.88:5555
      Feb 25 18:29:06 	openvpn[42567]: TUN/TAP device ovpnc2 exists previously, keep at program end
      Feb 25 18:29:06 	openvpn[42567]: TUN/TAP device /dev/tun2 opened
      Feb 25 18:29:06 	openvpn[42567]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
      Feb 25 18:29:06 	openvpn[42567]: /sbin/ifconfig ovpnc2 10.49.252.14 10.49.252.13 mtu 1500 netmask 255.255.255.255 up
      Feb 25 18:29:06 	openvpn[42567]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1557 10.49.252.14 10.49.252.13 init
      Feb 25 18:29:06 	openvpn[42567]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
      Feb 25 18:29:06 	openvpn[42567]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
      Feb 25 18:29:06 	openvpn[42567]: Initialization Sequence Completed
      Feb 25 19:21:32 	openvpn[42529]: [INFN-ICO-S2S-SERVER] Inactivity timeout (--ping-restart), restarting
      Feb 26 14:31:43 	openvpn[42567]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Feb 26 14:31:43 	openvpn[42567]: TLS Error: TLS handshake failed
      Feb 26 14:32:57 	openvpn[42567]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Feb 26 14:32:57 	openvpn[42567]: TLS Error: TLS handshake failed
      Feb 26 14:34:00 	openvpn[42567]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Feb 26 14:34:00 	openvpn[42567]: TLS Error: TLS handshake failed
      
      

      The OpenVPN link is definitely working. I am at the server site, and am accessing the WebGUI and using ssh to gather these screenshots etc. I guess some side-effect of those TLS error messages is that the OpenVPN client management port stops talking, so no status is received.
      I see this every now and then - it has no user effects. Restarting the client service gets the status reporting back.
      OpenVPN-Client-Down.png
      OpenVPN-Client-Down-03.png
      OpenVPN-Client-Down-02.png

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
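
Added example (not part of the original post, and not pfSense or OpenVPN project code): a check that keeps "process running" separate from "management interface answering", the two things that disagree in the report above. It uses the OpenVPN management `state` command; the socket path mentioned in the docstring is an assumption and the sample reply is constructed.

```python
import socket

def connect_unix(path, timeout=2.0):
    """Open the socket named on the client config's `management` line
    (assumed here to be something like /var/etc/openvpn/client2.sock)."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    s.connect(path)
    return s

def query_state(sock, timeout=2.0):
    """Send `state`; return the state name (e.g. 'CONNECTED'), or None when
    the interface does not finish a reply within `timeout` seconds."""
    sock.settimeout(timeout)
    buf = b""
    try:
        sock.sendall(b"state\n")
        while not any(l.strip() == b"END" for l in buf.splitlines()):
            chunk = sock.recv(4096)
            if not chunk:
                return None          # peer closed without answering
            buf += chunk
    except OSError:                  # includes socket.timeout
        return None
    state = None
    for line in buf.decode("ascii", "replace").splitlines():
        fields = line.strip().split(",")
        if len(fields) >= 2 and fields[0].isdigit():
            state = fields[1]        # reply lines: <unix time>,<state>,...
    return state

def tunnel_status(process_running, mgmt_state):
    """Combine `ps` evidence with the management interface's answer."""
    if not process_running:
        return "down"
    if mgmt_state is None:
        return "running, status unknown"   # the situation reported above
    return "up" if mgmt_state == "CONNECTED" else "running, " + mgmt_state

if __name__ == "__main__":
    # Constructed reply; a socketpair stands in for the real management socket.
    ours, theirs = socket.socketpair()
    theirs.sendall(b">INFO:OpenVPN Management Interface Version 1\r\n"
                   b"1361816946,CONNECTED,SUCCESS,10.49.252.14,55.66.77.88\r\nEND\r\n")
    print(tunnel_status(True, query_state(ours)))         # healthy client
    quiet, _peer = socket.socketpair()
    print(tunnel_status(True, query_state(quiet, 0.2)))   # silent interface
```

A monitor built this way reports a silent management socket as "status unknown" rather than "down", so it does not contradict a tunnel that is still passing traffic.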

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.