OpenVPN Site-to-Site Client says down but is working



  • This seems similar to http://forum.pfsense.org/index.php/topic,59393.0.html - so I thought it was worth logging this. I suspect it is a "feature" of OpenVPN rather than pfSense.
    2.1-BETA1 (i386)
    built on Sun Feb 24 15:44:36 EST 2013
    Peer-to-Peer SSL/TLS OpenVPN link.
    At the client end, there is no link status available (1st screen shot).
    At the server end, it says there is a connection (2nd screen shot).
    Status->Services shows everything running (3rd screenshot).
    The client OpenVPN process is running (client2 has the issue, client3 is to another site and the status is working):

    [2.1-BETA1][admin@xxx]/root(1): ps ax | grep openvpn
    42529  ??  Ss     1:43.36 /usr/local/sbin/openvpn --config /var/etc/openvpn/client3.conf
    42567  ??  Ss     1:08.49 /usr/local/sbin/openvpn --config /var/etc/openvpn/client2.conf
    96530   0  RV     0:00.00 grep openvpn (tcsh)
    
    

    The OpenVPN logs for process 42567 (with public IPs neutralised) are:

    Feb 25 18:29:00 	openvpn[42567]: UDPv4 link local (bound): [AF_INET]11.22.33.44
    Feb 25 18:29:00 	openvpn[42567]: UDPv4 link remote: [AF_INET]55.66.77.88:5555
    Feb 25 18:29:03 	openvpn[42567]: [INFN-IBP-S2S-Server] Peer Connection Initiated with [AF_INET]55.66.77.88:5555
    Feb 25 18:29:06 	openvpn[42567]: TUN/TAP device ovpnc2 exists previously, keep at program end
    Feb 25 18:29:06 	openvpn[42567]: TUN/TAP device /dev/tun2 opened
    Feb 25 18:29:06 	openvpn[42567]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Feb 25 18:29:06 	openvpn[42567]: /sbin/ifconfig ovpnc2 10.49.252.14 10.49.252.13 mtu 1500 netmask 255.255.255.255 up
    Feb 25 18:29:06 	openvpn[42567]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1557 10.49.252.14 10.49.252.13 init
    Feb 25 18:29:06 	openvpn[42567]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Feb 25 18:29:06 	openvpn[42567]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Feb 25 18:29:06 	openvpn[42567]: Initialization Sequence Completed
    Feb 25 19:21:32 	openvpn[42529]: [INFN-ICO-S2S-SERVER] Inactivity timeout (--ping-restart), restarting
    Feb 26 14:31:43 	openvpn[42567]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Feb 26 14:31:43 	openvpn[42567]: TLS Error: TLS handshake failed
    Feb 26 14:32:57 	openvpn[42567]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Feb 26 14:32:57 	openvpn[42567]: TLS Error: TLS handshake failed
    Feb 26 14:34:00 	openvpn[42567]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Feb 26 14:34:00 	openvpn[42567]: TLS Error: TLS handshake failed
    
    

    The OpenVPN link is definitely working. I am at the server site, and am accessing the WebGUI and using ssh to gather these screenshots etc. I guess some side-effect of those TLS error messages is that the OpenVPN client management port stops talking, so no status is received.
    I see this every now and then - it has no user effects. Restarting the client service gets the status reporting back.
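The pattern in the log above can be picked out mechanically. The following is an added example, not part of the original post and not pfSense or OpenVPN code: it groups log lines by openvpn PID and flags processes that logged TLS handshake failures after "Initialization Sequence Completed" with no restart in between. The function names are hypothetical, and the sample lines are copied from the log excerpt in the post.

```python
import re
from collections import defaultdict

# Matches syslog-style lines such as:
#   Feb 25 18:29:06  openvpn[42567]: Initialization Sequence Completed
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+openvpn\[(\d+)\]:\s+(.*)$")

def triage(lines):
    """Return per-PID state: up flag, TLS failures since up, route errors."""
    procs = defaultdict(lambda: {"up": False, "tls_fail_since_up": 0,
                                 "route_errors": 0, "last_tls_fail": None})
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an openvpn log line
        stamp, pid, msg = m.group(1), int(m.group(2)), m.group(3)
        p = procs[pid]
        if "Initialization Sequence Completed" in msg:
            p["up"], p["tls_fail_since_up"] = True, 0
        elif "restarting" in msg:  # e.g. the --ping-restart inactivity timeout
            p["up"] = False
        elif "route add command failed" in msg:
            p["route_errors"] += 1
        elif "TLS handshake failed" in msg and p["up"]:
            p["tls_fail_since_up"] += 1
            p["last_tls_fail"] = stamp
    return dict(procs)

def suspects(procs):
    """PIDs that initialised, logged no restart since, yet show TLS failures."""
    return sorted(pid for pid, p in procs.items()
                  if p["up"] and p["tls_fail_since_up"] > 0)

# Lines copied from the log excerpt in the post above.
SAMPLE = """
Feb 25 18:29:06 openvpn[42567]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Feb 25 18:29:06 openvpn[42567]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Feb 25 18:29:06 openvpn[42567]: Initialization Sequence Completed
Feb 25 19:21:32 openvpn[42529]: [INFN-ICO-S2S-SERVER] Inactivity timeout (--ping-restart), restarting
Feb 26 14:31:43 openvpn[42567]: TLS Error: TLS handshake failed
Feb 26 14:32:57 openvpn[42567]: TLS Error: TLS handshake failed
Feb 26 14:34:00 openvpn[42567]: TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    state = triage(SAMPLE.splitlines())
    for pid in suspects(state):
        print(pid, state[pid])
```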





