OpenVPN Site-to-Site Client says down but is working

phil.davis

This seems similar to http://forum.pfsense.org/index.php/topic,59393.0.html - so I thought it was worth logging this. I suspect it is a "feature" of OpenVPN rather than pfSense.
2.1-BETA1 (i386)
built on Sun Feb 24 15:44:36 EST 2013
Peer-to-Peer SSL/TLS OpenVPN link.
At the client end, there is no link status available (1st screen shot).
At the server end, it says there is a connection (2nd screen shot).
Status->Services shows everything running (3rd screenshot).
The client OpenVPN process is running (client2 has the issue, client3 is to another site and the status is working):

[2.1-BETA1][admin@xxx]/root(1): ps ax | grep openvpn
42529  ??  Ss     1:43.36 /usr/local/sbin/openvpn --config /var/etc/openvpn/client3.conf
42567  ??  Ss     1:08.49 /usr/local/sbin/openvpn --config /var/etc/openvpn/client2.conf
96530   0  RV     0:00.00 grep openvpn (tcsh)

The OpenVPN logs for process 42567 (with public IPs neutralised) are:

Feb 25 18:29:00 	openvpn[42567]: UDPv4 link local (bound): [AF_INET]11.22.33.44
Feb 25 18:29:00 	openvpn[42567]: UDPv4 link remote: [AF_INET]55.66.77.88:5555
Feb 25 18:29:03 	openvpn[42567]: [INFN-IBP-S2S-Server] Peer Connection Initiated with [AF_INET]55.66.77.88:5555
Feb 25 18:29:06 	openvpn[42567]: TUN/TAP device ovpnc2 exists previously, keep at program end
Feb 25 18:29:06 	openvpn[42567]: TUN/TAP device /dev/tun2 opened
Feb 25 18:29:06 	openvpn[42567]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Feb 25 18:29:06 	openvpn[42567]: /sbin/ifconfig ovpnc2 10.49.252.14 10.49.252.13 mtu 1500 netmask 255.255.255.255 up
Feb 25 18:29:06 	openvpn[42567]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1557 10.49.252.14 10.49.252.13 init
Feb 25 18:29:06 	openvpn[42567]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Feb 25 18:29:06 	openvpn[42567]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Feb 25 18:29:06 	openvpn[42567]: Initialization Sequence Completed
Feb 25 19:21:32 	openvpn[42529]: [INFN-ICO-S2S-SERVER] Inactivity timeout (--ping-restart), restarting
Feb 26 14:31:43 	openvpn[42567]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 26 14:31:43 	openvpn[42567]: TLS Error: TLS handshake failed
Feb 26 14:32:57 	openvpn[42567]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 26 14:32:57 	openvpn[42567]: TLS Error: TLS handshake failed
Feb 26 14:34:00 	openvpn[42567]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 26 14:34:00 	openvpn[42567]: TLS Error: TLS handshake failed

The OpenVPN link is definitely working. I am at the server site, and am accessing the WebGUI and using ssh to gather these screenshots etc. I guess some side-effect of those TLS error messages is that the OpenVPN client management port stops talking, so no status is received.
I see this every now and then - it has no user effects. Restarting the client service gets the status reporting back.