OpenVPN Site-to-Site Client says down but is working
This seems similar to http://forum.pfsense.org/index.php/topic,59393.0.html - so I thought it was worth logging this. I suspect it is a "feature" of OpenVPN rather than pfSense.
2.1-BETA1 (i386)
built on Sun Feb 24 15:44:36 EST 2013
Peer-to-Peer SSL/TLS OpenVPN link.
At the client end, there is no link status available (1st screenshot).
At the server end, it says there is a connection (2nd screenshot).
Status->Services shows everything running (3rd screenshot).
The client OpenVPN process is running (client2 has the issue, client3 is to another site and the status is working):
[2.1-BETA1][admin@xxx]/root(1): ps ax | grep openvpn
42529 ?? Ss 1:43.36 /usr/local/sbin/openvpn --config /var/etc/openvpn/client3.conf
42567 ?? Ss 1:08.49 /usr/local/sbin/openvpn --config /var/etc/openvpn/client2.conf
96530 0 RV 0:00.00 grep openvpn (tcsh)
The OpenVPN logs for process 42567 (with public IPs neutralised) are:
Feb 25 18:29:00 openvpn[42567]: UDPv4 link local (bound): [AF_INET]11.22.33.44
Feb 25 18:29:00 openvpn[42567]: UDPv4 link remote: [AF_INET]55.66.77.88:5555
Feb 25 18:29:03 openvpn[42567]: [INFN-IBP-S2S-Server] Peer Connection Initiated with [AF_INET]55.66.77.88:5555
Feb 25 18:29:06 openvpn[42567]: TUN/TAP device ovpnc2 exists previously, keep at program end
Feb 25 18:29:06 openvpn[42567]: TUN/TAP device /dev/tun2 opened
Feb 25 18:29:06 openvpn[42567]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Feb 25 18:29:06 openvpn[42567]: /sbin/ifconfig ovpnc2 10.49.252.14 10.49.252.13 mtu 1500 netmask 255.255.255.255 up
Feb 25 18:29:06 openvpn[42567]: /usr/local/sbin/ovpn-linkup ovpnc2 1500 1557 10.49.252.14 10.49.252.13 init
Feb 25 18:29:06 openvpn[42567]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Feb 25 18:29:06 openvpn[42567]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Feb 25 18:29:06 openvpn[42567]: Initialization Sequence Completed
Feb 25 19:21:32 openvpn[42529]: [INFN-ICO-S2S-SERVER] Inactivity timeout (--ping-restart), restarting
Feb 26 14:31:43 openvpn[42567]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 26 14:31:43 openvpn[42567]: TLS Error: TLS handshake failed
Feb 26 14:32:57 openvpn[42567]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 26 14:32:57 openvpn[42567]: TLS Error: TLS handshake failed
Feb 26 14:34:00 openvpn[42567]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 26 14:34:00 openvpn[42567]: TLS Error: TLS handshake failed
The OpenVPN link is definitely working. I am at the server site, and am accessing the WebGUI and using ssh to gather these screenshots etc. I guess some side-effect of those TLS error messages is that the OpenVPN client management port stops talking, so no status is received.
I see this every now and then - it has no user effects. Restarting the client service gets the status reporting back.