Inactivity timeout PFsense(OVPN Client) <> OVPN-Srv

vitafit

Dear all,

i got some strange behavior about getting an OpenVPN-Tunel working. First before i discribe my problem i will tell you what my network structure is like:
2x different physical Debian OpenVPN Server, reachable via external ip addresses (one via TAP / one via TUN).
1x Pfsense-Installation which should act as an OpenVPN client.


The pfsense has configured only one WAN-Interface, which will receive an IP-Adresse via DHCP and is able to connect external. So we do not have some basic network problems. My Problem: My OpenVPN tunnel is up, i can ping (via transfer-subnet, no routing between) all the hosts and everything is working fine. After about 50-100 ICMP pakets the connection is broken in case of an inactivity timeout:
Mar 27 14:12:07 	openvpn[6372]: Initialization Sequence Completed
Mar 27 14:12:07 	openvpn[6372]: Preserving previous TUN/TAP instance: ovpnc1
Mar 27 14:12:05 	openvpn[6372]: [extranet.domain.de] Peer Connection Initiated with [AF_INET]XXXXXXXX:11972
Mar 27 14:12:05 	openvpn[6372]: UDPv4 link remote: [AF_INET]XXXXXXXX:11972
Mar 27 14:12:05 	openvpn[6372]: UDPv4 link local (bound): [AF_INET]192.168.240.159
Mar 27 14:12:05 	openvpn[6372]: LZO compression initialized
Mar 27 14:12:05 	openvpn[6372]: Re-using SSL/TLS context
Mar 27 14:12:05 	openvpn[6372]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 27 14:12:05 	openvpn[6372]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mar 27 14:12:03 	openvpn[6372]: SIGUSR1[soft,ping-restart] received, process restarting
Mar 27 14:12:03 	openvpn[6372]: [extranet.domain.de] Inactivity timeout (--ping-restart), restarting
Mar 27 14:08:06 	openvpn[6372]: Initialization Sequence Completed
Mar 27 14:08:06 	openvpn[6372]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1574 172.30.200.76 255.255.255.0 init
Mar 27 14:08:06 	openvpn[6372]: /sbin/ifconfig ovpnc1 172.30.200.76 netmask 255.255.255.0 mtu 1500 up
Mar 27 14:08:06 	openvpn[6372]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mar 27 14:08:06 	openvpn[6372]: TUN/TAP device /dev/tap1 opened
Mar 27 14:08:06 	openvpn[6372]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.4.0.0
Mar 27 14:08:06 	openvpn[6372]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Mar 27 14:08:04 	openvpn[6372]: [extranet.domain.de] Peer Connection Initiated with [AF_INET]XXXXXXXX:11972
Mar 27 14:08:03 	openvpn[6372]: UDPv4 link remote: [AF_INET]XXXXXXXX:11972
Mar 27 14:08:03 	openvpn[6372]: UDPv4 link local (bound): [AF_INET]192.168.240.159
Mar 27 14:08:03 	openvpn[6035]: LZO compression initialized
Mar 27 14:08:03 	openvpn[6035]: Initializing OpenSSL support for engine 'cryptodev'
Mar 27 14:08:03 	openvpn[6035]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 27 14:08:03 	openvpn[6035]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mar 27 14:08:03 	openvpn[6035]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
Mar 27 14:08:03 	openvpn[6035]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 6 2012

Mar 27 14:16:12 	openvpn[6372]: [extranet.domain.de] Peer Connection Initiated with [AF_INET]XXXXXXXX:11972
Mar 27 14:16:04 	openvpn[6372]: UDPv4 link remote: [AF_INET]XXXXXXXX:11972
Mar 27 14:16:04 	openvpn[6372]: UDPv4 link local (bound): [AF_INET]192.168.240.159
Mar 27 14:16:04 	openvpn[6372]: LZO compression initialized
Mar 27 14:16:04 	openvpn[6372]: Re-using SSL/TLS context
Mar 27 14:16:04 	openvpn[6372]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 27 14:16:04 	openvpn[6372]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mar 27 14:16:02 	openvpn[6372]: SIGUSR1[soft,ping-restart] received, process restarting
Mar 27 14:16:02 	openvpn[6372]: [extranet.domain.de] Inactivity timeout (--ping-restart), restarting

My client configuration is like this:
persist-key;
persist-tun;
comp-lzo;
verb 3;
route 10.4.0.0 255.255.0.0 172.30.200.1;

I tried along the afternoon serveral configuration proposals about reconnecting on connection problems. I checked my time. Everthing is OK. So now let's get strange:

Using an old (about 1 year) certificate: Connection is up, no timeouts.
Using an new (about 2 days) generated certificate: Connection is broken like described above with exactly the same configuration!

Another strange fact: I will get exactly the same behavior on the two different servers, which run different openvpn-server versions. One with an up-to-date version and the other with an about 1 year old version. But i will get the same issue.

Another important fact: Using the certificates (doesn't matter if the new or the old one) on an windows-vpn client for example will work fine!
Last important fact: Using an Pfsense to Pfsense OpenVPN will work without any problems! (Please don't ask me to only use pfsense<>pfsense, thats unfortunately no option…)

So any idea about this? I think this could only make sense if my system-time wasn't correct - but it is. I used an ntp-server. And no basic network connection problems, no firewall rules no other stuff. So he had one job :-D

Best regards
vitafit

vitafit

push

soul710

Were you able to resolve this issue yet? I'm having the exact same problems. In fact, my OpenVPN log shows reconnects every 60 seconds and I don't know what to do :(

jimp

The 60-second timeout is a generic timeout error, not indicative of any specific problem. The server-side logs are better indications of the problem in these cases.

Most likely explanations:

Server side blocking the traffic in firewall rules (or failing to pass it, as the case may be)
ISP/Uplink blocking the traffic
Time mismatch between client and server
Certificate/CA mismatch between client and server
TLS Key mismatch between client and server
Other setting mismatch between client and server

The exact mismatch or error would be found in the server logs.

soul710

@jimp:

The 60-second timeout is a generic timeout error, not indicative of any specific problem. The server-side logs are better indications of the problem in these cases.

Most likely explanations:

Server side blocking the traffic in firewall rules (or failing to pass it, as the case may be)

ISP/Uplink blocking the traffic

Time mismatch between client and server

Certificate/CA mismatch between client and server

TLS Key mismatch between client and server

Other setting mismatch between client and server

The exact mismatch or error would be found in the server logs.

I can't find any useful information neither in the server logs nor in the client logs. Again the info: Once the connection is established, I can access the hosts on the other side of the vpn just perfectly fine, until the connection is again restarted. So this should not be a certificate/key mismatch issue, right?

Here is my log files:

Server:


Fri May 3 12:06:07 2013 Listening for incoming TCP connection on xxx.xxx.xxx.xxx:yyyy
Fri May 3 12:06:17 2013 TCP connection established with xxx.xxx.xxx.xxx:yyyy
Fri May 3 12:06:17 2013 TCPv4_SERVER link local (bound): xxx.xxx.xxx.xxx:yyyy
Fri May 3 12:06:17 2013 TCPv4_SERVER link remote: xxx.xxx.xxx.xxx:yyyy
Fri May 3 12:06:19 2013 WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.0.1.209 10.0.1.210'
Fri May 3 12:06:19 2013 [User_Name] Peer Connection Initiated with xxx.xxx.xxx.xxx:yyyy
Fri May 3 12:06:20 2013 Initialization Sequence Completed

Fri May 3 12:06:54 2013 Connection reset, restarting [0]
Fri May 3 12:06:54 2013 SIGUSR1[soft,connection-reset] received, process restarting
Fri May 3 12:06:55 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Fri May 3 12:06:55 2013 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri May 3 12:06:55 2013 Re-using SSL/TLS context
Fri May 3 12:06:55 2013 LZO compression initialized
Fri May 3 12:06:55 2013 Preserving previous TUN/TAP instance: tun6
Fri May 3 12:06:55 2013 Listening for incoming TCP connection on xxx.xxx.xxx.xxx:yyyy

(repeat the above)

Client:


May 3 12:03:51	openvpn[49287]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
May 3 12:03:51	openvpn[49287]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1544 10.0.1.210 10.0.1.209 init
May 3 12:03:52	openvpn[49287]: TUN/TAP device /dev/tun1 opened
May 3 12:03:52	openvpn[49287]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 3 12:03:52	openvpn[49287]: /sbin/ifconfig ovpnc1 10.0.1.210 10.0.1.209 mtu 1500 netmask 255.255.255.255 up
May 3 12:03:52	openvpn[49287]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1544 10.0.1.210 10.0.1.209 init
May 3 12:03:52	openvpn[49287]: Initialization Sequence Completed

May 3 12:04:51	openvpn[49287]: [VPN_Gateway] Inactivity timeout (--ping-restart), restarting
May 3 12:04:51	openvpn[49287]: SIGUSR1[soft,ping-restart] received, process restarting
May 3 12:04:56	openvpn[49287]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
May 3 12:04:56	openvpn[49287]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 12:04:56	openvpn[49287]: Re-using SSL/TLS context
May 3 12:04:56	openvpn[49287]: LZO compression initialized
May 3 12:05:01	openvpn[49287]: Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:yyyy [nonblock]
May 3 12:05:02	openvpn[49287]: TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:yyyy
May 3 12:05:02	openvpn[49287]: TCPv4_CLIENT link local: [undef]
May 3 12:05:02	openvpn[49287]: TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:yyyy
May 3 12:05:04	openvpn[49287]: WARNING: 'ifconfig' is present in remote config but missing in local config, remote='ifconfig 10.0.1.210 10.0.1.209'
May 3 12:05:04	openvpn[49287]: [VPN_Gateway] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:yyyy
May 3 12:05:06	openvpn[49287]: Preserving previous TUN/TAP instance: ovpnc1
May 3 12:05:06	openvpn[49287]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
May 3 12:05:06	openvpn[49287]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1544 10.0.1.210 10.0.1.209 init
May 3 12:05:07	openvpn[49287]: TUN/TAP device /dev/tun1 opened
May 3 12:05:07	openvpn[49287]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 3 12:05:07	openvpn[49287]: /sbin/ifconfig ovpnc1 10.0.1.210 10.0.1.209 mtu 1500 netmask 255.255.255.255 up
May 3 12:05:07	openvpn[49287]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1544 10.0.1.210 10.0.1.209 init
May 3 12:05:07	openvpn[49287]: Initialization Sequence Completed

May 3 12:06:06	openvpn[49287]: [VPN_Gateway] Inactivity timeout (--ping-restart), restarting
May 3 12:06:06	openvpn[49287]: SIGUSR1[soft,ping-restart] received, process restarting
May 3 12:06:11	openvpn[49287]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
May 3 12:06:11	openvpn[49287]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 3 12:06:11	openvpn[49287]: Re-using SSL/TLS context
May 3 12:06:11	openvpn[49287]: LZO compression initialized
May 3 12:06:16	openvpn[49287]: Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:yyyy [nonblock]
May 3 12:06:17	openvpn[49287]: TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:yyyy
May 3 12:06:17	openvpn[49287]: TCPv4_CLIENT link local: [undef]
May 3 12:06:17	openvpn[49287]: TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:yyyy
May 3 12:06:19	openvpn[49287]: WARNING: 'ifconfig' is present in remote config but missing in local config, remote='ifconfig 10.0.1.210 10.0.1.209'
May 3 12:06:19	openvpn[49287]: [VPN_Gateway] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:yyyy
May 3 12:06:21	openvpn[49287]: Preserving previous TUN/TAP instance: ovpnc1
May 3 12:06:21	openvpn[49287]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
May 3 12:06:21	openvpn[49287]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1544 10.0.1.210 10.0.1.209 init
May 3 12:06:22	openvpn[49287]: TUN/TAP device /dev/tun1 opened
May 3 12:06:22	openvpn[49287]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 3 12:06:22	openvpn[49287]: /sbin/ifconfig ovpnc1 10.0.1.210 10.0.1.209 mtu 1500 netmask 255.255.255.255 up
May 3 12:06:22	openvpn[49287]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1544 10.0.1.210 10.0.1.209 init
May 3 12:06:22	openvpn[49287]: Initialization Sequence Completed

soul710

Following this post I tried to set the ping timeout to 10 minutes. The only result, however, was that now the connection is re-established every 10 minutes (instead of every minute). When I keep using the connection (e.g. leave a terminal open on a remote host that loops a command or something) the connection is not reset.

This makes me believe that the keep-alive mechanism is just plain not working, or maybe the firewall is blocking the keep-alive packets. What setting would I have to check in this case?

jimp

The keep-alive "pings" are part of the OpenVPN protocol, they aren't sent on any different path that could be blocked. If the VPN traffic flows, the keep-alive packets would also be flowing.

Check the VPN logs on both sides, and the actual OpenVPN configuration files on both sides (in /var/etc/openvpn/ on pfSense, client configs vary) to see what the settings are for that.

soul710

@jimp:

The keep-alive "pings" are part of the OpenVPN protocol, they aren't sent on any different path that could be blocked. If the VPN traffic flows, the keep-alive packets would also be flowing.

Check the VPN logs on both sides, and the actual OpenVPN configuration files on both sides (in /var/etc/openvpn/ on pfSense, client configs vary) to see what the settings are for that.

I've already posted my client and server logs above. Since im no expert in neither openvpn nor pfsense, I hoped that someone could examine the logs for me. In my opinion the logs look good, and don't indicate any kind of problem at all, the connection just suddenly gets restarted.

Reiner030

Fri May 3 12:06:19 2013 WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.0.1.209 10.0.1.210'

Do you opened the firewall rules on device "openvpn" for this IPs? You need public and "internal" rules ;)

soul710

I was just able to solve the problem. My server side config had "ping restart" configured, which I replaced by "keepalive", now the connection is not restarted anymore :)