Connection errors when AD domain controller is off

    Hello.

    I've faced a very strange issue and need help.

    I have two Active Directory domain controllers, DC1 and DC2 (Windows 2008R2), in the domain. I tuned OpenVPN in pfSense to authenticate users against those DCs. Everything worked like a charm until I turned one DC off. Users' OpenVPN sessions got disconnected, and when they tried to get their connections back, they got "TLS Error". Here is the log:

    May 21 17:49:13 gw-2 openvpn[51123]: Re-using SSL/TLS context
    May 21 17:49:13 gw-2 openvpn[51123]: LZO compression initialized
    May 21 17:49:13 gw-2 openvpn[51123]: TCP connection established with [AF_INET]xx.xx.65.70:63857
    May 21 17:49:13 gw-2 openvpn[51123]: TCPv4_SERVER link local: [undef]
    May 21 17:49:13 gw-2 openvpn[51123]: TCPv4_SERVER link remote: [AF_INET]xx.xx.65.70:63857
    May 21 17:50:29 gw-2 openvpn: : ERROR! Could not bind to server DC1.
    May 21 17:50:29 gw-2 openvpn: : Now Searching for vlad in directory.
    May 21 17:50:29 gw-2 openvpn: : Now Searching in server DC2, container CN=Users,DC=myorg,DC=biz with filter (samaccountname=vlad).
    May 21 17:50:29 gw-2 openvpn: : Logged in successfully as vlad via LDAP server DC2 with DN = CN=Vlad,CN=Users,DC=myorg,DC=biz.
    May 21 17:50:29 gw-2 openvpn: user vlad authenticated
    May 21 17:50:29 gw-2 openvpn[51123]: xx.xx.65.70:63857 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    May 21 17:50:29 gw-2 openvpn[51123]: xx.xx.65.70:63857 TLS Error: TLS handshake failed
    May 21 17:50:29 gw-2 openvpn[51123]: xx.xx.70:63857 Fatal TLS error (check_tls_errors_co), restarting

    Right after I turned DC1 back on, users were able to connect:

    May 21 18:59:26 gw-2 openvpn[52032]: Re-using SSL/TLS context
    May 21 18:59:26 gw-2 openvpn[52032]: LZO compression initialized
    May 21 18:59:26 gw-2 openvpn[52032]: TCP connection established with [AF_INET]xx.xx.65.70:51513
    May 21 18:59:26 gw-2 openvpn[52032]: TCPv4_SERVER link local: [undef]
    May 21 18:59:26 gw-2 openvpn[52032]: TCPv4_SERVER link remote: [AF_INET]xx.xx.65.70:51513
    May 21 18:59:27 gw-2 openvpn: : Now Searching for vlad in directory.
    May 21 18:59:27 gw-2 openvpn: : Now Searching in server DC1, container CN=Users,DC=myorg,DC=biz with filter (samaccountname=vlad).
    May 21 18:59:27 gw-2 openvpn: : Logged in successfully as vlad via LDAP server DC1 with DN = CN=Vlad,CN=Users,DC=myorg,DC=biz.
    May 21 18:59:27 gw-2 openvpn: user vlad authenticated
    May 21 18:59:27 gw-2 openvpn[52032]: xx.xx.65.70:51513 [vlad] Peer Connection Initiated with [AF_INET]xx.xx.65.70:51513
    May 21 18:59:27 gw-2 openvpn[52032]: vlad/xx.xx.65.70:51513 MULTI_sva: pool returned IPv4=192.168.210.10, IPv6=54da:bfbf:cc:4ddd:78d7:bfbf:391:608
    May 21 18:59:29 gw-2 openvpn[52032]: vlad/xx.xx.65.70:51513 send_push_reply(): safe_cap=960

    OpenVPN server config:

    # cat /var/etc/openvpn/server1.conf
    dev ovpns1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-server
    cipher BF-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local yy.yy.225.172
    tls-server
    server 192.168.210.0 255.255.255.192
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server1.php via-env
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "route 172.26.0.0 255.255.0.0"
    push "dhcp-option DOMAIN myorg.biz"
    push "dhcp-option DNS 172.26.1.2"
    push "dhcp-option DNS 172.26.1.20"
    push "dhcp-option NTP 172.26.1.1"
    client-to-client
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    crl-verify /var/etc/openvpn/server1.crl-verify
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo
    passtos
    persist-remote-ip
    float
    push "route 172.27.0.0 255.255.0.0"

    Any help is appreciated!
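A defender-side check, added here and not part of the original post: the script below correlates each client connection in the posted log with its handshake outcome and measures how long authentication took. In the first session the bind attempt against the powered-off DC1 alone accounts for 76 seconds between the TCP connection and the auth result, longer than the 60-second key negotiation window the TLS error names. The sample lines are constructed from the post; the year and the 60 s hand-window default are assumptions.

```python
import re
from datetime import datetime
# Constructed sample, abridged from the two sessions quoted in the post above.
SAMPLE_LOG = """\
May 21 17:49:13 gw-2 openvpn[51123]: TCP connection established with [AF_INET]xx.xx.65.70:63857
May 21 17:50:29 gw-2 openvpn: : ERROR! Could not bind to server DC1.
May 21 17:50:29 gw-2 openvpn: : Logged in successfully as vlad via LDAP server DC2 with DN = CN=Vlad,CN=Users,DC=myorg,DC=biz.
May 21 17:50:29 gw-2 openvpn[51123]: xx.xx.65.70:63857 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 21 18:59:26 gw-2 openvpn[52032]: TCP connection established with [AF_INET]xx.xx.65.70:51513
May 21 18:59:27 gw-2 openvpn: : Logged in successfully as vlad via LDAP server DC1 with DN = CN=Vlad,CN=Users,DC=myorg,DC=biz.
May 21 18:59:27 gw-2 openvpn[52032]: xx.xx.65.70:51513 [vlad] Peer Connection Initiated with [AF_INET]xx.xx.65.70:51513
"""

# Syslog prefix; the auth-script lines ("openvpn: :") carry no pid and no peer address.
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ openvpn(?:\[\d+\])?: (.*)$")
CONNECT_RE = re.compile(r"TCP connection established with \[AF_INET\](\S+)")
BIND_FAIL_RE = re.compile(r"Could not bind to server (\S+)\.")
OK_RE = re.compile(r"^(\S+) \[\S+\] Peer Connection Initiated")
FAIL_RE = re.compile(r"^(\S+) TLS Error: TLS key negotiation failed")

def analyze(log_text, hand_window=60, year=2014):
    """Correlate each client TCP connection with its handshake outcome and latency.
    hand_window is OpenVPN's --hand-window (60 s by default); year is assumed, syslog omits it."""
    pending, results = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)
        if c := CONNECT_RE.search(msg):
            pending[c.group(1)] = {"peer": c.group(1), "connect": ts, "bind_failures": []}
        elif b := BIND_FAIL_RE.search(msg):
            # No peer id on auth-script lines: charge the failure to every session still waiting.
            for s in pending.values():
                s["bind_failures"].append(b.group(1))
        else:
            ok, fail = OK_RE.match(msg), FAIL_RE.match(msg)
            hit = ok or fail
            if hit and hit.group(1) in pending:
                s = pending.pop(hit.group(1))
                latency = (ts - s["connect"]).total_seconds()
                results.append({"peer": s["peer"], "outcome": "connected" if ok else "tls_failed",
                                "auth_latency_s": latency, "bind_failures": s["bind_failures"],
                                "exceeds_hand_window": latency >= hand_window})
    return results

if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        flag = "  <- auth outlasted the TLS handshake window" if r["exceeds_hand_window"] else ""
        print(f"{r['peer']}: {r['outcome']} after {r['auth_latency_s']:.0f}s, bind failures {r['bind_failures']}{flag}")
```

A session that records a bind failure and exceeds the window points at the unreachable DC's LDAP timeout rather than at the client's network connectivity, which is what the error text suggests.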
