Connection errors when AD domain controller is off

jazzl0ver

Hello.

I've faced very strange issue and need help.

I have two Active Directory domain controllers DC1 and DC2 (Windows 2008R2) in the domain. I tuned Openvpn in pfSense to authenticate users against that DCs. Everything worked like a charm unless I turned one DC off. Users' openvpn sessions got disconnected and when they tried to get connections back, they got "TLS Error". Here is the log:

May 21 17:49:13 gw-2 openvpn[51123]: Re-using SSL/TLS context
May 21 17:49:13 gw-2 openvpn[51123]: LZO compression initialized
May 21 17:49:13 gw-2 openvpn[51123]: TCP connection established with [AF_INET]xx.xx.65.70:63857
May 21 17:49:13 gw-2 openvpn[51123]: TCPv4_SERVER link local: [undef]
May 21 17:49:13 gw-2 openvpn[51123]: TCPv4_SERVER link remote: [AF_INET]xx.xx.65.70:63857
May 21 17:50:29 gw-2 openvpn: : ERROR! Could not bind to server DC1.
May 21 17:50:29 gw-2 openvpn: : Now Searching for vlad in directory.
May 21 17:50:29 gw-2 openvpn: : Now Searching in server DC2, container CN=Users,DC=myorg,DC=biz with filter (samaccountname=vlad).
May 21 17:50:29 gw-2 openvpn: : Logged in successfully as vlad via LDAP server DC2 with DN = CN=Vlad,CN=Users,DC=myorg,DC=biz.
May 21 17:50:29 gw-2 openvpn: user vlad authenticated
May 21 17:50:29 gw-2 openvpn[51123]: xx.xx.65.70:63857 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 21 17:50:29 gw-2 openvpn[51123]: xx.xx.65.70:63857 TLS Error: TLS handshake failed
May 21 17:50:29 gw-2 openvpn[51123]: xx.xx.70:63857 Fatal TLS error (check_tls_errors_co), restarting

Right after I turned DC1 back on, users were able to connect:

May 21 18:59:26 gw-2 openvpn[52032]: Re-using SSL/TLS context
May 21 18:59:26 gw-2 openvpn[52032]: LZO compression initialized
May 21 18:59:26 gw-2 openvpn[52032]: TCP connection established with [AF_INET]xx.xx.65.70:51513
May 21 18:59:26 gw-2 openvpn[52032]: TCPv4_SERVER link local: [undef]
May 21 18:59:26 gw-2 openvpn[52032]: TCPv4_SERVER link remote: [AF_INET]xx.xx.65.70:51513
May 21 18:59:27 gw-2 openvpn: : Now Searching for vlad in directory.
May 21 18:59:27 gw-2 openvpn: : Now Searching in server DC1, container CN=Users,DC=myorg,DC=biz with filter (samaccountname=vlad).
May 21 18:59:27 gw-2 openvpn: : Logged in successfully as vlad via LDAP server DC1 with DN = CN=Vlad,CN=Users,DC=myorg,DC=biz.
May 21 18:59:27 gw-2 openvpn: user vlad authenticated
May 21 18:59:27 gw-2 openvpn[52032]: xx.xx.65.70:51513 [vlad] Peer Connection Initiated with [AF_INET]xx.xx.65.70:51513
May 21 18:59:27 gw-2 openvpn[52032]: vlad/xx.xx.65.70:51513 MULTI_sva: pool returned IPv4=192.168.210.10, IPv6=54da:bfbf:cc:4ddd:78d7:bfbf:391:608
May 21 18:59:29 gw-2 openvpn[52032]: vlad/xx.xx.65.70:51513 send_push_reply(): safe_cap=960

Openvpn server config:

# cat /var/etc/openvpn/server1.conf
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local yy.yy.225.172
tls-server
server 192.168.210.0 255.255.255.192
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 172.26.0.0 255.255.0.0"
push "dhcp-option DOMAIN myorg.biz"
push "dhcp-option DNS 172.26.1.2"
push "dhcp-option DNS 172.26.1.20"
push "dhcp-option NTP 172.26.1.1"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
crl-verify /var/etc/openvpn/server1.crl-verify
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
passtos
persist-remote-ip
float
push "route 172.27.0.0 255.255.0.0"

Any help is appreciated!